Windows Server 2016 x64 - unable to enable Defender Missing KB's

Ran the offboarding script (ran fine)

1718195203999.png

Ran install.ps1 same issue as post 198(I've pasted the MDE log below). I think that's the last piece to the puzzle, once we can get the sense service to start I should work

[N-TQU-TVW-APP01:10 24/06/12T13:20:08.308 Install.ps1:815] Install.ps1 traces will be saved to C:\temp\mde\InstallPS1-N-TQU-TVW-APP01.240612T132008308+0100.log
[N-TQU-TVW-APP01:10 24/06/12T13:20:08.308 Install.ps1:821] Running command: Install.ps1 -UI:$true -Passive:$true
[N-TQU-TVW-APP01:10 24/06/12T13:20:08.308 Install.ps1:911] [Net.ServicePointManager]::SecurityProtocol updated to 'Ssl3, Tls, Tls12'
[N-TQU-TVW-APP01:10 24/06/12T13:20:08.324 Install.ps1:974] Handle 2800 opened over C:\temp\mde\md4ws.msi
[N-TQU-TVW-APP01:10 24/06/12T13:20:10.715 Install.ps1:986] D0B1B278487DB4642CB57336C9920B87E16DEF5BB3D7ADB963CEB9A9F3939942 C:\temp\mde\md4ws.msi
[N-TQU-TVW-APP01:10 24/06/12T13:20:10.730 Install.ps1:1023] BuildLabEx: 14393.6981.amd64fre.rs1_release.240503-1859
[N-TQU-TVW-APP01:10 24/06/12T13:20:10.730 Install.ps1:1025] EditionID: ServerStandard
[N-TQU-TVW-APP01:10 24/06/12T13:20:10.761 Install.ps1:1027] LastBootUpTime: 24/06/10T13:02:11.499
[N-TQU-TVW-APP01:10 24/06/12T13:20:10.761 Install.ps1:1028] CurrentTime : 24/06/12T13:20:08.308+01:00
[N-TQU-TVW-APP01:10 24/06/12T13:20:10.793 Install.ps1:1030] Install.ps1 version: 1.20231204.0+E8E12DEA
[N-TQU-TVW-APP01:10 24/06/12T13:20:12.652 Install.ps1:457] 'HKCR' PSDrive created(script scoped)
[N-TQU-TVW-APP01:10 24/06/12T13:20:12.652 Install.ps1:1221] 'WindDefend' service status is 'Running'
[N-TQU-TVW-APP01:10 24/06/12T13:20:13.058 Install.ps1:1533] Sense Service is onboarded, offboard before reinstalling(or use -OffboardingScript with this script)
[N-TQU-TVW-APP01:10 24/06/12T13:20:13.058 Install.ps1:212] Script will exit with code 35(0x23)
 
Please run FRST again on the working server as well as the problematic server!

Start the
577bf0efb8088-FRST.png
Farbar Recovery Scan Tool again.
  • Right-click on the file FRST64.exe and choose Run as administrator.
  • Copy and paste the following (code) into the Search box and click the Search Registry button.
Code:
\Platform\10.8735*
  • When the scan is complete, a message will display that SearchReg.txt is saved in the same folder FRST was started from.
  • Post the logfile SearchReg.txt as attachment in your next reply.
 
Please run the following commands:

Problematic server:
Code:
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection" "%userprofile%\Desktop\bad1.reg"
reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" "%userprofile%\Desktop\bad2.reg"

Working server:
Code:
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection" "%userprofile%\Desktop\good1.reg"
reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" "%userprofile%\Desktop\good2.reg"
 
Please run the following script on the problematic server.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFixScript.txt and save it to your desktop.
  • Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.
650ef5dbdfd06-62151e1bebac4-SFCFix-Txt-Eng.gif

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.

Restart the server and try to start the Sense service.
 

Attachments

cheers, log posted below

SFCFix version 3.0.2.1 by niemiro.
Start time: 2024-06-12 13:58:50.854
Microsoft Windows Server 10 Build 14393 - amd64
Using .txt script file at C:\Temp\SFCFixScript (6).txt [0]




RegistryScript::
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache.
Failed to set registry key ownership for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense with error code 0x51B.
Failed to set registry key ownership for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\Parameters with error code 0x51B.
Failed to set registry key ownership for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\Security with error code 0x51B.

WARNING: Failed to create backup for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection.

Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\ConfigurationModules.
WARNING: Failed to create backup for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.

Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache\S-1-5-21-1606980848-484061587-682003330-229835.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache\S-1-5-21-1606980848-484061587-682003330-58275.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache\S-1-5-21-1606980848-484061587-682003330-74952.
Successfully imported registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense.
Successfully imported registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\Parameters.
Successfully imported registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\Security.

Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\ConfigurationModules.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache\S-1-5-21-1606980848-484061587-682003330-229835.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache\S-1-5-21-1606980848-484061587-682003330-58275.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache\S-1-5-21-1606980848-484061587-682003330-74952.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\AadAccountCache.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\Parameters.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\Security.
RegistryScript:: directive failed to complete successfully.




Failed to process all directives successfully.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 200 datablocks.
Finish time: 2024-06-12 13:58:53.338
Script hash: LB1vM+x2QuByMWPsVUkBwADvympaa6rOcKLZQ6TjUes=
----------------------EOF-----------------------

rebooted and can't start either service :(

1718197963329.png

1718197865234.png
 
0x51B means an owner issue, so please try to import the Sense Service key again using FRST and PSExec, maybe it will show another error if it fails.

Please follow these instructions to run the
577bf0efb8088-FRST.png
Farbar Recovery Scan Tool with system privileges.

Download the 64 bit version: - Farbar Recovery Scan Tool Link

Warning: This script was written specifically for this system. Do not run this script on another system.
  • Download PsExec from Microsoft Sysinternals to your desktop.
  • Unzip PsTools.zip to its own directory on the system drive, for example: C:\Tools\PsTools
  • Navigate in an elevated command prompt to the PsTools directory: cd C:\Tools\PsTools.
  • Now copy and paste the following command into the command prompt and press enter. Click on the Agree button when the licence agreement of PsExec appears.
  • Note: Ensure that both FRST64.exe and the Fixlist.txt file are on your desktop! Otherwise you'll need to ammend the command to the right location.
    Code:
    psexec -i -d -s "%userprofile%\desktop\FRST64.exe"
  • FRST will make a new backup of the registry first, please wait until this process is completed.
  • Ensure the provided Fixlist.txt is in the same location as FRST64.exe and then press the Fix button.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally.
  • When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
  • Post the logfile Fixlog.txt as attachment in your next reply.
 

Attachments

Ran the above, log attached. Unable to start either service sense or WinDefend. I was actually thinking it could be permissions as when I try to change Windefend from manual to auto start I see the below.

1718200669060.png

also rebooted and tried to start sense and windefend (no joy)

1718200879984.png
1718200940499.png
 

Attachments

Please run the following commands to compare the keys of the working and problem server.
Code:
reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" "%userprofile%\Desktop\bad.reg"
reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" "%userprofile%\Desktop\good.reg"
 
Please run the following script.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFixScript.txt and save it to your desktop.
  • Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.
650ef5dbdfd06-62151e1bebac4-SFCFix-Txt-Eng.gif

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.

Reboot the server and check the service state of WinDefend and Sense only.
 

Attachments

Rich (BB code):
Failed to set registry key ownership for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend with error code 0x51B.

Now we see the same error for both services, so please run the following script with FRST to list the permissions.

Start the
577bf0efb8088-FRST.png
Farbar Recovery Scan Tool again.
  • Download the attachment fixlist.txt and save it to your desktop.
  • Right-click on FRST.exe and select "Run as administrator".
  • Press the Fix button.
  • When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
  • Post the logfile Fixlog.txt as attachment in your next reply.
 

Attachments

Please import the WinDefend key as follows with FRST and PsExec.

Warning: This script was written specifically for this system. Do not run this script on another system.
  • Navigate in an elevated command prompt to the PsTools directory: cd C:\Tools\PsTools.
  • Now copy and paste the following command into the command prompt and press enter. Click on the Agree button when the licence agreement of PsExec appears.
  • Note: Ensure that both FRST64.exe and the Fixlist.txt file are on your desktop! Otherwise you'll need to ammend the command to the right location.
    Code:
    psexec -i -d -s "%userprofile%\desktop\FRST64.exe"
  • FRST will make a new backup of the registry first, please wait until this process is completed.
  • Ensure the provided Fixlist.txt is in the same location as FRST64.exe and then press the Fix button.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally.
  • When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
  • Post the logfile Fixlog.txt as attachment in your next reply.
 

Attachments

Sorry for the delay, Looks like it completed successfully (log attached), but still can't start either service

errors look the same as before

1718211852001.png
1718211903660.png
I'm going to wrap up for the day. Thanks as always for your help mate. Have a good evening.
 

Attachments

Good Morning,

Please try to start the Sense service again with Process Monitor running.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top