Introduction
Recently, I encountered an unusual issue on a production Exchange Server 2019 where the Microsoft Defender Definition Updates folder consumed approximately 250 GB of disk space.
The issue eventually caused the C: drive to become completely full, resulting in Microsoft Defender failing to update its antivirus engine and security intelligence.
This article explains the symptoms, investigation, root cause, troubleshooting steps, and final resolution
Environment
| Component | Version |
|---|---|
| Exchange Server | Exchange Server 2019 |
| Operating System | Windows Server |
| Antivirus | Microsoft Defender Antivirus |
| Server Role | Exchange Mailbox Server |
| Database | DAG Environment |
Symptoms
The following issues were observed:
- C: drive completely full (0 GB free)
C:\ProgramData\Microsoft\Windows Defender\Definition Updatesconsuming approximately 250 GB- Hundreds of GUID-named folders under the Definition Updates directory
- Microsoft Defender signatures failed to update
- Antivirus engine version displayed as 0.0.0.0
- Real-Time Protection disabled
- Exchange services continued running normally
Initial Health Check
Get-MpComputerStatus
AMEngineVersion : 0.0.0.0
AntivirusSignatureVersion : 0.0.0.0
RealTimeProtectionEnabled : False
DefenderSignaturesOutOfDate : True
This confirmed that Microsoft Defender was unable to load a valid antivirus engine.
Error Messages
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
Error:
Engine Version : 0.0.0.0
ERROR:
Signature Update failed with
0x80240022
Event Viewer
Event ID 2001
Microsoft Defender Antivirus has encountered an error trying to update security intelligence. Additional errors: 0x80070070 – There is not enough space on the disk. This became the first clue that disk space was preventing Defender from completing updates.
Investigation
Checking the Definition Updates folder:
C:\ProgramData\Microsoft\Windows Defender\Definition Updates
Windows Explorer reported: 250 GB
Running PowerShell revealed hundreds of folders like:
{9BE7927D-755C-4B7C-A815-9753AB1433C5}
{9CA8CB54-0990-426C-A72B-51949F418C60}
{9B8B834B-2C0D-4770-9D58-378CCF01A628}
Each folder occupied approximately: 210MB
All folders had nearly identical timestamps, indicating Defender was repeatedly extracting update packages without cleaning up previous ones.
Root Cause
The root cause was a Microsoft Defender Antivirus definition update loop.
The update process repeatedly:
Started the process again.
Downloaded security intelligence updates.
Extracted them into GUID-named folders.
Failed to complete because the system drive was full.
Left temporary files behind.
Eventually:
Definition Updates
↓
250 GB consumed
↓
C: drive full
↓
Update fails
↓
Old definitions never removed
↓
Repeat
Solution
Instead of manually deleting system folders, I first attempted to repair Defender using the built-in update tool.
Run:
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
Initially, the command failed because there was no free space. After sufficient space became available, the command completed successfully. Microsoft Defender automatically removed obsolete definition packages and approximately 251 GB of disk space was recovered.
Verification
Checking Defender status again:
Get-MpComputerStatus | Format-List `
AMEngineVersion,
AntivirusSignatureVersion,
RealTimeProtectionEnabled,
DefenderSignaturesOutOfDate
Output:
AMEngineVersion : 1.1.26060.3008
AntivirusSignatureVersion : 1.455.115.0
RealTimeProtectionEnabled : True
DefenderSignaturesOutOfDate : False
Microsoft Defender was fully operational again.
Conclusion
In this case, the problem was not Exchange Server, but a Microsoft Defender Antivirus update loop that caused the Definition Updates folder to grow to approximately 250 GB, eventually exhausting the system drive.
Once Microsoft Defender successfully completed a signature update, it automatically cleaned up obsolete definition packages, restored the antivirus engine, updated security intelligence, and recovered over 250 GB of disk space.
This experience highlights the importance of monitoring Defender updates and available disk space on production Exchange servers to prevent similar incidents.