Windows Server 2016 x64 - unable to enable Defender Missing KB's

You're welcome and this is an interesting problem. In most cases the ISO as source won't work at all, another (healthy) server or newly installed VM is often more effective to resolve such issues.

I would also set back the following value to its original state.
Code:
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 0x1 /f
 
I found a server with defender installed as shown below

I ran the DISM command to point at that server and beforehand also checked to see if the problem server was able to view the C$ share on the target server and it could.

Attached DISM & CBS logs

Thanks
 


I'm going to build a new 2016 VM next week, will get back to you when that's done and tested DISM on a new built server. Just wanted to update you when I found a server running defender. Thanks.
 
That would be the best option, it seems the server you have used as source does not contain the following (RTM) keys and manifest / payload files?

Code:
\DerivedData\Components\amd64_windows-defender-se..-onecore-deployment_31bf3856ad364e35_10.0.14393.0_none_15452e645cc60a6d
\DerivedData\Components\amd64_windows-defender-se..p-amcore-deployment_31bf3856ad364e35_10.0.14393.0_none_1dad59d8988a3b55
\DerivedData\Components\amd64_windows-defender-cl..an-group-deployment_31bf3856ad364e35_10.0.14393.0_none_73cbf62a2f5b1486
\DerivedData\Components\amd64_windows-defender-nis-group-deployment_31bf3856ad364e35_10.0.14393.0_none_45961cfb265ff904
\DerivedData\Components\amd64_windows-defender-ma..-onecore-deployment_31bf3856ad364e35_10.0.14393.0_none_427440246506ae29
\DerivedData\Components\amd64_windows-defender-ma..p-amcore-deployment_31bf3856ad364e35_10.0.14393.0_none_c8df6796b33b11db
\DerivedData\Components\amd64_windows-defender-ma..ll-group-deployment_31bf3856ad364e35_10.0.14393.0_none_a9eedbb27546727b
\DerivedData\Components\amd64_windows-defender-am..initions-deployment_31bf3856ad364e35_10.0.14393.0_none_0753eaec7e8263b9
\DerivedData\Components\amd64_windows-defender-se..-onecore-deployment_31bf3856ad364e35_10.0.14393.0_none_eeb10089b1d8f901
\DerivedData\Components\amd64_windows-defender-se..4-amcore-deployment_31bf3856ad364e35_10.0.14393.0_none_72f84c7ccdd2f635
\DerivedData\Components\amd64_windows-defender-se..-onecore-deployment_31bf3856ad364e35_10.0.14393.0_none_50f5b0f0d3687356
\DerivedData\Components\amd64_windows-defender-se..p-amcore-deployment_31bf3856ad364e35_10.0.14393.0_none_ba25376307ac35c8
\DerivedData\Components\amd64_windows-defender-se..up-wow64-deployment_31bf3856ad364e35_10.0.14393.0_none_c4eef26c00a78f84
\DerivedData\Components\amd64_windows-defender-se..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_37e87d1758fb8c81
\DerivedData\Components\amd64_windows-defender-se..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_c715c95a226e176f
\DerivedData\Components\amd64_windows-defender-ma..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_561f989723d7e123
\DerivedData\Components\amd64_windows-defender-ma..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_19e073f63761c867
\DerivedData\Components\amd64_windows-defender-se..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_510efe584accd087
\DerivedData\Components\amd64_windows-defender-se..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_2b000cc71b15c2c3
\DerivedData\Components\amd64_windows-defender-se..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_47dd78209cb9ebc2
\DerivedData\Components\amd64_windows-defender-se..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_72fc934cdf11d2e0
\DerivedData\Components\amd64_windows-defender-se..oyment-languagepack_31bf3856ad364e35_10.0.14393.0_en-us_85ca93f619cf5198
 
Interesting, so I guess even though it has Defender installed, it doesn't mean it will have the payload files. It's bank holiday here in the UK on Monday so will build the server Tuesday. Enjoy your weekend mate, and will catch up with you next week.
 
Could you please provide a copy of the COMPONENTS and CBS hive to look at this weekend?

Upload your COMPONENTS hive.
  • Navigate to C:\Windows\System32\Config and locate the COMPONENTS file.
  • Please copy this file to your desktop.
  • Note: If you receive an error that this file is in-use, simply reboot your computer and try again.
  • Right-click on this file on your desktop and select Send To > Compressed (zipped) folder. This will create a file named COMPONENTS.ZIP on your desktop.
  • If the file is too large to upload here, upload the file to www.wetransfer.com and post the link in your next reply.

Export CBS (Component Based Servicing) hive
  • Click on the Start button and type regedit
  • When you see regedit on the list, right-click on it and select Run as administrator.
  • When regedit opens, using the left pane, navigate to the following registry key and select it by clicking on it once.
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
  • Once selected, click File > Export....
  • Change the Save as type: to Registry Hive Files (*.*).


  • Name this file ComponentBasedServicing (with no file extension) and save it to your Desktop.
  • Right-click on the saved file and choose Send > Compressed (zipped) Folder.
  • Attach the .ZIP file to your next post.
  • If the file is too large to upload here, upload the file to www.wetransfer.com and post the link in your next reply.
 
even though it has defender installed, it doesn't mean it will have the payload files.
That's right, sometimes RTM files are deleted from the WinSxS folder after an (auto) cleanup if they are no longer required...

P.s. Have a nice weekend too...
 
Thanks, I will look at the files this weekend to compare them with some VMs here.. (y)
 
Hi Mate, hope you're well.

I've built a new Windows Server 2016 VM. I've had to use the client's VM template as they would not allow me to build one from ISO. Defender is indeed installed and running. I've pointed the problem server at the new 2016 server and no luck, screenshot below showing error.

The error came up as soon as I ran the command, almost like DISM didn't check the share.

The problem server can see the new server fine, I tested this.

I've attached new CBS logs

Cheers
 


Hi,

I've had to use the client's VM template as they would not allow me to build one from ISO.

Okay, are you able to clone a problematic server to test some things outside the production environment?

You can also download a copy of the WinSxS folder of my VM here to use as source, this package contains all the RTM files: WinSxS.7z - Shared with pCloud
 
That's a great idea. I'll see what I can do and get back to you tomorrow. Thanks for the files, will download those now. I take it we are going to copy those files to the cloned problem server's windows WinSxS folder and then run DISM?
 
I take it we are going to copy those files to the cloned problem server's windows WinSxS folder and then run DISM?
No, please extract the WinSxS.7z file to a separate directory, for example D:\SourceFiles\WinSxS. Do not replace the current WinSxS folder.

The command should be:
Code:
DISM /Online /Enable-feature:Windows-Defender /All /Source:D:\SourceFiles\WinSxS\ /LimitAccess
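
A pre-flight check for the alternate source folder used in the command above, as an added example that is not part of the original posts. It assumes component manifests sit in a `Manifests` subfolder named after the component key with a `.manifest` extension; the function name `Test-DefenderSource` is hypothetical, and the three component names are copied from the list quoted earlier in the thread.

```powershell
# Added example: check an alternate /Source folder before running DISM against it.
# Assumption: manifests live in <source>\Manifests as <component key name>.manifest.
param(
    [string]$SourcePath = 'D:\SourceFiles\WinSxS'   # extraction path suggested in the thread
)

# Three of the RTM key names quoted earlier in the thread (copied as posted).
$expected = @(
    'amd64_windows-defender-nis-group-deployment_31bf3856ad364e35_10.0.14393.0_none_45961cfb265ff904',
    'amd64_windows-defender-ma..ll-group-deployment_31bf3856ad364e35_10.0.14393.0_none_a9eedbb27546727b',
    'amd64_windows-defender-am..initions-deployment_31bf3856ad364e35_10.0.14393.0_none_0753eaec7e8263b9'
)

function Test-DefenderSource {
    param([string]$Source, [string[]]$Components)

    $manifestDir = Join-Path $Source 'Manifests'
    if (-not (Test-Path -LiteralPath $manifestDir -PathType Container)) {
        throw "No Manifests folder under '$Source'; this is not a usable WinSxS copy."
    }
    foreach ($name in $Components) {
        $file = Join-Path $manifestDir "$name.manifest"
        [pscustomobject]@{
            Component = $name
            Present   = Test-Path -LiteralPath $file -PathType Leaf
        }
    }
}

$result  = @(Test-DefenderSource -Source $SourcePath -Components $expected)
$missing = @($result | Where-Object { -not $_.Present })
$result | Format-Table -AutoSize -Wrap

# Count every 10.0.14393.0 Defender manifest so two candidate sources can be compared.
$rtm = @(Get-ChildItem -LiteralPath (Join-Path $SourcePath 'Manifests') `
            -Filter 'amd64_windows-defender-*_10.0.14393.0_*.manifest' -File)
"{0} Defender RTM manifests found in {1}" -f $rtm.Count, $SourcePath

if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) sampled manifest(s) missing from this source."
} else {
    'Source contains the sampled RTM manifests.'
}
```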
 
You're welcome. And let's see the result, maybe we'll need to replace a number of registry keys as well, it seems many RTM keys are missing the f! marks.
 
Hi, Just wanted to check in with an update. I've had quite a few meetings with the client regarding the cloning of the device and received quite a lot of pushback from the infrastructure team.

I've explained the situation and they are willing to let me clone a prod server, however they will not let me give the server any sort of network connection. I've explained we could rename the server and add this to a DEV environment, obs removing any application services beforehand, but they seem unwilling to do so.

If we have no network, and as a side note I have no USB access to this environment, I'll have no way of copying anything to and from the server, e.g. logs, fixes etc.

I've suggested we go down the snapshot route and I work on this out of hours and they seem happy with that approach. I would prefer the cloning route, but unfortunately it's not my call.

I'll snapshot the server this evening 5:30pm and try the DISM fix in your last post then provide CBS logs.

Thanks
 
Okay, let me know the result. Instead of DISM you can also try the Server Manager and specify in the confirmation window the alternate source path to the copy of the WinSxS folder.
 
I was able to test a little earlier.

Files copied to D:\SourceFiles\WinSxS


Used server manager to try and re-enable defender pointing the location at D:\SourceFiles\WinSxS, this failed with no error code

Also tried DISM, this also failed


New CBS logs attached, Thanks
 


Please run the following fix on this snapshot and try to install the Defender Feature again with the other WinSxS folder as source.

Download SFCFix and save it to your desktop.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFix.zip and save it to your desktop.
  • Drag the SFCFix.zip file over the SFCFix.exe executable and release it.

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.
 


Unfortunately failed with both server manager and DISM. Server Manager takes a little time and fails after a few moments, DISM fails straight away. Log files attached. Thanks
 

