Forefront Endpoint Protection failing on manual update

6 Feb

So I thought I’d post a blog for everyone that’s frustrated like me and looking for a solution for something that might be considered logical. WHY ON EARTH IS FOREFRONT NOT UPDATING!!!!

My freshly installed Windows Server 2012 installation with Forefront Endpoint Protection (FEP) installed just wouldn’t update. Googling the error message gave me a lot of ‘you’re infected’ posts. And in the end (again) it’s just a stupid button you have to click. So first the error (screenshot and text (so ppl can actually find it ;-))) (Scroll down for Server Core instructions)

FEP_Update_Error

Microsoft Forefront Endpoint Protection
Virus and spyware definitions update failed
Forefront Endpoint Protection could not check for virus and spyware definition updates due to an Internet or network connectivity issue.
Error code: 0x80070490
Error description: Forefront Endpoint Protection couldn’t install the definition updates. Please try again later.

In the event log you will see the following message, which tells you nothing:

Microsoft Antimalware has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.143.1680.0
Update Source: Microsoft Update Server
Update Stage: Search
Source Path: http://www.microsoft.com
Signature Type: AntiVirus
Update Type: Full
User: NT AUTHORITY\SYSTEM
Current Engine Version:
Previous Engine Version: 1.1.9103.0
Error code: 0x80248014
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

The Windows Update Log will say the following:

>>– RESUMED — COMAPI: Search [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
– Updates found = 0
– WARNING: Exit code = 0x00000000, Result code = 0x80248014
———
— END — COMAPI: Search [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
————-
WARNING: Operation failed due to earlier error, hr=80248014
FATAL: Unable to complete asynchronous search. (hr=80248014)

And you’re thinking…… what……..?!? 😯
Well, it’s just Microsoft disabling updates for all other Microsoft products except Windows by default. What you need to do to solve it: open up your Windows Update screen. You will see directly what causes your error: updates are enabled for Windows only.

Windows Update 1

Click "Find out more". In the browser that opens, check "I agree" and click "Install".

Windows Update 2

Now Windows Update will download updates for ‘other Microsoft Products’ as well. And there you have it: FEP will update like a charm.

How to fix this on Windows 2008/2008R2/2012/2012R2 Server Core

Update: I’m playing around with Server Core a little at the moment. Ran into the same problem. Easy to fix, hard to find on the internet.
First run a little PowerShell command:

$ServiceManager = New-Object -ComObject "Microsoft.Update.ServiceManager"; $ServiceManager.ClientApplicationID = "My App"; $ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d",7,"")

Next, update your FEP signatures:

PS C:\Program Files\Microsoft Security Client\Antimalware> .\MpCmdRun.exe signatureupdate
Signature update started . . .
Signature update finished.

It should run nicely after configuring WU through PowerShell.
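
An idempotent version of the Server Core fix, as an added example that is not part of the original post: 0x80248014 is WU_E_DS_UNKNOWNSERVICE, meaning the Windows Update Agent does not know the service being searched, so the script checks whether Microsoft Update is registered before adding it and then triggers the signature update. The function names and the ClientApplicationID label are made up for illustration, and an elevated PowerShell session is assumed.

```powershell
# Added example, not from the original post. Run from an elevated session.
$MicrosoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'  # service ID used above

function Get-MicrosoftUpdateService {
    # Returns the Microsoft Update entry known to the Windows Update Agent,
    # or nothing when only the default Windows Update service is present.
    $manager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $manager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateId }
}

function Enable-MicrosoftUpdate {
    # Idempotent: calls AddService2 only when the service is missing or is
    # not registered with Automatic Updates.
    $service = Get-MicrosoftUpdateService
    if ($service -and $service.IsRegisteredWithAU) { return 'AlreadyRegistered' }

    $manager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $manager.ClientApplicationID = 'FEP definition update fix'  # free-form label
    # Flags 7 = allow pending registration (1) + allow online registration (2)
    #         + register the service with Automatic Updates (4).
    $registration = $manager.AddService2($MicrosoftUpdateId, 7, '')
    switch ($registration.RegistrationState) {
        3       { 'Registered' }
        2       { 'Pending' }       # completes on the next online scan
        default { 'NotRegistered' }
    }
}

$state = Enable-MicrosoftUpdate
Get-MicrosoftUpdateService | Format-List Name, ServiceID, IsRegisteredWithAU, IsManaged
if ($state -eq 'NotRegistered') {
    throw 'Microsoft Update was not registered; check WindowsUpdate.log for 0x80248014.'
}

# Install path taken from the post; adjust if the client lives elsewhere.
$mpCmdRun = 'C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe'
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { Write-Warning "MpCmdRun exited with code $LASTEXITCODE" }
```

Because the check runs first, the script is safe to call repeatedly, for example from a scheduled task that keeps definitions current on standalone servers.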

Comments

  • Chuck Stuckenberg, is saying:

    Thanks Mark. That corrected the same issue for me.

  • Kevin Carter, is saying:

    You’re a life saver. FEP works now.

  • Andrew B, is saying:

    That Fixed it. Should be number 2 in the TechEd troubleshooting guide (right after internet connectivity). Thanks!

  • Ras, is saying:

    Thanks Mark, you are the best

  • sebus, is saying:

    Thanks, so simple, yet so idiotic!

    You made my day!

  • Riordan toms, is saying:

    Worked like a charm

  • Ahsan, is saying:

    Thanks bro, you’re the best

  • Olaf, is saying:

    Thanks, worked for me too =)

  • Akin, is saying:

    Hello,

    Thank you for this tip, the screen is different for Windows Server 2012 R2, it is a checkbox option and it worked.

    Regards,

    Akin

  • JimmyCap, is saying:

    I realize this thread is a little dated, but any ideas on how I can enable WU to pull down updates for other products from a machine WITHOUT IE installed?

    We’ve got some machines that don’t have IE installed as a security measure.

    Thanks,

    Jimmy

    • mark, is saying:

      Hi Jimmy,

      All WU settings are in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update. I have to guess but I think you need to set EnableFeaturedSoftware to 1.
      Let me know if it works.

      Mark

  • Mng, is saying:

    I have a problem with Microsoft Endpoint Protection for standalone servers, as we don’t want to use the SCCM client on those (security vulnerability). MS SCCM and our SCCM admin told me that there was no way it could get updates. BUT I followed your instructions and all went well. I also used the PowerShell command to set up a scheduled task for the machine to update 3 times a day. Thank you!

  • Roman Golubev, is saying:

    Unfortunately, it didn’t work for me. On Windows server 2012 R2, after the command line says “Signature update finished”, the log file says “no update is required” though the definition’s date is old and the icon is not green but orange with exclamation mark.

  • Takis, is saying:

    You are a lifesaver…. thank you

  • Geoff, is saying:

    Thanks, this saved me about two years ago and I had forgotten about it, now once again, thanks.

