Windows Server 2016 x64 - unable to enable Defender Missing KB's

Thanks, I also spotted the permissions for MsSense.exe don't seem correct, they definitely don't match our working server, so I'll need to have a good look through.

Quick question: what are the greyed-out permissions (I've highlighted in yellow)? I thought they may have been inherited, but the tick box isn't checked. They are the same perms applied to C:\Program Files which is one folder down

Working

1718634076718.png

Problem

1718634176488.png
 
Quick question: what are the greyed-out permissions (I've highlighted in yellow)? I thought they may have been inherited, but the tick box isn't checked. They are the same perms applied to C:\Program Files which is one folder down
Good question, when you toggle the checkmark after 'inheritance from parent:' the greyed-out still exist - however, I have no explanation for that...
 
The perms are very strange. Problem server is for some reason inheriting perms from C:\Program Files. I've been playing with the perms both via explorer and SetACL and it seems no matter what I do those three perms are always inheriting from C:\Program Files and not the correct folder. (see below)

Working MsSense
1718639968291.png

Problem MsSense
1718640015921.png

I've also set the perms 3 times on C:\Program Files\Windows Defender Advanced Threat Protection and for some reason each time I open SetACL the changes I've made get reset. I've had to set the perms via Windows Explorer, as when I try to set via SetACL it will let me add, for example, the Administrators perm, but when I press save it's disappearing. Even when setting via Windows Explorer, the perms are resetting.

I've even tried setting each perm one by one, apply, press OK and I thought it was working, then nope, they are reset.

I did manage to get all perms on C:\Program Files\Windows Defender Advanced Threat Protection set correctly (before they magically reset) and ran install.ps1 but it errored out the same, but I've not yet been able to figure out the inheriting issue with the MsSense

Thanks again for your help, I also spotted you posted back over weekend so just wanted to let you know I really appreciate it.

Have a good evening mate
 
Good morning!

Let's try something else, run the following command on the working server to save the permissions to an *ACL file.
Code:
icacls "C:\Program Files\Windows Defender Advanced Threat Protection" /save "%userprofile%\desktop\perms.acl" /t

Copy perms.acl to the problem server and run the following command.
Code:
icacls "C:\Program Files" /restore "%userprofile%\desktop\perms.acl" /t
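To see exactly which owner, inheritance flag and ACEs differ between the two servers, the following added example (not code from the thread) records them per object and diffs the two reports. The CSV file names and the Desktop location are assumptions; run it on both servers and copy the working server's CSV across as `acl-working.csv`.

```powershell
# Added example, not from the thread. Report paths and names are assumptions.
function Get-AclSnapshot {
    param([Parameter(Mandatory)][string]$Root)

    # The folder itself plus everything below it (MsSense.exe included)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Path        = $item.FullName
                Owner       = $acl.Owner
                Protected   = $acl.AreAccessRulesProtected  # True = inheritance disabled on this object
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights.ToString()
                Type        = $ace.AccessControlType.ToString()
                IsInherited = $ace.IsInherited              # True = ACE comes from a parent folder
            }
        }
    }
}

$root   = 'C:\Program Files\Windows Defender Advanced Threat Protection'
$mine   = Join-Path $env:USERPROFILE "Desktop\acl-$env:COMPUTERNAME.csv"
$theirs = Join-Path $env:USERPROFILE 'Desktop\acl-working.csv'   # placeholder: copied from the working server

Get-AclSnapshot -Root $root | Export-Csv -LiteralPath $mine -NoTypeInformation

if (Test-Path -LiteralPath $theirs) {
    $cols = 'Path', 'Owner', 'Protected', 'Identity', 'Rights', 'Type', 'IsInherited'
    # '<=' rows exist only on the working server, '=>' rows only on this one
    Compare-Object (Import-Csv -LiteralPath $theirs) (Import-Csv -LiteralPath $mine) -Property $cols |
        Sort-Object Path, Identity |
        Format-Table -AutoSize
}
```

Re-running the snapshot after each install attempt shows whether the owner or the inherited entries changed between runs.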
 
Good Morning Mate,

Thanks, I was actually reading about ACL files this morning :)

Will give that a try and get back to you with an update
 
I've run the above commands, exporting perms no issue at all, and also was able to import without issue, but this is where the strange issue starts. You can see below I imported the perms no problem first time. I checked in Windows Explorer and we did indeed have all the inherited perms, so far so good.

I ran Install.ps1 this failed same error code and then I opened SetACL and there were no inherited perms showing. After reopening explorer the inherited perms have disappeared and now when I try to import again I'm seeing access denied.

1718697716175.png

I did also try to reset the perms by using the command you provided in a previous post which worked, but now I'm seeing access denied when I try to add the perms back.

1718698068421.png

I'm just not too sure what's resetting the perms yet, it has to either be the script or SetACL
 
(...) you can see below I imported the perms no problem first time. I checked in windows explorer and we did indeed have all the inherited perms, so far so good.
I don't see that, I only see access denied on both screenshots?
 
Sorry, I've probably not explained it well enough. I've just taken ownership of the folder and managed to add the perms back again (see below)

1718699115802.png

Also checked Windows Explorer, looking good

1718699794065.png

Opening SetACL, perms do not look correct. Looks like we only have 2 perms assigned to the folder and there should be 9, the rest are all inherited

1718699835520.png

Run install.ps1, fails with same error code

1718699434566.png

1718699464166.png

On the plus side, I've just checked Windows Explorer again and the perms look correct, the same as they do in the above screenshot
 

Okay, but now it is getting weird at all. The owner is set to TrustedInstaller again instead of System, have you tried to change it to System again using explorer > advanced permissions?
 
Arh seems I didn't. I wonder if the owner was changed when I imported the perms? Anyway I've set the owner to System, run install.ps1 and same fail as above

1718701468236.png
 
Please check the following, is the button "Change permissions" greyed-out on the working server?
 
Looks like System already has full control over the C Drive as per below
1718703979752.png
1718704015771.png

I've also added this to C:\Program Files\Windows Defender Advanced Threat Protection as per the below

1718704297989.png

1718704131933.png
Same error 1603.
 
Please check the following:
  1. Open gpedit.msc
  2. In the tree, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  3. In this Window double-click on Log on as a service
  4. Take a screenshot of this window.
 
This looks good.

Code:
Service '@C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe,-1001'(sense) could not be installed. verify that you have sufficient privileges to install system services.

I found a similar issue as above, and removing the WinDefend service from the registry was the solution to run md4ws.msi and onboarding that server!

Some notes:
The user at TechNet said it might be an issue with a broken description value, and since we have imported this service from the working server it may also be the cause?
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
"DisplayName"="@C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe,-1001"
"Description"="@C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe,-1002"

So we can try to remove the Sense service with the following script to see what happens after a reboot.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFix.zip and save it to your desktop.
  • Drag the SFCFix.zip file over the SFCFix.exe executable and release it.
  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.
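Before a service key like this one is deleted, it is worth recording what it contained and keeping a copy that can be restored. The following is an added example, not part of the original post or of SFCFix: it reports whether the `@<file>,-<id>` resource references in DisplayName and Description point at a file that exists, then exports the key. The function name and the backup file name are assumptions.

```powershell
# Added example, not from the thread. The backup file name is an assumption.
function Backup-SenseServiceKey {
    $psPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sense'
    $regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\Sense'
    $backup  = Join-Path $env:USERPROFILE 'Desktop\Sense-service-backup.reg'

    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Host 'Sense service key not present; nothing to back up.'
        return
    }

    $svc = Get-ItemProperty -LiteralPath $psPath

    # Values of the form "@<file>,-<id>" point at a string resource inside <file>.
    foreach ($name in 'DisplayName', 'Description') {
        $value = [string]$svc.$name
        $row = [ordered]@{ Name = $name; Value = $value; ResourceFile = $null; FileExists = $null }
        if ($value -match '^@(?<file>.+),-(?<id>\d+)$') {
            $row.ResourceFile = [Environment]::ExpandEnvironmentVariables($Matches['file'])
            $row.FileExists   = Test-Path -LiteralPath $row.ResourceFile
        }
        [pscustomobject]$row
    }

    # Keep a copy of the whole key so it can be re-imported with "reg import" if needed
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Host "Backup written to $backup"
}

Backup-SenseServiceKey
```

Run it from an elevated PowerShell session so the export can read the whole key.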
 


Very interesting, I've run the script but not yet tried to onboard again as we have a few failures

SFCFix version 3.0.2.1 by niemiro.
Start time: 2024-06-18 11:48:13.553
Microsoft Windows Server 10 Build 14393 - amd64
Using .txt script file at C:\Users\we02dc\Desktop\SFCFixScript (9).txt [0]




RegistryScript::
Failed to set registry key ownership for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense with error code 0x51B.

Successfully deleted registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense.

Failed to open registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense with error code ERROR_FILE_NOT_FOUND.
RegistryScript:: directive failed to complete successfully.




Failed to process all directives successfully.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 203 datablocks.
Finish time: 2024-06-18 11:48:13.601
Script hash: piipY19RRrPvSTagK7pI/iK3ddKpOV73sFgYwjUI3GY=
----------------------EOF-----------------------
 
Please check if the service is removed from the registry.
Code:
reg query HKLM\SYSTEM\CurrentControlSet\Services\Sense
 
It's been removed, I've also rebooted so the service is no longer showing in services
1718709280904.png

Lo and behold. IT'S WORKED!!!!!!

1718709514015.png
 