Applies to:
Use this article to learn how to troubleshoot security intelligence updates for Microsoft Defender Antivirus when the first source is from Microsoft Update (formerly known as Windows Update). Follow these steps to troubleshoot issues with getting your security intelligence updates:
Make sure that the URLs needed for security intelligence updates are allowed through the firewall or proxy. See the Defender for Endpoint URL spreadsheets in Configure your network environment to ensure connectivity with Defender for Endpoint service.
If you're only using Microsoft Defender Antivirus, see the Windows Update section in Manage connection endpoints for Windows 11 Enterprise.
Make sure that the URLs you reviewed during the previous step aren't SSL inspected. Otherwise, you might see the following error in the event log:
Source: Windows Defender
Event ID: 2001
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
Error code: 0x80072ee7
Error description: The server name or address could not be resolved.
What is error code 0x80072ee7?
C:\>err 0x80072ee7
# as an HRESULT: Severity: FAILURE (1), Facility: 0x7, Code 0x2ee7
# for hex 0x2ee7 / decimal 12007 :
ERROR_INTERNET_NAME_NOT_RESOLVED inetmsg.h
ERROR_INTERNET_NAME_NOT_RESOLVED wininet.h
Make sure that the services needed for Windows Update are started. These services include:
Windows Update service
Background Intelligent Transfer Service (BITS)
If you're using a Fallback order policy, make sure that Microsoft Update (MicrosoftUpdateServer) is the first item in the list.
Gather diagnostic data from the Microsoft Defender for Endpoint Client Analyzer tool.
If you have Microsoft Defender for Endpoint Plan 2 and access to Live Response, you can gather the diagnostic data remotely. See Collect support logs in Microsoft Defender for Endpoint using live response.
If you have Microsoft Defender for Endpoint Plan 1 or only Microsoft Defender Antivirus, you can gather the diagnostic data using the client analyzer on Windows. See Run the client analyzer on Windows.
If either method doesn't work for you, use Microsoft Defender Antivirus diagnostic data collection. See Collect Microsoft Defender Antivirus diagnostic data.
When you have your diagnostic data, convert the WindowsUpdate.etl logs into a human-readable format by using the PowerShell command Get-WindowsUpdateLog. Use that information to troubleshoot issues with security intelligence updates.
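The checks in the steps above can be run from one elevated PowerShell session on the affected device. The script below is an added example and is not part of the Microsoft article; it uses only built-in cmdlets (Get-Service, Get-MpPreference, Get-WinEvent, Get-WindowsUpdateLog). The folder in $EtlFolder and the output path in $OutLog are placeholders you replace with the location of your diagnostic package; the HRESULT decoding reproduces what the err output above shows (severity bit, facility 0x7, code 0x2ee7 = 12007).

```powershell
# Added example, not from the Microsoft article. Read-only checks for the
# troubleshooting steps above; run in an elevated PowerShell session.
# $EtlFolder / $OutLog are hypothetical placeholder paths: point $EtlFolder at
# the folder holding the WindowsUpdate*.etl files from your diagnostic data.
param(
    [string]$EtlFolder = "$env:TEMP\DefenderDiagnostics",   # placeholder
    [string]$OutLog    = "$env:TEMP\WindowsUpdate.log"      # placeholder
)

# Services that Windows Update needs: Windows Update service and BITS.
$services = Get-Service -Name 'wuauserv', 'BITS' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $state = if ($svc.Status -eq 'Running') { 'OK' } else { 'PROBLEM' }
    "[{0}] {1} ({2}) is {3}" -f $state, $svc.DisplayName, $svc.Name, $svc.Status
}

# If a fallback order policy is set, MicrosoftUpdateServer should be first.
$order = (Get-MpPreference).SignatureFallbackOrder
if ($order) {
    $first = ($order -split '\|')[0]
    $state = if ($first -eq 'MicrosoftUpdateServer') { 'OK' } else { 'PROBLEM' }
    "[{0}] SignatureFallbackOrder = {1}" -f $state, $order
} else {
    "[INFO] No SignatureFallbackOrder policy set; the default order applies."
}

# Decode an HRESULT the way the err tool does:
# bit 31 = severity, bits 16-28 = facility, bits 0-15 = the Win32/WinINet code.
function Convert-Hresult {
    param([string]$Hex)   # e.g. '0x80072ee7'
    $value    = [Convert]::ToInt64(($Hex -replace '^0[xX]', ''), 16)
    $severity = ($value -shr 31) -band 1
    $facility = ($value -shr 16) -band 0x1FFF
    $code     = $value -band 0xFFFF
    [pscustomobject]@{
        HResult  = ('0x{0:X8}' -f $value)
        Severity = if ($severity) { 'FAILURE' } else { 'SUCCESS' }
        Facility = ('0x{0:X}' -f $facility)   # 0x7 = FACILITY_WIN32
        Code     = $code                      # 12007 = ERROR_INTERNET_NAME_NOT_RESOLVED
    }
}

# Recent security intelligence update failures (Event ID 2001) with the
# error code from the event message decoded.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 2001
} -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($evt in $events) {
    if ($evt.Message -match '0x[0-9A-Fa-f]{8}') {
        $d = Convert-Hresult $Matches[0]
        "[EVENT 2001] {0:u} {1} severity={2} facility={3} code={4}" -f `
            $evt.TimeCreated, $d.HResult, $d.Severity, $d.Facility, $d.Code
    }
}

# Convert the WindowsUpdate*.etl files from the diagnostic data into text.
if (Test-Path $EtlFolder) {
    $etl = Get-ChildItem -Path $EtlFolder -Filter 'WindowsUpdate*.etl' -Recurse
    if ($etl) {
        Get-WindowsUpdateLog -ETLPath $etl.FullName -LogPath $OutLog
        "Decoded Windows Update log written to $OutLog"
    }
}
```

A code of 12007 in the decoded output is the name-resolution failure from the event shown above; when it appears together with running services and a correct fallback order, the remaining suspects are the firewall, proxy, or SSL inspection in front of the update URLs from the first two steps.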