Trying to update windows defender from UNC path continuously fails


I’m trying to update Windows Defender (on Win 10) using definitions stored on a UNC path.

I’m setting the path to the mpam-fe.exe file like this

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\path\to\mpam.exe

Then I’m running Get-MpPreference to verify that the path was set (it is). Once I verify that the path is correct for SignatureDefinitionUpdateFileSharesSources I run

Update-MpSignature -UpdateSource FileShares

I instantly get the error

Update-MpSignature : Virus and spyware definitions update was completed with errors.
At line:1 char:1
+ Update-MpSignature -UpdateSource FileShares
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : ObjectNotFound: (MSFT_MpSignature:ROOT\Microsoft\...SFT_MpSignature) [Update-MpSignature], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070002,Update-MpSignature

This failure happens almost instantly. Just to verify that the specific powershell instance can access the fileshare in question – I followed it up by just executing the mpam-fe.exe file and it worked.

I have never done this before, but your question made me curious and I started doing some testing. I was able to reproduce your issue. It’s clear that not many people do this, because there is zero coherent information on the internet about how to do this. So, it’s no surprise you’re getting nowhere.

So, here is what I discovered while using Process Monitor. I was able to successfully get Defender to update from a file source.

  • First, the update packages consist of three files: mpam-fe.exe,
    mpam-d.exe, and nis_full.exe. I tried using just mpam-fe.exe
    and it failed.
  • Second, there are 32-bit and 64-bit versions of updates. When you run
    the Update-MPSignature command it expects to find the updates under
    the x64 or x86 folder in your source path. So, you need to create
    the additional folders under your source path and place the update
    files in there.
  • Third, the process that updates Windows Defender is wmiprvse.exe
    (WMI) – it runs as Local System. Be aware that the connection is made
    to the file source using the computer account and not a user account.
    I tried several different things to try to get it to connect to a
    file share on a domain joined server. This included adding the
    computer account, domain computers, Everyone, and Anonymous.
    Nothing worked. It failed every time with Access Denied. I was only
    able to get it to work when I put the files on my NAS which has zero
    security restrictions.

Here’s a script that can assist with downloading the update packages: https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript

Here are other references I used to get this to work:
https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/update-mpsignature?f=255&MSPPError=-2147217396

https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference

How to grant network access to LocalSystem account?

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus

http://ccmexec.com/2016/01/download-and-deploy-windows-defender-definitions-for-windows-10-during-osd/

I’ve had this exact issue. The issue was resolved by creating an x64 folder in the share and moving the definitions to that folder. I can’t find this requirement anywhere but it works. SCEP uses this folder structure so that’s where I got the idea. Even the script provided by Microsoft doesn’t create the architecture folder!

Server setup:

  • File share (e.g. \\Server\Share$) with full share permissions and Read permissions for Everyone (Domain Computers not required!)
  • Folder x64 containing 64-bit definition files (e.g. \\Server\Share$\x64\mpam-fe.exe)

Client setup (powershell):

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\Server\Share$
Set-MpPreference -SignatureFallbackOrder 'FileShares'
Update-MPSignature

Appleoddity’s answer gives everything you need. Some caveats though;

  • Update-MpSignature never worked for me in powershell. I spent a lot of time trying to set up the environment for these updates to work and was using Update-MpSignature as the test.
  • Once I actually ran Defender/MSE’s built-in update function and realized that the update worked correctly in a situation where Update-MpSignature was failing, I started backtracking and testing other scenarios which I thought weren’t working because they were failing through powershell

So basically, as you work through the issue using Appleoddity’s guide make sure not to rely solely on powershell and Update-MpSignature to test what you’re doing. YMMV but in my case I was never able to successfully run Update-MpSignature. I had jumped to the conclusion that I had set something up wrong, but after more testing I saw that defender itself was updating without issue and only powershell was having problems.
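The share layout and client steps from the answers above, combined with a before/after version comparison so the outcome is not judged by Update-MpSignature's own status, as an added PowerShell example that is not from any of the posters. The share path is a placeholder, and the Microsoft signer match is an assumption about how the definition packages are signed.

```powershell
# Added example: pre-flight check for a Defender definition file share.
# $Share is a hypothetical placeholder; replace it with your own UNC path.
param(
    [string]$Share = '\\Server\Share$'
)

# Update-MpSignature looks in an architecture subfolder of the share (x64 or x86).
$arch   = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$folder = Join-Path $Share $arch

# The three packages named in the first answer.
$packages = 'mpam-fe.exe', 'mpam-d.exe', 'nis_full.exe'

$problems = foreach ($name in $packages) {
    $file = Join-Path $folder $name
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        "missing: $file"
        continue
    }
    # A share readable by Everyone should be checked for tampering: each
    # package must carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $file
    if ($sig.Status -ne 'Valid') {
        "bad signature ($($sig.Status)): $file"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        # Assumption: genuine packages are signed by a Microsoft Corporation cert.
        "unexpected signer: $($sig.SignerCertificate.Subject)"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Share layout check failed for $folder"
}

# These checks ran as the current user. The update itself runs as Local System
# and reaches the share as the computer account, so it can still be denied.
$before = (Get-MpComputerStatus).AntivirusSignatureVersion

Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $Share
Set-MpPreference -SignatureFallbackOrder 'FileShares'
try {
    Update-MpSignature -UpdateSource FileShares -ErrorAction Stop
} catch {
    Write-Warning "Update-MpSignature reported: $($_.Exception.Message)"
}

# Judge the result by the installed version, not only by the cmdlet's status.
$after = (Get-MpComputerStatus).AntivirusSignatureVersion
"Signature version: $before -> $after"
```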

Permission Denied Message is caused by Access Denied to the LogFile

C:\Windows\Temp\MpSigStub.log

Just delete this LogFile before running

Update-MpSignature -UpdateSource FileShares -Verbose
