Windows Server 2016 x64 - unable to enable Defender Missing KB's

(...) results below
The current owner of this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense is administrators.

This should be System, could you please check this on the working server. This because the Sense service is owned by the System account on all my VM's.
 
Your correct It should be, I've checked the working server and indeed the owner is System.

I've set the problem server to System

1718622460555.png
 
Great, let's hope the error in post #277 is gone now when you run the script again?!
 
Thanks, I've tested it this way

Started PS as system using - C:\Temp\PSTools/psexec.exe /i /s powershell.exe

ran the script within the new PS window, but same error

1718627069967.png
 
Please run the following command on the working and problem server.
Code:
certutil -hashfile "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" SHA256
 
Please compare the permissions of the following directory and the Sense executable with SetACL Studio on both servers.

Code:
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

Code:
C:\Program Files\Windows Defender Advanced Threat Protection
 
Thanks, There seem to be quite a lot of differences

Working Server

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
1718628553118.png
C:\Program Files\Windows Defender Advanced Threat Protection
1718628515010.png

Problem Server

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
1718628780331.png
C:\Program Files\Windows Defender Advanced Threat Protection

1718628757447.png
 
Hmm, please run the following command on the problem server and check the permissions again to see if TrustedInstaller is set as owner.
Code:
icacls "C:\Program Files\Windows Defender Advanced Threat Protection\*" /t /q /c /reset
 
Ran the command output below

1718629599046.png

Both still showing as Administrator owner

1718629822065.png


1718629838341.png
 

Attachments

  • 1718629743091.png
    1718629743091.png
    16.8 KB · Views: 0
  • 1718629725063.png
    1718629725063.png
    34.7 KB · Views: 0
Please run the following script to see if it changes the ownership!

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFixScript.txt and save it to your desktop.
  • Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.
650ef5dbdfd06-62151e1bebac4-SFCFix-Txt-Eng.gif

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.
 

Attachments

Great that's worked, owner is now TrustedInstaller

SFCFix version 3.0.2.1 by niemiro.
Start time: 2024-06-17 14:21:19.416
Microsoft Windows Server 10 Build 14393 - amd64
Using .txt script file at C:\Users\we02dc\Desktop\SFCFixScript (1).txt [0]




TrustedInstaller::
Successfully set file ownership to TrustedInstaller for C:\Program Files\Windows Defender Advanced Threat Protection
Successfully set file ownership to TrustedInstaller for C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
TrustedInstaller:: directive completed successfully.




Successfully processed all directives.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 203 datablocks.
Finish time: 2024-06-17 14:21:19.431
Script hash: XeVas2UPLB2JL6kej1miYha1xi165WsaMiZXSqaqQBg=
----------------------EOF-----------------------
 
Please check the following: open Setting (WIN +I) > System > Apps and Features, is md4ws.msi (Microsoft Defender for Endpoint) listed as installed?
 
No it's not installed on the problem server under Apps & Features, checked on working server and it's installed
 
It seems we'll need to add the SYSTEM account to: "C:\Program Files\Windows Defender Advanced Threat Protection" as well in relation to error 1603 as documented by Microsoft.

I would use SetACL Studio again to add all the permissions on the problem server so it's the same as on the working server.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top