WSUS Updates on 2012/2016 with Lockdown

in our environment WSUS updates are working with lockdown enabled. but the servers take much more time while updating. we have not enabled any specific policies or exclusions for that.

do you see any lockdown events in central?

in our environment WSUS updates are working with lockdown enabled. but the servers take much more time while updating. we have not enabled any specific policies or exclusions for that.

do you see any lockdown events in central?

Hi LHerzog,

no events on Central for both server!
I have now unlock the lockdown on one server and the update was possible.

On other server with lockdown the update stops after 50% oder installation prozess with Error 0x80070643.

I found this error id in combination with an defender update. I would think it is not related to sophos lockdown with the few infos we have about the issue.

Ofcourse it is a Defender Update and also, why is the update running if i unlock the Server?

For me it look like sophos and before lockdown last week all updates are working fine.

I think you should disable defender anyway (not disabled by default when installing any other AV like intercept X)
and then re-check if the updates are still failing for "real" OS updates from WSUS

OK i have to remove Sophos Antivirus first, then it was possible to remove Devender.

Afer that I installed sophos again an do a lockdown.

Yesterday i installed some new updates from MS and that one coud be installed, I restart server.

Very nice the server cames up and cound load his roules!

After unlock the Lockdown every thing is working again.

So for me i'm wondering why the installation of Sophos are not disable the defender or give a note pls. uninstall it first and why the server could load his Roles is Lockdown is aktive and some MS Pachtes are installed??

So pls Sophos Support investigate whats going on!!

Hello RemoHehlert, 

Thank you for reaching out to the Sophos Community. 

I am aware of some changes that occurred to Windows Defender following Server version 1803 or later. The disabling of Windows Defender no longer occurs automatically and will need to be done manually.
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide

Hello,
thanks for the info but I wonder why this is not documented in Sophos KB-000035355.
It makes a big difference if you have to install Defender manually or if the installer does it on its own.
Moreover, it does not solve the problem that the server after a Windows update and a reboot can no longer load its roles!
What solution does Sophos have here?

Many thank's

R.

Personally I would'nt expect the info of disabling Defender before or after Intercept-X installation in a KB about lockdown.

And just to repeat, this is not a Sophos issue, it is a Microsoft design flaw.

But I did not find a prominent KB of Sophos about the need (you "need" to disable defender, because otherwise you have two active AVs running and slowing down the machine) to disable MS Defender with a quick search. All the Intercept-X System requirements refer from one KB to the other and I did not find a note about Defender in them.

Anyway, what do you mean with "roles"?

Of Course i could be a design Problem by MS but a note in the documentation of Sophos whoud be very good in that case because a DC is a very sensitive system.

With Roles i meen evething what a DC can have like DHCP, DNS, ADDS ect. after update of MS-Patch all that didn't come up!

Hello RemoHehlert,

If you wish to investigate the issue with your Server Roles further, I recommend opening a support case with our team.

In the meantime, I will reach out to our documentation teams to see if we can update the Server Lockdown FAQ with some information regarding Windows Defender.