Windows Server 2016 x64 - unable to enable Defender Missing KB's

Download the
577bf0efb8088-FRST.png
Farbar Recovery Scan Tool and save it to your Desktop:

Download the 64 bit version: - Farbar Recovery Scan Tool Link

  • Right-click on the file FRST64.exe and choose Run as administrator.
  • Copy and paste the following (code) into the Search box and click the Search Registry button.
Code:
Windows Defender\Platform\4.18.*
  • When the scan is complete, a message will display that SearchReg.txt is saved in the same folder FRST was started from.
  • Post the logfile SearchReg.txt as attachment in your next reply.
 
Rich (BB code):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"InstallLocation"="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2001.10-0\"

Please run the following command in an elevated prompt to change the install llocation to the correct platform version, and then post the result of the reg query command.
Code:
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v InstallLocation /t REG_SZ /d "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24050.7-0\" /f
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender"
 
Hmm this is strange I seem to getting access denied. Running both CMD and REGEDIT as admin
1718186322787.png

trying to edit in regedit running as admin
1718186389915.png
 
Please run the following script file with SFCFix.

Download
6530fbb0f4101-56f31e53c97da-SFCFix.PNG
SFCFix and save it to your desktop.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFixScript.txt and save it to your desktop.
  • Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.
650ef5dbdfd06-62151e1bebac4-SFCFix-Txt-Eng.gif

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.
 

Attachments

haha you know all the tricks!!

SFCFix version 3.0.2.1 by niemiro.
Start time: 2024-06-12 11:05:04.587
Microsoft Windows Server 10 Build 14393 - amd64
Using .txt script file at C:\Temp\SFCFixScript (4).txt [0]




RegistryScript::
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.

WARNING: Failed to create backup for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.

Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.

Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.
RegistryScript:: directive completed successfully.




Successfully processed all directives.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 180 datablocks.
Finish time: 2024-06-12 11:05:04.696
Script hash: X4RJrR6v1gKhixnBlie1Frn+fXVVyJXzQ0ytLefX2go=
----------------------EOF-----------------------

1718186794001.png
 
Great, let's see if this makes any difference when you run the PowerShell scripts again.
 
shame, it failed again the service is still not staring. I also tired to start it manually but it stil will not start.

1718187081630.png

InstallPS1-N-TQU-TVW-APP01.240612T111005019+0100 log file output

[N-TQU-TVW-APP01:10 24/06/12T11:10:05.019 Install.ps1:815] Install.ps1 traces will be saved to C:\temp\mde\InstallPS1-N-TQU-TVW-APP01.240612T111005019+0100.log
[N-TQU-TVW-APP01:10 24/06/12T11:10:05.019 Install.ps1:821] Running command: Install.ps1 -UI:$true -Passive:$true
[N-TQU-TVW-APP01:10 24/06/12T11:10:05.019 Install.ps1:911] [Net.ServicePointManager]::SecurityProtocol updated to 'Ssl3, Tls, Tls12'
[N-TQU-TVW-APP01:10 24/06/12T11:10:05.034 Install.ps1:974] Handle 3264 opened over C:\temp\mde\md4ws.msi
[N-TQU-TVW-APP01:10 24/06/12T11:10:07.394 Install.ps1:986] D0B1B278487DB4642CB57336C9920B87E16DEF5BB3D7ADB963CEB9A9F3939942 C:\temp\mde\md4ws.msi
[N-TQU-TVW-APP01:10 24/06/12T11:10:07.394 Install.ps1:1023] BuildLabEx: 14393.6981.amd64fre.rs1_release.240503-1859
[N-TQU-TVW-APP01:10 24/06/12T11:10:07.409 Install.ps1:1025] EditionID: ServerStandard
[N-TQU-TVW-APP01:10 24/06/12T11:10:07.425 Install.ps1:1027] LastBootUpTime: 24/06/10T13:02:11.499
[N-TQU-TVW-APP01:10 24/06/12T11:10:07.425 Install.ps1:1028] CurrentTime : 24/06/12T11:10:05.019+01:00
[N-TQU-TVW-APP01:10 24/06/12T11:10:07.472 Install.ps1:1030] Install.ps1 version: 1.20231204.0+E8E12DEA
[N-TQU-TVW-APP01:10 24/06/12T11:10:09.478 Install.ps1:457] 'HKCR' PSDrive created(script scoped)
[N-TQU-TVW-APP01:10 24/06/12T11:10:09.478 Install.ps1:1221] 'WindDefend' service status is 'Stopped'
[N-TQU-TVW-APP01:10 24/06/12T11:10:09.494 Install.ps1:1264] Running C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24050.7-0\MpCmdRun.exe WDEnable in C:\temp\mde ...
[N-TQU-TVW-APP01:10 24/06/12T11:10:09.579 Install.ps1:1264] [StandardOutput]: CmdTool: Failed with hr = 0x8007041d. Check C:\Users\we02dc\AppData\Local\Temp\MpCmdRun.log for more information
[N-TQU-TVW-APP01:10 24/06/12T11:10:10.541 Install.ps1:1264] Command "MpCmdRun.exe WDEnable" failed with error -2147023843 after 00:00:00.0730024
[N-TQU-TVW-APP01:10 24/06/12T11:10:10.541 Install.ps1:1615] Closing handle 3264
[N-TQU-TVW-APP01:10 24/06/12T11:10:10.541 Install.ps1:1674] No install.etl file generated.
[N-TQU-TVW-APP01:10 24/06/12T11:10:10.541 Install.ps1:1682] No install.log file generated.
[N-TQU-TVW-APP01:10 24/06/12T11:10:10.556 Install.ps1:1685] Install.ps1 traces: 'C:\temp\mde\InstallPS1-N-TQU-TVW-APP01.240612T111005019+0100.log'


