Defender Definitions from WSUS "InternalDefinitionUpdateServer" error - server name could not be resolved?

SB-IT 21 Reputation points
2021-09-09T17:03:47.82+00:00

Hello-

I'm trying to get my PCs to download Windows Defender definitions from my WSUS server. WSUS has downloaded the definitions and it shows the client computers need the definition updates.

I've configured a GPO for WSUS, and for Windows Defender definition updates I've enabled the setting "Define the order of sources for downloading definition updates" and entered a value of "InternalDefinitionUpdateServer".

The problem I'm having is that on my Win10 computers, when I go to Settings > Update & Security > Windows Security > Virus & threat protection > Check for updates, the updates fail to download. Checking the Windows Defender Event Viewer log I get an error 0x80072ee7 "The server name or address could not be resolved".

I've done a lot of searching but haven't found anyone posting a similar issue. What am I doing wrong? Does there need to be a DNS entry for InternalDefinitionUpdateServer or does it need to be defined somewhere? I'm not sure how the client knows what the address of the InternalDefinitionUpdateServer should be.

Thanks


Accepted answer
  1. Rita Hu -MSFT 9,626 Reputation points
    2021-09-23T01:08:45.527+00:00

    @SB-IT

    Thanks for your response.

    I noticed that the latest version of Security Intelligence Update for Microsoft Defender Antivirus - KB2667602 is 1.349.732.0 in your environment.

    I'm not sure why the security intelligence updates are shown as not downloaded yet; perhaps the updates aren't up to date. But it's OK if the latest Security Intelligence Update is ready for installation on the disconnected WSUS server. The clients could get the latest version.

    But it is so weird that the latest Cumulative Update for Windows 10 2004/20H2/21H1 is shown as not downloaded yet. As far as I know, the three Cumulative Updates are the same update, which is named C5B235B81AE5ACD9D11FF35EDEE287B663E5861A.cab and located in the same folder.
    It seems that the WSUS can't recognize the updates for a long time. Perhaps we could run the wsusutil.exe reset command again on the disconnected WSUS server. It will reset the metadata.

    Hope the above will be helpful. Please remember to accept the answer if the above answers are helpful.

    Thanks for your time and looking forward to your feedback.

    Regards,
    Rita


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


11 additional answers

  1. Rita Hu -MSFT 9,626 Reputation points
    2021-09-10T06:07:00.827+00:00

    @SB-IT
    Thanks for your posting on Q&A.

    First of all, I recommend running the nslookup command on the client to troubleshoot. Open the CMD as an administrator and type nslookup yourWSUSServer. Here is a related screenshot for your reference:
    130880-3.png

    I suspect that the issue is related to the DNS. We could follow the above solution to troubleshoot first.

    Please provide the above registry value to help me research further if the DNS is OK.

    Please help to confirm the following registry values first:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates
    130947-1.png

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    130948-2.png

    Hope the above will be helpful.

    Thanks for your time and have a great weekend.

    Regards,
    Rita




  2. SB-IT 21 Reputation points
    2021-09-10T18:27:08.327+00:00

    Hi Rita,

    Thank you for your reply. I have some screenshots; I hope they make sense and help a bit. I've set up a WSUS server on an air-gapped, disconnected network. Regular Windows updates are working.

    I had set the fallback order for Windows Defender definitions to the entire piped order as in the example in the GPO, but have since changed it to be just "InternalDefinitionUpdateServer" as in your screenshot. Since doing that I'm not seeing the "The server name or address could not be resolved" error any longer in Event Viewer, but the client computer is still not downloading the definition updates.

    nslookup checks out when querying the name of my WSUS server.

    131070-image.png

    Registry values appear correct.

    131221-image.png
    131213-image.png

    WSUS shows the client computer has some Defender Definition needed and ready to be downloaded.

    131158-image.png

    I've been checking for Definition updates on the client here but nothing really happens.

    131214-image.png

    Now that I've changed the Fallback Order to just "InternalDefinitionUpdateServer" I no longer get the "server not found" issue, and there isn't an event logged in the "Windows Defender" log when I try to update the definitions. There is an event listed in the WindowsUpdateClient log.

    131215-image.png

    I think the DNS issue is cleared up now, but the issue appears to be that there are Definition updates sitting on the WSUS server and WSUS sees that the client computer needs them, but when checking for updates from the client zero updates are found(?).

    Tim


  3. Rita Hu -MSFT 9,626 Reputation points
    2021-09-13T01:51:33.543+00:00

    Hello Tim,

    Thanks for your feedback.

    Have you enabled the Automatic Approvals on the WSUS server?

    131366-4.png

    According to the above description, it seems that the clients haven't tried to check for security intelligence updates for several days. Could we try to check for updates manually first?
    We could follow the below screenshots and click the following icons:
    131367-6.png

    131402-5.png

    In addition, please help to confirm whether you have enabled the alternate download server.

    131368-3.png

    Thanks for your time.

    Regards,
    Rita




  4. SB-IT 21 Reputation points
    2021-09-13T16:00:48.62+00:00

    Hi Rita,

    Thanks for the tips, I appreciate it.

    Automatic Approvals on the WSUS server are enabled and regular Windows updates are working well.

    I did have my internal WSUS server's address listed in "Set the alternate download server". I've removed that and will check for definition updates later today and report back.

    Thanks
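The checks this thread walks through by hand (nslookup against the WSUS host, the Signature Updates and WindowsUpdate policy keys, the alternate download server setting, then a manual signature check) collected into one client-side script. This is an added example, not code from the thread or from Microsoft; the registry value names are the documented names behind the GPO settings discussed above, and the script assumes it runs elevated on a domain-joined Windows 10 client.

```powershell
# Added troubleshooting script for a WSUS-sourced Defender signature problem.
# Reads the policy values behind the GPO settings discussed in the thread,
# resolves the WSUS host name (0x80072ee7 = "server name could not be resolved"),
# then forces a signature check against the internal server.
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$sigKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Return $null instead of throwing when the policy is not configured
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$wuServer  = Get-PolicyValue $wuKey  'WUServer'                   # "Specify intranet Microsoft update service location"
$altServer = Get-PolicyValue $wuKey  'UpdateServiceUrlAlternate'  # "Set the alternate download server"
$fallback  = Get-PolicyValue $sigKey 'FallbackOrder'              # "Define the order of sources for downloading definition updates"

Write-Host "WUServer                 : $wuServer"
Write-Host "UpdateServiceUrlAlternate: $altServer"
Write-Host "FallbackOrder            : $fallback"

if (-not $wuServer) {
    Write-Warning 'WUServer is not set: InternalDefinitionUpdateServer has no WSUS server to resolve to.'
} else {
    # Same check as "nslookup yourWSUSServer", using the host part of the WUServer URL
    $wsusHost = ([System.Uri]$wuServer).Host
    try {
        $addrs = (Resolve-DnsName -Name $wsusHost -ErrorAction Stop | Where-Object { $_.IPAddress }).IPAddress
        Write-Host "DNS OK: $wsusHost -> $($addrs -join ', ')"
    } catch {
        Write-Warning "DNS failure for $wsusHost : $($_.Exception.Message)"
    }
}

if ($fallback -and $fallback -notmatch 'InternalDefinitionUpdateServer') {
    Write-Warning 'FallbackOrder does not include InternalDefinitionUpdateServer; the client will never ask WSUS for signatures.'
}
if ($altServer) {
    # The thread's fix: the OP had the WSUS address in this field and removed it
    Write-Warning "Alternate download server is set ($altServer); clear it if it duplicates the WSUS server."
}

# Force a signature check against the internal server only, then show what the client has
Update-MpSignature -UpdateSource InternalDefinitionUpdateServer -ErrorAction Continue
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

If Update-MpSignature fails, the Microsoft-Windows-Windows Defender/Operational and WindowsUpdateClient event logs mentioned in the thread record the matching error code for the attempt.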