Recently I covered how to install Microsoft Security Essentials in Windows Server 2012 R2, however after performing a Windows update it failed to install with error 0x8004FF04.
Here I will discuss why this happens and then cover how to resolve this problem and update Microsoft Security Essentials manually.
From my experience definition updates have still been working fine through Windows update, so far I have only had a problem with this update, which is an update specifically for a newer version of the antimalware client itself.
A note to Windows 8, 8.1 or 10 users receiving this error for a Microsoft Security Essentials update: The built-in Windows Defender replaces Microsoft Security Essentials, if you have previously installed Microsoft Security Essentials but updated your operating system version it may no longer be supported and it should be safe to uninstall as Defender has taken over. This post is aimed toward those that have knowingly installed Microsoft Security Essentials on an unsupported operating system such as Windows Server 2012 R2 and want to update it.
Updating Microsoft Security Essentials
In this example I first downloaded and installed the latest version of Microsoft Security Essentials from Microsoft by following these steps. This installed version 4.8 of Microsoft Security Essentials.
After running Windows update it found KB3140527 which came out 23/02/2016 and was an update for Microsoft Security Essentials, version 4.9.218.0 to be exact as shown below. This means that when I did this, the download through the website was not the most up to date version.
Take note that this particular update is 8.5MB in size, this will be important later on.
The problem begins when trying to install this update, as shown the update fails and results in error code 8004FF04, simply meaning that the update does not support this version of the operating system.
This makes sense as technically Microsoft Security Essentials does not support Windows Server 2012 R2, we installed it with some slight customizations which we need to do again during the update.
If you had a look through my Microsoft Security Essentials installation guide, you may have noticed that error 8004FF04 came up there as well. Essentially the update is failing to install because it is not being run in compatibility mode for Windows 7, or with the /disableoslimit flag via Windows update causing it to fail.
In order to install the update, we need to run it manually with these customizations in place.
Windows update stores its downloaded update files in the C:\Windows\SoftwareDistribution\Download folder with different hashes for the file names. As the particular update that is failing to install in this case is 8.5MB in size, we simply look for a file within this folder that is also 8.5MB in size – in this case the file that is selected shown below.
For this example, I copied this file over to my desktop to perform the required changes rather than modifying the original, I then renamed it to ‘update.exe’ however the file name isn’t particularly important here.
Next right click the file and select properties. From the properties window select the Compatibility tab. Under Compatibility mode, tick the “Run this program in compatibility mode for:” box and then select Windows 7 from the drop down menu, then click OK.
Now open command prompt as administrator and execute the file with the /disableoslimit flag on the end as shown below.
Assuming you selected the correct file from the Windows update folder, you should be greeted with the Microsoft Security Essentials upgrade wizard as shown below, simply click the Upgrade button to proceed.
Once the upgrade has completed, click the finish button to complete the process.
From here you can now open up Microsoft Security Essentials, select the Help drop down and then click About and you should see that the Client Version has been successfully updated to the version noted through Windows Update.
This confirms that Microsoft Security Essentials has successfully been updated to the version that Windows update was failing to install. At this point we can go back to Windows update and run a check for updates, which should now no longer list the update as available, as it is now installed.
Summary
As Microsoft Security Essentials is not officially supported in Windows Server 2012 R2, we should expect strange and unexpected behaviour such as Windows updates failing to update it.
By applying similar changes that were done when we installed it, including setting the compatibility mode to Windows 7 and running the executable with the /disableoslimit flag, we can successfully update Microsoft Security Essentials when newer updates become available through Windows update that are not yet available for download through the Windows website.
Thank you. Your directions work. One questions – how did you figure out what the file name to change in the C:-Windows-SoftwareDistribution-Download location ?
I did not know the name, I worked it out based on the file size of the update. If you look at the update size available in Windows update you can find an update the same size from that folder.
Thank you for this great explanation.
It works :-)
Many thanks for this info. Developers need to use this workaround on our MSDN servers.
No problem!
Thank you for the info. It worked like a charm!
Works great. Thank you.
Perfect! What a fantastic explanation – I would never of got there without this article. Kudos.
Thanks, glad it helped!
Awesome. Thanks for the help, issue has been resolved which I had since februari this year. :-)
Brilliant!
Thanks Jarrod, very useful.
Thank you for posting this, However Unfortunately This is not working, I keep getting a restart button not an upgrade button. Please help!
Are you able to provide an example of what you’re getting?
Sure, Thank you for answering! I have a couple of screen shots but cannot attach them here. Basically I followed the directions and end up in a continuous loop of rebooting.
The last screen that is supposed to say upgrade, just says reboot. I reboot no matter how many times it still says the same thing.
To add to Thomas’s comments, I have the same issue :
Following this tutorial to upgrade from 4.9.218 to 4.10.209, the Upgrade dialog window gives a message about not having rebooted since the last installation of MSE and proposes a “Reboot” button instead of the “Upgrade” button…
(I do have rebooted the server several times since the last upgrade)
Note : this issue is also present with the Install MSE tutorial, the 4.10.209
I am currently having this problem not being able to do any updates or even unistall it manually as it says i didnt restart and still need to.
To fix the Reboot problem, delete the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EppSetupPendingReboot
Removing the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EppSetupPendingReboot” key solved the issue…
Thanks Anonymous…
Thank you – it worked. Great job.
yep thanks!
thanks. You save me!!!
I updated it on 2012 R2 then receive the 4.10.209.0 update (KB3205972) and try this trick again but unsuccessfully it said the compatibility mode doesn’t work for this program now.
Oh that’s interesting, I wonder if they are actively preventing it from working now to encourage an upgrade to server 2016, which now has defender built in by default.
It does still work for other users. I just updated one 2012R2 server this way myself.
I have been looking for solution to fix this problem sadly I can’t seem to locate the correct file I have tried two and neither of them has the compatability label where can I go from here?
You need to change the filename, to something.exe
Thank you – it worked. Great job.
Thank You. It works well at 4.10.209.0 (KB3205972). File size is 9.450 KB
You rule! Thank you, got my godaddy 2012 vm server updated.
Good info, thanks!
The Reboot problem went away after deleting the registry key, Thank You so much!!
Thanks bro! Real MVP
Thank you very much, nice instructions.
No problem Jeff!
Thank you for posting this article and also a big thank you to
“Anonymous June 8, 2017 at 5:33 am”.
Thank you! This worked great!
Dear Jarrod, It is May 2019 and I am wondering if this solution still works for Windows Server 2012 R2 Essentials. We have four workstations and three laptops all running Win10 pro version 1809, some using the built in Windows Defender and others using Comodo AV. I wanted to use the inexpensive Comodo Server AV but their on line chat support said that while it is compatible with Windows Server 2012 it is not compatible with WSE 2012 R2. So I am thinking of using your solution but wanted to see if there have been any updates. Thank you for explaining things so clearly!
To be honest I have not tested it out since originally writing the post, however some others in the comments did mention that it still worked just fine for them more recently.
worked for me just now…
Still working for MS Security Essentials 4.10.209.0
Incredible… Here in 2020 this post still usefull… Thanks a lot :-)
Thank you, this worked well for me! I’m hoping the updated Security Essentials behaves itself now…