A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack — an ordered selection of software that makes it possible to complete a particular task. Like in this post about Trying to update windows defender from UNC path continuously fails was one problem in server stack that need for a solution. Below are some tips in manage your windows server when you find problem about windows, anti-virus, unc, , .
I’m trying to update Windows Defender (on Win 10) using definistions stored on a UNC path.
I’m setting the path the the mpam-fe.exe file like this
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \pathtompam.exe
Then I’m running Get-MpPreference to verify that the path was set (it is). Once I verify that the path is correct for SignatureDefinitionUpdateFileSharesSources I run
Update-MpSignature -UpdateSource FileShares
I instantly get the error
Update-MpSignature : Virus and spyware definitions update was completed with errors. At line:1 char:1 + Update-MpSignature -UpdateSource FileShares + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (MSFT_MpSignature:ROOTMicrosoft...SFT_MpSignature) [Update-MpSignature], CimException + FullyQualifiedErrorId : HRESULT 0x80070002,Update-MpSignature
This failure happens almost instantly. Just to verify that the specific powershell instance can access the fileshare in question – I followed it up by just executing the mpam-fe.exe file and it worked.
I have never done this before, but your question made me curious and I started doing some testing. I was able to reproduce your issue. It’s clear that not many people do this, because there is zero coherent information on the internet about how to do this. So, it’s no surprise you’re getting nowhere.
So, here is what I discovered while using Process Monitor. I was able to successfully get Defender to update from a file source.
- First, the update packages consist of three files:
nis_full.exe. I tried using just
and it failed.
- Second, there are 32-bit and 64-bit versions of updates. When you run
Update-MPSignaturecommand it expects to find the updates under
x86folder in your source path. So, you need to create
the additional folders under your source path and place the update
files in there.
- Third, the process that updates Windows Defender is wmiprvse.exe
(WMI) – it runs as Local System. Be aware that the connection is made
to the file source using the computer account and not a user account.
I tried several different things to try to get it to connect to a
file share on a domain joined server. This included adding the
Nothing worked. It failed every time with Access Denied. I was only
able to get it to work when I put the files on my NAS which has zero
Here’s a script that can assist with downloading the update packages: https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript
Here are other references I used to get this to work:
I’ve had this exact issue. The issue was resolved by creating a x64 folder in the share and moving the definitions to that folder. I can’t find this requirement anywhere but it works. SCEP uses this folder structure so that’s where I got the idea. Even the script provided by Microsoft doesn’t create the architecture folder!
- File share (e.g. \ServerShare$) with full share permissions and Read permissions for Everyone (Domain Computers not required!)
- Folder x64 containing 64-bit definition files (e.g. \ServerShare$x64mpam-fe.exe)
Client setup (powershell):
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \ServerShare$ Set-MpPreference -SignatureFallbackOrder 'FileShares' Update-MPSignature
Appleoddity’s answer gives everything you need. Some caveats though;
- Update-MpSignature never worked for me in powershell. I spent a lot of time trying to set up the environment for these updates to work and was using Update-MpSignature as the test.
- Once I actually run Defender/MSE’s built in update function and realized that the update worked correctly in a situation where Update-MpSignature was failing I started backtracking and testing other scenarios which I though weren’t working because they were failing through powershell
So basically, as you work through the issue using Appleoddity’s guide make sure not to rely solely on powershell and Update-MpSignature to test what you’re doing. YMMV but it my case I was never able to succesfully run Update-MpSignature. I had jumped to the conclusion that I had set something up wrong, but after more testing I saw that defender itself was updating without issue and only powershell was having problems.
Permission Denied Message is caused by Access Denied to the LogFile
Just delete this LogFile before running
Update-MpSignature -UpdateSource FileShares -Verbose