Definition Update for Windows Defender – infinite loop

I recently came across an odd situation involving Windows Server 2016 and WSUS updates.

On the WSUS server, I typically see several new Definition Updates for Windows Defender (KB2267602) every day. E.g. on 2017-11-26, Microsoft released:

  • 1.257.995.0
  • 1.257.996.0
  • 1.257.998.0
  • 1.257.1001.0
  • 1.257.1003.0
  • 1.257.1005.0

The update with the highest number will supersede the others, so I only approve that one. I then install this update on my other servers, and verify that they’re all up to date with patches (0 needed).
NB Windows Defender only runs on Windows Server 2016, not Windows Server 2012 R2 (or older). I’ve only tested this on core server, not the GUI edition.

I’ve used sconfig to check for updates, which says this:

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Search for for (A)ll updates or (R)ecommended updates only? a

Searching for all applicable updates...

List of applicable items on the machine:

1> Definition Update for Windows Defender - KB2267602 (Definition 1.255.252.0)
2> Definition Update for Windows Defender - KB2267602 (Definition 1.257.1005.0)

Select an option:
(A)ll updates, (N)o updates or (S)elect a single update?

If I install all updates, the first succeeds (1.255.252.0) and the second fails (1.257.1005.0). Trying again, it only lists the second update (1.257.1005.0) and I can install this successfully. So, if I check for updates again at this point, it should say “There are no applicable updates.” However, it actually lists definition 1.255.252.0 again! After that, it goes in an infinite loop: each time I install one of the definition updates, it asks for the other afterwards.

The only solution I can find is to decline the older definition on the WSUS server. (In my case, I’m running WSUS on Windows Server 2012 R2.) When I go there, WSUS has a list of updates that supersede this definition:

  • 1.255.273.0
  • 1.255.280.0
  • 1.255.289.0
  • 1.255.303.0
  • 1.255.307.0
  • 1.255.312.0

That doesn’t include 1.257.x.0, and I can see why Microsoft want to keep the list down to a manageable size. WSUS also tells me that this update has expired:

Based on that, I’d expect WSUS not to offer the update at all, but apparently it has to be declined. Investigating further, I went to Options | Automatic Approvals. On the Advanced tab, I’d already ticked the box to automatically decline expired updates:

However, that doesn’t seem to be working; maybe it will only decline updates if they’re in a “Not Approved” state? After I manually declined this update, I checked for updates again on the Windows Server 2016 machine, and this time it didn’t find anything to install.

I suspect this means that the problem won’t be limited to this specific (old) definition update, and I may have to manually decline more of them on an ongoing basis.
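Since the expired definition was still in an Approved state, the automatic "decline expired updates" rule never touched it, and the only fix was a manual decline. The following PowerShell script is an added example (not from the original post) that automates that step with the WSUS administration API: it finds Windows Defender definition updates that are still approved but are expired or superseded, reports them, and declines them only when `-Commit` is given. It assumes it runs on the WSUS server itself with the UpdateServices module installed; the `$Title` filter and the `-Commit` switch are names chosen here, not WSUS settings.

```powershell
# Added example, not part of the original post.
# Declines Windows Defender definition updates on WSUS that are still approved
# but have expired or been superseded, which is the state that caused the
# install/uninstall loop described above.
# Assumes: run as an administrator on the WSUS server (Get-WsusServer with no
# arguments connects locally); pass -ServerName/-Port to it for a remote console.
param(
    [string]$Title = 'Definition Update for Windows Defender',  # assumed filter string
    [switch]$Commit                                              # report only unless set
)

Import-Module UpdateServices
$wsus = Get-WsusServer

# GetUpdates() with no scope object returns every update WSUS knows about.
$candidates = $wsus.GetUpdates() |
    Where-Object {
        $_.Title -like "$Title*" -and $_.IsApproved -and -not $_.IsDeclined
    }

$expiredState = [Microsoft.UpdateServices.Administration.PublicationState]::Expired

foreach ($u in $candidates) {
    $expired    = ($u.PublicationState -eq $expiredState)
    $superseded = $u.IsSuperseded
    if (-not ($expired -or $superseded)) { continue }

    $reason = if ($expired) { 'expired' } else { 'superseded' }
    Write-Output ('{0} [{1}] -> {2}' -f $u.Title, $u.UpdateClassificationTitle, $reason)

    if ($Commit) {
        # Decline() marks the update Declined on the server; clients stop seeing it
        # on their next detection cycle.
        $u.Decline()
    }
}
```

Run it once without `-Commit` to see which definitions would be declined, then with `-Commit` to apply. Scheduling it after the daily synchronisation covers the "ongoing basis" case without having to watch the console.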
