question

TimLewis-4540 asked TimLewis-4540 edited

Defender Definitions from WSUS "InternalDefinitionUpdateServer" error - server name could not be resolved?

Hello-

I'm trying to get my PCs to download Windows Defender definitions from my WSUS server. WSUS has downloaded the definitions and it shows the client computers need the definition updates.

I've configured a GPO for WSUS, and for Windows Defender definitions updates I've enabled the setting: "Define the order of sources for downloading definition updates" and entered a value of "InternalDefinitionUpdateServer".

The problem I'm having is that on my Win10 computers, when I go to Settings > Update & Security > Windows Security > Virus & threat protection > Check for updates, the updates fail to download. Checking the Windows Defender Event Viewer log I get an error 0x80072ee7 "The server name or address could not be resolved".

I've done a lot of searching but haven't found anyone posting a similar issue. What am I doing wrong? Does there need to be a DNS entry for InternalDefinitionUpdateServer or does it need to be defined somewhere? I'm not sure how the client knows what the address of the InternalDefinitionUpdateServer should be.


Thanks

windows-server-update-services

RitaHu-MSFT answered RitaHu-MSFT edited

@TimLewis-4540
Thanks for your posting on Q&A.

First of all, I recommend running the nslookup command on the client to troubleshoot. Open the CMD as an administrator and print nslookup yourWSUSServer. Here is a related screenshot for your reference:
130880-3.png

I suspect that the issue is related to DNS. We could follow the above solution to troubleshoot first.

Please provide the above registry value to help me research further if the DNS is OK.

Please help to confirm the following registry value first:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates
130947-1.png

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
130948-2.png

Hope the above will be helpful.

Thanks for your time and have a great weekend.

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
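
The two checks requested in this answer (name resolution and the two policy keys) can be collected in one pass on the client. This is an added example, not part of the original thread; the value names FallbackOrder and WUServer are the standard policy value names and are assumed here because the screenshots are not available.

```powershell
# Added example (not from the thread). Value names FallbackOrder and WUServer are assumed.
$defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$fallback = Get-PolicyValue -Path $defKey -Name 'FallbackOrder'
$wuServer = Get-PolicyValue -Path $wuKey  -Name 'WUServer'

$report = [ordered]@{
    FallbackOrder      = $fallback
    UsesInternalServer = $false
    InternetSources    = @()
    WUServer           = $wuServer
    WsusHost           = $null
    WsusPort           = $null
    DnsResolves        = $false
    TcpReachable       = $false
}

if ($fallback) {
    # The policy value is a pipe-separated, ordered list of sources.
    $sources = @($fallback -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $report.UsesInternalServer = $sources -contains 'InternalDefinitionUpdateServer'
    # These two sources need Internet name resolution, which a closed network cannot provide.
    $report.InternetSources = @($sources | Where-Object { $_ -in 'MicrosoftUpdateServer', 'MMPC' })
}

if ($wuServer) {
    # InternalDefinitionUpdateServer has no address of its own; the client uses the WSUS URL.
    $uri = [uri]$wuServer
    $report.WsusHost = $uri.Host
    $report.WsusPort = $uri.Port
    $report.DnsResolves = [bool](Resolve-DnsName -Name $uri.Host -ErrorAction SilentlyContinue)
    if ($report.DnsResolves) {
        $report.TcpReachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}

[pscustomobject]$report | Format-List
```

Run it from an elevated PowerShell prompt on the affected client; an empty FallbackOrder or WUServer means the GPO has not applied to that machine.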


TimLewis-4540 answered RitaHu-MSFT converted comment to answer

Hi Rita,

Thank you for your reply. I have some screenshots, I hope they make sense and help a bit. I've set up a WSUS server on an air-gapped, disconnected network. Regular Windows updates are working.

I had set the fallback order for Windows Defender definitions to the entire piped order as in the example in the GPO, but have since changed it to be just "InternalDefinitionUpdateServer" as in your screenshot. Since doing that I'm not seeing the "The server name or address could not be resolved" error any longer in Event Viewer, but the client computer is still not downloading the definition updates.

nslookup checks out when querying the name of my WSUS server

131070-image.png


registry values appear correct

131221-image.png
131213-image.png


WSUS shows the client computer has some Defender Definition needed and ready to be downloaded.

131158-image.png


I've been checking for Definition updates on the client here but nothing really happens.

131214-image.png


Now that I've changed the Fallback Order to just "InternalDefinitionUpdateServer" I no longer get the "server not found" issue and there isn't an event logged in the "Windows Defender" log when I try to update the definitions. There is an event listed on the WindowsUpdateClient log.

131215-image.png


I think the DNS issue is cleared up now, but the issue appears to be that there are Definition updates sitting on the WSUS server and WSUS sees that the client computer needs them, but when checking for updates from the client zero updates are found(?).

Tim



RitaHu-MSFT answered RitaHu-MSFT edited

Hello Tim,

Thanks for your feedback.

Have you enabled the Automatic Approvals on the WSUS server?

131366-4.png

According to the above description, it seems that the clients haven't tried to check for security intelligence updates for several days. Could we try to check for updates manually first?
We could follow the below screenshots and click the following icons:
131367-6.png


131402-5.png

In addition, please help to confirm whether you have enabled the alternate download server.

131368-3.png

Thanks for your time.

Regards,
Rita


TimLewis-4540 answered RitaHu-MSFT commented

Hi Rita,

Thanks for the tips, I appreciate it.

Automatic Approvals on the WSUS server are enabled and regular Windows updates are working well.

I did have my internal WSUS server's address listed in "Set the alternate download server:" I've removed that and will check for definition updates later today and report back.

Thanks


@TimLewis-4540
Thanks for your feedback.

Please feel free to inform me if there are any updates of the case.

Regards,
Rita

TimLewis-4540 answered RitaHu-MSFT converted comment to answer

Hi Rita,

I'm still tweaking the process of downloading WSUS updates on a server connected to the Internet, then copying them across to a server on a closed network. I feel pretty confident I have everything dialed-in and have gotten regular Windows updates to be successful.

I have one definition update which the air-gapped WSUS server knows the client Win10 machine needs and which is approved for installation. I discovered under "File Status" for that update it says the "file for this update has not yet been downloaded" (that's the only update which says this). On the Internet connected WSUS server the definition update is approved and there is no message about the update not being downloaded yet.

Both the Internet connected WSUS server and the one on the air-gapped network were using the Default Automatic Approval Rule for updates. I have read that when importing the updates' metadata, if an update is not approved it may show as needing to be downloaded even though the update file was copied across and is actually there. I think this might be where I need to be looking to see why the Definition update is downloaded and approved on the Internet connected WSUS, but showing that it's not downloaded yet approved once it gets copied across to the air-gapped WSUS server.

I notice under "File URL" for the definition update that says it has not yet downloaded there are many "Slim_Delta" and "Delta" patch files. I'm wondering if the problem is that one or many of those have a problem? They all list their location as being on the correct server, port 8530/Content/... folder. Maybe some of the delta files were deleted because they were seen as superseded(?). Still digging for a solution...

Thanks - Tim

RitaHu-MSFT answered RitaHu-MSFT edited

In fact, all the metadata will be exported on the connected WSUS and imported into the disconnected WSUS server. And then the clients report to the disconnected WSUS server and the required updates are shown as needed on the disconnected WSUS server console. I suspect that the needed updates are not approved on the connected WSUS server. So the Binary update files were not copied and printed to the connected WSUS server. So the needed updates could not be downloaded.

Please follow the below screenshots to confirm whether the Binary update files stay on the disconnected WSUS server.
132192-15.png

132212-16.png

We should try to copy and print the Binary update Files again if the Binary update Files didn't stay on the disconnected WSUS server. Please try to approve the updates on the connected WSUS server. And then we should copy the Binary update Files and print them into the disconnected WSUS server. Note: remember to export and import the metadata again from the connected WSUS server to the disconnected WSUS server.

Hope the above will be helpful.

Regards,
Rita


TimLewis-4540 answered RitaHu-MSFT commented

Hi Rita,

Thanks for sticking with me, I've tried researching my problem but I just can't find any solution that works.

I checked one of the updates on my disconnected WSUS server that says the file hasn't been downloaded yet. My connected and disconnected WSUS servers look the same, the update is approved on both servers, and the file is on both servers in the same Content folder location. The update is available on the connected WSUS server, but the disconnected server shows the file needs to be downloaded, yet the update is approved and the update file is in the Content folder where it should be.

Here are a few screenshots from the disconnected WSUS for an update it says hasn't been downloaded yet. I haven't been able to pick up on any pattern behind the updates that WSUS says haven't been downloaded, it's only happening to a few. What step am I missing?

132456-update-approved.png

132475-file-is-there.png

132512-updates-not-downloaded.png

Thanks again - Tim




Please try to export and import the metadata again to confirm whether the issue has been resolved or not first.

In addition, it is weird that there are so many .cab files in the same folder named 1A:
132583-5.png

Please help to confirm you have copied all the folders under wsuscontent in the connected and pasted them into the disconnected WSUS server, not just the .cab files.

Regards,
Rita
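
One way to confirm that the whole content tree, not just the .cab files, arrived intact on the disconnected server is to carry a hash manifest across with it. This is an added example, not part of the original thread; the function names, the D:\WSUS\WsusContent path and the manifest.csv file name are placeholders.

```powershell
# Added example (not from the thread). Function names and paths are placeholders.
function New-ContentManifest {
    param([Parameter(Mandatory)][string]$ContentRoot)
    $root = (Resolve-Path -LiteralPath $ContentRoot).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            # Path relative to the content root, so both servers can use different drives.
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-ContentManifest {
    param(
        [Parameter(Mandatory)][string]$ManifestCsv,
        [Parameter(Mandatory)][string]$ContentRoot
    )
    # Index the local (disconnected) tree by relative path.
    $local = @{}
    New-ContentManifest -ContentRoot $ContentRoot |
        ForEach-Object { $local[$_.RelativePath] = $_ }

    # Report every file the connected server had that is absent or different here.
    foreach ($src in Import-Csv -LiteralPath $ManifestCsv) {
        $dst = $local[$src.RelativePath]
        if (-not $dst) {
            $status = 'Missing'
        } elseif ($dst.SHA256 -ne $src.SHA256) {
            $status = 'HashMismatch'
        } else {
            continue
        }
        [pscustomobject]@{ Status = $status; RelativePath = $src.RelativePath }
    }
}

# On the connected server, before the transfer:
#   New-ContentManifest -ContentRoot 'D:\WSUS\WsusContent' |
#       Export-Csv -Path .\manifest.csv -NoTypeInformation
# On the disconnected server, after copying the content and manifest.csv:
#   Compare-ContentManifest -ManifestCsv .\manifest.csv -ContentRoot 'D:\WSUS\WsusContent'
```

No output from Compare-ContentManifest means every file listed by the connected server is present with the same SHA-256 hash.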

TimLewis-4540 answered RitaHu-MSFT converted comment to answer

Hi Rita,

I exported the metadata again this morning on the connected WSUS server, and imported it on the disconnected server. The same updates still show as not being downloaded yet.

Here's a screenshot of the properties for the Content folders and the "1A" folders on both servers.

-Tim

132725-int-vs-ext.png



RitaHu-MSFT answered RitaHu-MSFT edited

@TimLewis-4540
I found the following and I want to share with you:
All the Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 updates which you mentioned above have been declined in my lab. So I could not approve them. Please help to confirm whether the four updates are ready for installation on the connected WSUS server.
133053-2.png

Please refer to the screenshots and check your environment.

In addition, please review the software distribution log to get more messages.
133094-4.png

Regards,
Rita


TimLewis-4540 answered TimLewis-4540 edited

Hi Rita,

I checked both my connected and disconnected WSUS servers and the updates that are approved and declined are the same on each. These are screenshots from my connected WSUS server. There are loads of declined updates for KB2267602, and a few approved and "ready for installation" (the same ones displaying as approved but not downloaded on the disconnected WSUS server).

What should I look for in the software distribution log?

I'll be out of the office until next Friday and won't be able to reply until then, but I'm looking forward to getting back on the case. I'd like to finally nail down the steps involved with setting up a WSUS server on a network without an Internet connection. I've learned a lot so far and I think I'm in the home stretch.

Thanks - Tim


133138-declined-ext.png


133211-updates-approved-on-ext.png


