Definition updates will not install through WSUS on some machines

We are using System Center Endpoint Protection 2012 and recently we have had 2 Windows 2003 servers and 1 Windows 7 workstation start failing definition updates through WSUS. If I click on the update button in Endpoint Protection it comes back with a connection failed and the following events show up in the application log:

EventType mptelemetry, P1 0x80508007, P2 mpupdateengine, P3 am delta, P4 11.1.4958.0, P5 mpsigstub.exe, P6 4.6.305.0, P7 system center endpoint protection, P8 NIL, P9 NIL, P10 NIL.

and

The description for Event ID ( 5000 ) in Source ( Microsoft Security Client ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: mssecurityclient, msseces.exe, 4.6.305.0, 0x80070643, update, cmainwindow__onsignatureupdatestatus, 0, system center endpoint protection, NIL, NIL, NIL.

The system log also gives me the following errors:

Microsoft Antimalware has encountered an error trying to update signatures.
  New Signature Version: 1.191.2687.0
  Previous Signature Version: 1.191.2665.0
  Update Source: User
  Update Stage: Install
  Source Path:
  Signature Type: AntiVirus
  Update Type: Delta
  User: NT AUTHORITY\SYSTEM
  Current Engine Version: 1.1.11302.0
  Previous Engine Version: 1.1.11302.0
  Error code: 0x80508007
  Error description: Your computer is low on memory. Close some programs and try again, or search Help and Support for information about preventing low memory problems.

and

Microsoft Antimalware has encountered an error trying to update signatures.
  New Signature Version:
  Previous Signature Version: 1.191.2665.0
  Update Source: Internal Definition Update Server
  Update Stage: Install
  Source Path: <WSUS Server>
  Signature Type: AntiVirus
  Update Type: Full
  User: NT AUTHORITY\SYSTEM
  Current Engine Version:
  Previous Engine Version: 1.1.11302.0
  Error code: 0x80070643
  Error description: Fatal error during installation.  

I can download the definition updates manually and they will install fine. WSUS updates will then start working for a few days and then they start failing again. I have uninstalled the System Center client and Endpoint Protection several times and then reinstalled and still no good. We are not low on memory and there is nothing wrong with our connection.

Does anyone know what could be causing definition updates to fail through WSUS all of a sudden?

January 20th, 2015 8:42pm

Hello,

What is the scheduled time for installation?

And share windowsupdate.log at that time.

Please keep auditing client system resources during installation; I don't think the event appears without any reason.

January 21st, 2015 7:42am

We are installing through WSUS and the computers check in every 3 hours, so it tries multiple times during the day to install. No other updates are having problems installing and these machines have lots of RAM, memory and multiple CPUs.

I have found that the one Windows 7 machine I am having problems with is installing the definition updates, but WSUS and the local computer log think it is failing. It looks like its problem is with the Windows Base Filtering Service not starting.

That still leaves me with the 2 Windows 2003 Servers. Here is what the windowsupdate.log says:

2015-01-21 03:57:55:049  864 d30 Agent   * Updates to install = 1
2015-01-21 03:57:55:049  864 d30 Agent   *   Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.191.2881.0)
2015-01-21 03:57:55:049  864 d30 Agent   *   UpdateId = {E157B851-7F37-4344-80A6-87741B8BB40D}.200
2015-01-21 03:57:55:049  864 d30 Agent   *     Bundles 1 updates:
2015-01-21 03:57:55:049  864 d30 Agent   *       {399384B6-C4CF-474C-93A5-B4C7AFD4E2AB}.200
2015-01-21 03:57:55:065  864 d30 Agent WARNING: LoadLibrary failed for srclient.dll with hr:8007007e
2015-01-21 03:57:55:205  864 d30 DnldMgr Preparing update for install, updateId = {399384B6-C4CF-474C-93A5-B4C7AFD4E2AB}.200.
2015-01-21 03:57:55:252 3684 c48 Misc ===========  Logging initialized (build: 7.6.7600.256, tz: -0500)  ===========
2015-01-21 03:57:55:252 3684 c48 Misc   = Process: C:\WINDOWS\system32\wuauclt.exe
2015-01-21 03:57:55:252 3684 c48 Misc   = Module: C:\WINDOWS\system32\wuaueng.dll
2015-01-21 03:57:55:252 3684 c48 Handler :::::::::::::
2015-01-21 03:57:55:252 3684 c48 Handler :: START ::  Handler: Command Line Install
2015-01-21 03:57:55:252 3684 c48 Handler :::::::::
2015-01-21 03:57:55:252 3684 c48 Handler   : Updates to install = 1
2015-01-21 03:57:59:408 3684 c48 Handler   : WARNING: Command line install completed. Return code = 0x80508007, Result = Failed, Reboot required = false
2015-01-21 03:57:59:408 3684 c48 Handler   : WARNING: Exit code = 0x8024200B
2015-01-21 03:57:59:408 3684 c48 Handler :::::::::
2015-01-21 03:57:59:408  864 fbc AU >>##  RESUMED  ## AU: Installing update [UpdateId = {E157B851-7F37-4344-80A6-87741B8BB40D}]
2015-01-21 03:57:59:408 3684 c48 Handler ::  END  ::  Handler: Command Line Install
2015-01-21 03:57:59:408  864 fbc AU   # WARNING: Install failed, error = 0x80070643 / 0x80508007

January 21st, 2015 1:19pm
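An added example, not part of the original thread: a small Python parser that pulls failed installs out of windowsupdate.log lines like the ones posted above, pairs each failure with the last update title seen, and splits the HRESULTs into facility and code. The sample lines are constructed from the excerpt in the post, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, shaped like the windowsupdate.log excerpt in the post above.
SAMPLE_LOG = """\
2015-01-21 03:57:55:049  864 d30 Agent   *   Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.191.2881.0)
2015-01-21 03:57:59:408 3684 c48 Handler   : WARNING: Command line install completed. Return code = 0x80508007, Result = Failed, Reboot required = false
2015-01-21 03:57:59:408  864 fbc AU   # WARNING: Install failed, error = 0x80070643 / 0x80508007
"""

# Descriptions exactly as the thread's event log entries give them.
KNOWN = {0x80508007: "Your computer is low on memory.",
         0x80070643: "Fatal error during installation."}

# timestamp, pid, tid, component, message
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):\d{3}\s+\d+\s+[0-9a-f]+\s+(\S+)\s+(.*)$")
TITLE = re.compile(r"Title = (.+)$")
FAILED = re.compile(r"Install failed, error = (0x[0-9A-Fa-f]{8})(?: / (0x[0-9A-Fa-f]{8}))?")

def decode_hresult(hr):
    """Split an HRESULT into its failure bit, facility and 16-bit code."""
    return {"failed": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def failed_installs(text):
    """One record per AU 'Install failed' line, paired with the last title seen."""
    title, records = None, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the log's column layout
        when, component, msg = m.groups()
        t = TITLE.search(msg)
        if component == "Agent" and t:
            title = t.group(1)
        f = FAILED.search(msg)
        if component == "AU" and f:
            codes = [int(c, 16) for c in f.groups() if c]
            records.append({"time": when, "title": title, "codes": codes})
    return records

def definition_failures_by_code(text):
    """Count failed definition updates by the installer's own (last) error code."""
    return Counter(r["codes"][-1] for r in failed_installs(text)
                   if r["title"] and "Definition Update" in r["title"])

if __name__ == "__main__":
    for code, n in definition_failures_by_code(SAMPLE_LOG).items():
        print(f"0x{code:08X} x{n}", decode_hresult(code), KNOWN.get(code, "unknown"))
```

Facility 7 in 0x80070643 is FACILITY_WIN32, and code 0x643 is Win32 error 1603, the generic installer failure; the second code on the line (0x80508007) is the one the definition installer itself returned.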

Hi,

Please try client diagnostics tool:

https://technet.microsoft.com/en-us/windowsserver/bb466192.aspx

As far as I know, this tool only works on X86 computers.

You can run wuauclt /detectnow /reportnow to force a detection or reporting.

Resetting the Windows Update components will be the last thing to try:

https://support.microsoft.com/kb/971058?wa=wsignin1.0

January 22nd, 2015 2:44am

I did notice on both servers that the paging file was set to a custom size. It looks like both were set to right at the recommended size. I set both servers to System managed size just to see what would happen. It still didn't work until I rebooted the server. After the reboot both machines installed the definition updates. I am going to let them run for a week (that is about how long it works before it starts failing) and see what happens. Before I changed anything I installed this month's updates with no problem.

I will report back in a week or so.

January 22nd, 2015 5:48pm

Hi,

A week has passed; I want to confirm whether the issue persists.

Hope to hear your feedback.

February 2nd, 2015 11:35am

It looks like my definition updates are installing now. All is good.
February 2nd, 2015 1:03pm

Today I noticed those two computers are back to failing updates. Also one other Windows 2003 Server has joined in. I now have three failing to install virus defs through WSUS. Of course as usual as soon as I reboot the server updates install perfectly. Don't know what the problem is. I am torn between opening a case with Microsoft and rebooting every week until we get these servers replaced. Hopefully in the next couple months.
February 3rd, 2015 12:19pm

Did you manage to resolve this issue?

June 11th, 2015 7:53am

No, but it was only happening on Windows 2003 machines and we have since decommissioned all of them. My solution before that was to create a scheduled task every day to restart the Microsoft Antimalware Service. For some reason that would allow them to install the updates.
June 11th, 2015 8:13am

This topic is archived. No further replies will be accepted.