MpCmdRun.log - log file output

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24050.7-0\MpCmdRun.exe" WDEnable
Start Time: ‎Wed ‎Jun ‎12 ‎2024 11:10:09

MpEnsureProcessMitigationPolicy(0x5): hr = 0
WDEnable
ERROR: MpWDEnable(TRUE) failed (0x8007041d)
MpCmdRun.exe: hr = 0x8007041d.
MpCmdRun: End Time: ‎Wed ‎Jun ‎12 ‎2024 11:10:09
-------------------------------------------------------------------------------------
 
Please run the instructions for FRST in post #182 on the working server to compare some things. It looks several values and classes are missing too!
 
Please run the following commands on the working server to export some keys:
Code:
reg save HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender.MpUxDlp "%userprofile%\Desktop\001.reg"
reg save HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 "%userprofile%\Desktop\002.reg"
reg save HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\InprocServer32 "%userprofile%\Desktop\003.reg"
reg save HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\InProcServer32 "%userprofile%\Desktop\004.reg"
reg save HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\InprocServer32 "%userprofile%\Desktop\005.reg"
reg save HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 "%userprofile%\Desktop\006.reg"
reg save "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" "%userprofile%\Desktop\007.reg"
 
Oops, wrong syntax! It should be:
Code:
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender.MpUxDlp "%userprofile%\Desktop\001.reg"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 "%userprofile%\Desktop\002.reg"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\InprocServer32 "%userprofile%\Desktop\003.reg"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\InProcServer32 "%userprofile%\Desktop\004.reg"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\InprocServer32 "%userprofile%\Desktop\005.reg"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32 "%userprofile%\Desktop\006.reg"
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" "%userprofile%\Desktop\007.reg"
 
Please run the following script on the problematic server to import all the missing and incomplete keys.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFixScript.txt and save it to your desktop.
  • Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.
650ef5dbdfd06-62151e1bebac4-SFCFix-Txt-Eng.gif

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.

Afterwards reboot the server and run the following command in an elevated PowerShell prompt.
Code:
Get-MpComputerStatus
 

Attachments

Thanks - Looking good

SFCFix version 3.0.2.1 by niemiro.
Start time: 2024-06-12 12:38:01.603
Microsoft Windows Server 10 Build 14393 - amd64
Using .txt script file at C:\Temp\SFCFixScript (5).txt [0]




RegistryScript::
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.

Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender.MpUxDlp.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\InprocServer32.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\InProcServer32.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\InprocServer32.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32.
WARNING: Failed to create backup for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.

Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.

Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender.MpUxDlp.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppUserModelId.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}\InprocServer32.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DCD7FDB-8809-48E4-8E4F-3157C57CF987}.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DB116D1-9B24-4DFC-946B-BFE03E852002}\InProcServer32.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DB116D1-9B24-4DFC-946B-BFE03E852002}.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}\InprocServer32.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender.
RegistryScript:: directive completed successfully.




Successfully processed all directives.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 193 datablocks.
Finish time: 2024-06-12 12:38:02.075
Script hash: F+19AZNAeXjF0odEG/JWZSbmnRpzmaXLxgbMezKFiUM=
----------------------EOF-----------------------
 
Ok so this is interesting. I just tried to start Windows Defender service and its started!!

Also I've just run the install script again and get this error. I will try the offboarding script and then try to run the install script again. I've never used the offboarding script beofre so will need to dowload it from MS and have a read

1718193778738.png

Here is the install error

1718193868449.png
 
At least we've made some progress and finally the Windows Defender service is started, is the Sense service also started?
 
We sure have!!, Sense will still not start I did also try that when I started WinDefend. I doubt the offboarding script will work, but worth a shot. Will get back to you soon, cheers

1718194283463.png
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top