Windows Server 2016 x64 - unable to enable Defender Missing KB's

It is mind-blowing why this service cannot be started. Please try to start this service again, but keep Process Monitor running for a few more minutes.
 
Morning Mate - I know it's crazy, especially since WinDefend is running now. A longer Process Mon trace is attached as requested; if you need a longer one, let me know. Thanks for sticking with this, I really appreciate your time. It must be very frustrating for you as you're doing all the hard work.
 


Good morning too!

The latest trace is more helpful, and Trend Micro is still an issue! So I would stop all the TM processes first and then try to start the Sense service again.

Code:
6/14/2024 11:09:07 AM	WerFaultSecure.exe	CloseFile	C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\MsSense.exe.5564.protected.dmp	SUCCESS	
6/14/2024 11:09:07 AM	WerFaultSecure.exe	QueryNameInformationFile	C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8735.26020.1009\MsSense.exe	BUFFER OVERFLOW	Name: \ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8735.26020.100
 
Please run also the following command on the working and problem server:
Code:
dir /s /a "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State" > "%userprofile%\Desktop\Dirlist.txt"
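The listing above is meant to be taken on both servers and compared. As an added example (not the command from the post), the PowerShell below exports the same "Health Service State" tree to a CSV per server, calls out any MsSenseS.* files, and diffs two exports with Compare-Object. The folder path is the one quoted in the thread; the output file names and function names are my own.

```powershell
# Added example, not from the thread: comparable listing of the MMA
# "Health Service State" folder on each server, plus a diff of two listings.
# Assumptions: the folder path below is the one quoted in the thread; the
# CSV names and function names are mine.

$healthState = 'C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State'

function Export-HealthServiceStateListing {
    param([string]$OutFile = "$env:USERPROFILE\Desktop\Dirlist-$env:COMPUTERNAME.csv")

    if (-not (Test-Path -LiteralPath $healthState)) {
        Write-Warning "MMA Health Service State folder not found on $env:COMPUTERNAME"
        return
    }

    # -Force matches "dir /a" (hidden and system files included); -File drops directories.
    Get-ChildItem -LiteralPath $healthState -Recurse -Force -File -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'RelativePath'; e = { $_.FullName.Substring($healthState.Length) } },
                      Length, LastWriteTime |
        Export-Csv -LiteralPath $OutFile -NoTypeInformation

    # The onboarding script looks for the Sense installer here (see the PATH NOT FOUND
    # line later in the thread), so show any MsSenseS.* files explicitly.
    Get-ChildItem -LiteralPath $healthState -Recurse -Force -Filter 'MsSenseS.*' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime

    $OutFile
}

function Compare-HealthServiceStateListing {
    param(
        [Parameter(Mandatory)][string]$WorkingCsv,
        [Parameter(Mandatory)][string]$ProblemCsv
    )
    $working = Import-Csv -LiteralPath $WorkingCsv
    $problem = Import-Csv -LiteralPath $ProblemCsv
    # SideIndicator '<=' = only on the working server, '=>' = only on the problem server.
    Compare-Object -ReferenceObject $working -DifferenceObject $problem -Property RelativePath |
        Sort-Object RelativePath
}

# Run on each server, copy the CSVs to one machine, then compare:
# Export-HealthServiceStateListing
# Compare-HealthServiceStateListing -WorkingCsv .\Dirlist-SRV-OK.csv -ProblemCsv .\Dirlist-SRV-BAD.csv
```

The numbered "Monitoring Host Temporary Files N" folders differ from server to server, so expect noise in the path diff; the useful signal is whether MsSenseS.* exists anywhere under the tree on the working server but not on the problem server.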
 
The Trend services below are the ones that were already stopped.

1718359076802.png

Agent view showing unreachable

1718357685949.png

I've looked to see if WerFaultSecure.exe is running in Resource Monitor and can't see it.

Also tried to kill the task, but no luck.

1718358712825.png
 

Thanks, I checked in the event log and couldn't see anything. Ran the script again, same error as expected.

1718361203599.png

Filtered the event source by WDATPOnboarding, but nothing.

Viewing the unfiltered Event Log shows the following Event ID 1000. I can't see Event ID 1000 listed in the MS troubleshooting guide.

1718361451854.png

1718361473530.png
 
Please run this script again with Process Monitor running, post also a new screenshot for the time stamps.
 
Please run FRST again on both servers.

  • Right-click on the file FRST64.exe and choose Run as administrator.
  • Copy and paste the following (code) into the Search box and click the Search Files button.
Code:
MsSenseS.exe;MsSenseS.*
  • When the scan is complete, a message will display that 'Search.txt' is saved in the same folder FRST was started from. Notepad will open this file also.
  • Post the logfile Search.txt as attachment in your next reply.
 
Hmm, that's odd; below is an excerpt of the ProcMon trace while running the script file! However, I have to admit that it is unclear why the Sense service cannot be started and why the script says the Sense service is already onboarded, whereas the value OnboardState is set to 0x0 under the ATP key!

Code:
6/14/2024 1:05:07 PM    svchost.exe    CreateFile    C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 19\1108\MsSenseS.exe    PATH NOT FOUND    Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

Another question: are the MDE.windows extensions still installed on both servers or only the problem server?
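The contradiction noted above (script says "already onboarded", OnboardState is 0, Sense will not start) is easiest to pin down by reading each of those facts directly rather than through the onboarding script. The PowerShell below is an added diagnostic example, not code from the thread or from Microsoft: it reports the Sense and WinDefend service state, the OnboardState value, the newest MsSense.exe under the platform folder, the Defender running mode, and any running Trend Micro services. The service names, the Status key path and the OnboardState meaning (1 = onboarded, 0 = not) are the documented MDE conventions and are assumed here; the 'Trend Micro*' display-name filter is a guess.

```powershell
# Added diagnostic example, not code from the thread: gather the facts the
# onboarding script's "already onboarded" decision rests on, so service state,
# registry flag and platform binary can be compared between servers.
# Assumed (documented MDE conventions, not taken from the thread): service
# names 'Sense' and 'WinDefend', the Status key path, OnboardState 1 = onboarded.
# The Trend Micro display-name filter is a guess.

$atpStatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$platformRoot = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform'

function Get-SenseOnboardingState {
    $report = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. Services: onboarding cannot complete if Sense is absent or will not start.
    foreach ($name in 'Sense', 'WinDefend') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $report[$name] = if ($svc) { "$($svc.Status) (StartType: $($svc.StartType))" } else { 'NOT INSTALLED' }
    }

    # 2. Registry: what the platform itself records about onboarding.
    $status = Get-ItemProperty -Path $atpStatusKey -ErrorAction SilentlyContinue
    $report['OnboardState'] = if ($status -and $null -ne $status.OnboardState) { $status.OnboardState } else { 'missing' }

    # 3. Binary: newest MsSense.exe under the platform folder, if any.
    $exe = Get-ChildItem -Path $platformRoot -Filter MsSense.exe -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $report['MsSense.exe'] = if ($exe) { "$($exe.FullName) ($($exe.VersionInfo.FileVersion))" } else { 'not found' }

    # 4. AV mode: 'Passive Mode' is expected while a third-party AV is primary.
    try {
        $report['AMRunningMode'] = (Get-MpComputerStatus -ErrorAction Stop).AMRunningMode
    } catch {
        $report['AMRunningMode'] = "unavailable ($($_.Exception.Message))"
    }

    # 5. Third-party AV services still running (display-name filter is an assumption).
    $tm = Get-Service | Where-Object { $_.DisplayName -like 'Trend Micro*' -and $_.Status -eq 'Running' }
    $report['TrendMicroRunning'] = if ($tm) { $tm.Name -join ', ' } else { 'none' }

    [pscustomobject]$report
}

Get-SenseOnboardingState | Format-List
```

Run it elevated on the working and the problem server and compare the two outputs line by line; a server where Sense reads NOT INSTALLED while OnboardState is 0 has nothing for the onboarding script to start, regardless of what the script prints.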
 
I know it's very strange; the only thing I can think of regarding the script thinking it's onboarded is that maybe it's because the service isn't started.

The handful I have managed to ever successfully onboard all had Sense and WinDefend running, but Defender was running in passive mode due to Trend being the primary AV solution.

I would just run the install script and it would work. I would sometimes need to change the DisableAntiSpy regkey, but it would then install without issue.

All the ones I've found with defender not installed I've never been able to onboard.

Another question: are the MDE.windows extensions still installed on both servers or only the problem server?
Sorry, not sure what you mean by Microsoft Defender Endpoint extensions installed on the server.

Thanks
 
Sorry, not sure what you mean by Microsoft Defender Endpoint extensions installed on the server.
I mean VM extensions as described here: Automatic extension upgrade for Azure Arc-enabled servers - Azure Arc

All the ones I've found with defender not installed I've never been able to onboard.
Maybe I've found another clue, and that's an outdated MMA (Microsoft Monitoring Agent); see the Reddit post below.


Additional reference: Server migration scenarios for the new version of Microsoft Defender for Endpoint - Microsoft Defender for Endpoint
 
Ah, ok. I don't think these servers are Azure Arc enabled. There's normally a service that runs called Windows Azure Guest Agent, and it's not on these.

Maybe I've found another clue, and that's an outdated MMA (Microsoft Monitoring Agent); see the Reddit post below.


Additional reference: Server migration scenarios for the new version of Microsoft Defender for Endpoint - Microsoft Defender for Endpoint
Thanks, will have a read. MMA is the old version of UA; I think it's EOL Aug 2024, so there is also another piece of work to migrate devices that are onboarded with MMA to UA. The devices I'm looking at now have never been onboarded. Most devices I've come across do have MMA installed, but the ones I'm looking at are not onboarded.

On a side note, there is an option with the install.ps1 script, -RemoveMMA. I've never had to use this, as when WinDefend and Sense are running I can onboard without issue.

I did try -RemoveMMA on our problem server, but the same "device is onboarded, please offboard" error came up. I do think the issue is that we have no Sense service.

Cheers
 
This is the part I was talking about in my previous post about using the -RemoveMMA switch; the script just errors out at the same point because there's no Sense service.

1718376373392.png
 
I'm also having a read of the below in regard to the errors in Event Viewer.

1718377437349.png

Faulting application name: MsSense.exe, version: 10.8735.26020.1009, time stamp: 0x012c5b0c
Faulting module name: MsSense.exe, version: 10.8735.26020.1009, time stamp: 0x012c5b0c
Exception code: 0xc0000409
Fault offset: 0x000000000000cef9
Faulting process id: 0x968
Faulting application start time: 0x01dabe465c1faeb2
Faulting application path: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8735.26020.1009\MsSense.exe
Faulting module path: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8735.26020.1009\MsSense.exe
Report Id: 7b9b5d24-1b6d-444c-b854-3c8708960f50
Faulting package full name:

Faulting application name: MsSense.exe
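Event ID 1000 from the Application Error provider is generic, which is why it does not appear in the onboarding troubleshooting guide; what matters is the exception code and whether the faulting module is MsSense.exe itself. The PowerShell below is an added example, not code from the thread or from Microsoft: it parses the event text into fields, decodes the exception code, and queries the live Application log for the same events. The embedded sample is the event pasted above, so the parser can be exercised offline; the function names and the code table are mine.

```powershell
# Added example, not from the thread: parse Application-log Event ID 1000 text
# for MsSense.exe and decode the fields that matter for triage.
# The sample below is the event pasted in the thread; function names are mine.

$sampleEvent = @'
Faulting application name: MsSense.exe, version: 10.8735.26020.1009, time stamp: 0x012c5b0c
Faulting module name: MsSense.exe, version: 10.8735.26020.1009, time stamp: 0x012c5b0c
Exception code: 0xc0000409
Fault offset: 0x000000000000cef9
Faulting process id: 0x968
Faulting application path: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8735.26020.1009\MsSense.exe
Faulting module path: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8735.26020.1009\MsSense.exe
'@

# NTSTATUS values commonly seen in Event 1000. 0xC0000409 is the fail-fast status
# (STATUS_STACK_BUFFER_OVERRUN) raised by /GS cookie checks and any __fastfail(),
# i.e. the process aborted itself on a consistency check; it is not on its own
# evidence of exploitation.
$knownCodes = @{
    'c0000409' = 'STATUS_STACK_BUFFER_OVERRUN (fail-fast / security check abort)'
    'c0000005' = 'STATUS_ACCESS_VIOLATION'
    'c000007b' = 'STATUS_INVALID_IMAGE_FORMAT'
    'e0434352' = 'unhandled CLR (.NET) exception'
}

function ConvertFrom-AppCrashEvent {
    param([Parameter(Mandatory)][string]$Message)

    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        # Split on the first colon only: the path values contain 'C:\'.
        if ($line -match '^(?<k>[^:]+):\s*(?<v>.*)$') { $fields[$Matches.k.Trim()] = $Matches.v.Trim() }
    }

    $appName = $fields['Faulting application name']; $appVer = $null
    if ($appName -match '^(?<name>[^,]+), version: (?<ver>[^,]+)') { $appName = $Matches.name; $appVer = $Matches.ver }
    $module = $fields['Faulting module name']
    if ($module -match '^(?<name>[^,]+)') { $module = $Matches.name }

    $code = ($fields['Exception code'] -replace '^0x', '').ToLower()
    $meaning = if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'unknown NTSTATUS' }

    [pscustomobject]@{
        Application    = $appName
        Version        = $appVer
        FaultingModule = $module
        ExceptionCode  = "0x$code"
        Meaning        = $meaning
        FaultOffset    = $fields['Fault offset']
        ProcessId      = [int]$fields['Faulting process id']   # PowerShell parses the 0x prefix
        Path           = $fields['Faulting application path']
        # True when the fault is inside MsSense.exe itself rather than a DLL loaded into it.
        SelfFault      = ($fields['Faulting application path'] -eq $fields['Faulting module path'])
    }
}

function Get-MsSenseCrashEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like 'Faulting application name: MsSense.exe*' } |
        ForEach-Object {
            ConvertFrom-AppCrashEvent -Message $_.Message |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
}

# Offline check against the pasted event, then the live log for the last three days.
ConvertFrom-AppCrashEvent -Message $sampleEvent | Format-List
Get-MsSenseCrashEvents -Hours 72 | Format-Table TimeCreated, Version, ExceptionCode, Meaning, FaultOffset
```

Two caveats when reading the results alongside the ProcMon traces earlier in the thread: the `BUFFER OVERFLOW` result on the `QueryNameInformationFile` call is ProcMon's rendering of STATUS_BUFFER_OVERFLOW, meaning the caller's name buffer was too small, and is routine rather than a defect; and the `MsSense.exe.<pid>.protected.dmp` written by WerFaultSecure.exe is an encrypted dump taken from a protected process, so it cannot be opened locally and is only useful when handed to Microsoft support.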
 