Windows Small Business Server 2011 Standard Edition and Windows Server 2008 R2.
Windows Update repeatedly fails to install "Definition Update for Windows Defender".
Manually updating definitions through Windows Defender also fails.
Running "mpcmdrun.exe -RemoveDefinitions -All" and then "mpcmdrun.exe -SignatureUpdate" fails with the error "ERROR: Signature Update failed with hr=8050A005".
sfc /scannow finds no errors.
Step 1
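1. Run the following PowerShell script from an elevated PowerShell prompt on the problem Exchange 2010 server/SBS 2011. It lists the certificates in the Trusted Root store that are not self-signed (Issuer differs from Subject):
Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\client-computer_filtered.txt"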
or
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | select subject, notafter
2. Microsoft certificates may be listed in the output file c:\client-computer_filtered.txt.
3. Back up these certificates first.
4. Move the certificates from the Root to the Intermediate store.
Step 2
Move Certificates from root to intermediate store
To move the certificates from the Root to the Intermediate store, please follow the steps below:
1. Open an administrative command prompt and run mmc.exe
2. Click on File\Add/Remove Snap-in
3. Select Certificates and then click on Add >, select Computer account\Local computer\Finish\OK
4. Click on Certificates (Local Computer). You will see Trusted Root Certification Authorities and Intermediate Certification Authorities.
5. Open Trusted Root Certification Authorities\Certificates and look for each certificate listed in the output of the previous PowerShell command.
6. Right-click each of them and select Cut, then navigate to Intermediate Certification Authorities\Certificates and paste the certificate there.
Only move the following certificates:
- Microsoft Time-Stamp PCA
- Microsoft Code Signing PCA
- Microsoft Timestamping PCA
Note: The above solution is currently untested.
Solution confirmed.
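The backup in Step 1 and the move in Step 2 can also be scripted. The following is an added example, not part of the original post; it uses the .NET X509Store class so that it also runs on the PowerShell 2.0 shipped with Server 2008 R2. The backup folder C:\CertBackup and the -Apply switch are assumptions of this example.

```powershell
# Added example: back up, then move, the three named certificates from the
# LocalMachine Trusted Root store to the Intermediate (CA) store.
# $BackupDir and -Apply are names chosen for this example.
param(
    [string]$BackupDir = 'C:\CertBackup',   # assumed backup location
    [switch]$Apply                          # without -Apply: back up and report only
)

# Only these certificates are moved (the list given in Step 2).
$names = 'Microsoft Time-Stamp PCA', 'Microsoft Code Signing PCA', 'Microsoft Timestamping PCA'

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

$ns    = 'System.Security.Cryptography.X509Certificates'
$root  = New-Object -TypeName "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
$ca    = New-Object -TypeName "$ns.X509Store" -ArgumentList 'CA', 'LocalMachine'
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadWrite, OpenExistingOnly'
$root.Open($flags)
$ca.Open($flags)
try {
    # Same filter as Step 1 (Issuer differs from Subject), narrowed to the named
    # certificates. @() takes a snapshot so the store can be modified in the loop.
    $candidates = @($root.Certificates | Where-Object {
        $cn = $_.GetNameInfo('SimpleName', $false)   # subject common name
        ($_.Issuer -ne $_.Subject) -and ($names -contains $cn)
    })

    foreach ($c in $candidates) {
        # Back up the public certificate (DER, .cer) before touching the store.
        $file = Join-Path $BackupDir ($c.Thumbprint + '.cer')
        [System.IO.File]::WriteAllBytes($file, $c.Export('Cert'))

        if ($Apply) {
            $ca.Add($c)        # add to Intermediate first, then remove from Root
            $root.Remove($c)
            "Moved:      $($c.Subject) [$($c.Thumbprint)]"
        } else {
            "Would move: $($c.Subject) [$($c.Thumbprint)] (backup: $file)"
        }
    }
} finally {
    $root.Close()
    $ca.Close()
}
```

Run it from an elevated prompt once without -Apply to review the list and create the .cer backups, then again with -Apply to perform the move.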