question

JanPeterLindner-8484 avatar image
0 Votes"
JanPeterLindner-8484 asked RitaHu-MSFT commented

Updating Windows Defender Antivirus fails with Error 0x80070643

Hello,

I have trouble keeping a server of our company up-to-date when it comes to windows defender definition files. It installs other security updates as normal, but it seems I am stuck with a very old definition of the the windows defender. Whenever I check windows update, I see this error:

Security Intelligence-Update for Windows Defender Antivirus - KB915597 (Version 1.363.1679.0) – Error 0x80070643

The system is a Windows Server 2019 Standard (Version 1809 Build 17763.2928) runninng in Hyper-V. Kaspersky is running as an antivirus software on the system. We do not use a local WSUS server.

I have tried using the tips of several websites, like clearing out the temp files of windows in general or the software distribution path, restarting the update service afterwards.

In the CBS.log, I see this entry, I don't know if this is related: "Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]"

In the WindowsUpdate.log, I can see this part, ending with a "FAILED" message, maybe this helps with the investigation?:

2022.05.12 11:13:25.3903228 7188 4464 ComApi QUEUED Updates to install = 1
2022.05.12 11:13:25.3903278 7188 4464 ComApi Install ClientId = UpdateOrchestrator (cV: /F63IHkXVU2TpdwD.5.0.0)
2022.05.12 11:13:25.3951398 5632 5624 Agent Title = Security Intelligence-Update f??r Windows Defender Antivirus - KB915597 (Version 1.363.1679.0)
2022.05.12 11:13:25.3951459 5632 5624 Agent UpdateId = 347426ED-0457-4A6B-99E3-7C722AFF2405.200
2022.05.12 11:13:25.3951475 5632 5624 Agent Bundles 7 updates:
2022.05.12 11:13:25.3951520 5632 5624 Agent D24B570A-714A-4783-B8CD-39589895831A.200
2022.05.12 11:13:25.3951562 5632 5624 Agent D93D1252-6F2B-4909-B663-BD8E9B077C2C.200
2022.05.12 11:13:25.3951602 5632 5624 Agent 860E6BA4-B55B-40FA-A0A8-58AAEF4100E3.200
2022.05.12 11:13:25.3951639 5632 5624 Agent 7D78E3C3-F78C-4BB3-84B9-3249C6D7E08D.200
2022.05.12 11:13:25.3951673 5632 5624 Agent 42B5983F-B24D-4BFC-8F06-3AE66494227C.200
2022.05.12 11:13:25.3951710 5632 5624 Agent EA2A0C1A-555A-43FA-9BDE-ADD7FD539C49.200
2022.05.12 11:13:25.3951797 5632 5624 Agent 53CEC3E3-D1B8-410E-A857-2DC9A5AD9B71.200
2022.05.12 11:13:25.3956986 5632 5624 Agent Validating updates before Install
2022.05.12 11:13:25.5174250 5632 5624 Agent Pre-install check complete
2022.05.12 11:13:25.5175801 5632 5624 DataStore Failed to find update with global id of D93D1252-6F2B-4909-B663-BD8E9B077C2C.200 (sessiondata = (null))
2022.05.12 11:13:25.5176256 5632 5624 Agent WU client starts install in local system context
2022.05.12 11:13:25.5213894 5632 5624 Handler Attempting to create remote handler process as KILIAN\Administrator in session 1
2022.05.12 11:13:25.5547647 5632 5624 DownloadManager Preparing update for install, updateId = 7D78E3C3-F78C-4BB3-84B9-3249C6D7E08D.200.
2022.05.12 11:13:25.6046703 5632 5624 DownloadManager ExtractUpdateFiles
2022.05.12 11:13:25.6050307 2136 6840 Handler START Command Line Install Updates to install = 1
2022.05.12 11:13:27.0054143 2136 6840 Handler Command line install completed. Return code = 0x80070645, Result = Failed, Reboot required = false
2022.05.12 11:13:27.0057756 2136 6840 Handler END Command Line Install 0x8024200b
2022.05.12 11:13:27.0060680 5632 5624 Agent FAILED [8024200B] Method failed [CAgentUpdateManager::InstallUpdate:11739]


I have no clue where to go next in investigation. Can someone help?




Kind Regards,

JP

windows-server-update-services
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered RitaHu-MSFT commented

@JanPeterLindner-8484
It seems that you haven't enable the Windows Defender Antivirus feature in the Server. Please try to follow the below steps to enable the feature and scan for updates automatically.
Turn on the GUI using the Add Roles and Features Wizard:
1. See Install roles, role services, and features by using the add Roles and Features Wizard, and use the Add Roles and Features Wizard.
2. When you get to the Features step of the wizard, under Windows Defender Features, select the GUI for Windows Defender option.

Turn on the GUI using PowerShell:
Also we could run the followig PowerShell command to enable the feature:

 Install-WindowsFeature -Name Windows-Defender-GUI

Note that don't forget to open the PowerShell as an administrator before running the command.

Best regards,
Rita

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 2
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JanPeterLindner-8484 avatar image JanPeterLindner-8484 ·

Oh man, how stupid one can be. I just ASSUMED the windows defender is automatically on every windows system. Well, seems not like it... Thank you so much for pointing out the obvious :D

0 Votes 0 ·
RitaHu-MSFT avatar image RitaHu-MSFT JanPeterLindner-8484 ·

it's Ok. Everyone will go wrong sometimes. It is my pleasure to help. Please keep us in touch if there are any qusetions next time.

Wish you have great weekend.

Best regards,

Rita

0 Votes 0 ·
RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered JanPeterLindner-8484 commented

@JanPeterLindner-8484
Thanks for your posting on Q&A.

I found the following error tips in the log files:
201597-5.png

It seems that there are something wrong with Windows Defender Antivirus update files. Please follow the below link to clear the current cache and trigger an update. ]
https://www.microsoft.com/en-us/wdsi/defenderupdates

 cd %ProgramFiles%\Windows Defender
 MpCmdRun.exe -removedefinitions -dynamicsignatures
 MpCmdRun.exe -SignatureUpdate

Hope the above will be helpful. Wish you have a great weekend.

Best regards,
Rita

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


5.png (60.9 KiB)
· 3
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JanPeterLindner-8484 avatar image JanPeterLindner-8484 ·

Hm... now I am worried - the folder c:\Program Files\Windows Defender\ is empty, with the only exception being the folder "platform", which is empty as well. But a folder called "c:\Program Files\Windows Defender Advanced Threat Protection" exists, I guess thats the equivalent on servers? Theres no MpCmdRun.exe in it though...

0 Votes 0 ·
RitaHu-MSFT avatar image RitaHu-MSFT JanPeterLindner-8484 ·

@JanPeterLindner-8484
Thanks for your response.

It is so weird. The folder did appear on my lab. Please help to confirm whether the following service is running in your server.
201686-7.png



0 Votes 0 ·
7.png (20.6 KiB)
JanPeterLindner-8484 avatar image JanPeterLindner-8484 RitaHu-MSFT ·

Nope, that service is neither running not present on the system. If I check it via "sc query windefend" in the command window, it tells me its not a installed service :(

0 Votes 0 ·