I'm trying to update Windows Defender (on Win 10) using definistions stored on a UNC path.
I'm setting the path the the mpam-fe.exe file like this
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\path\to\mpam.exe
Then I'm running Get-MpPreference to verify that the path was set (it is). Once I verify that the path is correct for SignatureDefinitionUpdateFileSharesSources I run
Update-MpSignature -UpdateSource FileShares
I instantly get the error
Update-MpSignature : Virus and spyware definitions update was completed with errors.
At line:1 char:1
+ Update-MpSignature -UpdateSource FileShares
+ CategoryInfo : ObjectNotFound: (MSFT_MpSignature:ROOT\Microsoft\...SFT_MpSignature) [Update-MpSignature], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070002,Update-MpSignature
This failure happens almost instantly. Just to verify that the specific powershell instance can access the fileshare in question - I followed it up by just executing the mpam-fe.exe file and it worked.
I have never done this before, but your question made me curious and I started doing some testing. I was able to reproduce your issue. It's clear that not many people do this, because there is zero coherent information on the internet about how to do this. So, it's no surprise you're getting nowhere.
So, here is what I discovered while using Process Monitor. I was able to successfully get Defender to update from a file source.
nis_full.exe. I tried using just
and it failed.
Update-MPSignature command it expects to find the updates under
x86 folder in your source path. So, you need to create
the additional folders under your source path and place the update
files in there.
Nothing worked. It failed every time with Access Denied. I was only
able to get it to work when I put the files on my NAS which has zero
Here's a script that can assist with downloading the update packages: https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript
Here are other references I used to get this to work: https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/update-mpsignature?f=255&MSPPError=-2147217396
I've had this exact issue. The issue was resolved by creating a x64 folder in the share and moving the definitions to that folder. I can't find this requirement anywhere but it works. SCEP uses this folder structure so that's where I got the idea. Even the script provided by Microsoft doesn't create the architecture folder!
Client setup (powershell):
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources \\Server\Share$
Set-MpPreference -SignatureFallbackOrder 'FileShares'
Appleoddity's answer gives everything you need. Some caveats though;
So basically, as you work through the issue using Appleoddity's guide make sure not to rely solely on powershell and Update-MpSignature to test what you're doing. YMMV but it my case I was never able to succesfully run Update-MpSignature. I had jumped to the conclusion that I had set something up wrong, but after more testing I saw that defender itself was updating without issue and only powershell was having problems.
Here is the powershell script I have running hourly on a server, then I just point my clients to it. The big point was NOT to extract the file. Windows Defender points to the exe itself.
$vdmpathbase = 'E:\VirusDef\latest\x64'
$vdmpackage = $vdmpathbase + '\mpam-fe.exe'
cmd /c "del $vdmpackage /q"
Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage
The Defender GUI runs the update download as one of two processes:
For the Update-MpSignature cmdlet, it's a bit different. It runs the update download as wmiprvse.exe which uses NT AUTHORITY/LOCAL SYSTEM. This account has minimum privileges on the computer and uses anonymous credentials on the network. Generally speaking, most network shares won't be configured for anonymous access, so this is why you can get the GUI to work, but the cmdlet doesn't.
User contributions licensed under CC BY-SA 3.0