Windows Server 2016 x64 - unable to enable Defender Missing KB's

Unfortunately, the SFCFix result is empty? So I wonder if the fix applied successfully.

Please do the following again.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFix.zip and save it to your desktop.
  • Drag the SFCFix.zip file over the SFCFix.exe executable and release it.

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.
 


Interesting, I just had a look at the attached from the previous post and it looks corrupted, it should look like the below. I've re-attached again, hopefully that will work, Thanks

 


Please try to install Defender again with Process Monitor running.

Step#1 - Capture Process Monitor Trace
1. Download and run Process Monitor. Leave this running while you perform the next steps.
2. Try updating the system just like you have in the past.
3. Stop Process Monitor as soon as it fails. You can simply do this by clicking the square (CTRL +E) on the toolbar as shown below.



4. Select the File menu...Save... and save the file to your desktop. This is likely the default location. The name (unless changed) will be LogFile.PML. This is fine.
5. Zip up the LogFile.PML and upload it to WeTransfer and provide the link.
6. Attach also the CBS and DISM log for the time stamps.
 
Process Mon set up to capture, proceeded to enable defender via SM and DISM (obs failed as expected)

Logs.7z attached containing log files below. Managed to zip it to just over 50MB so was able to attach to the post. Cheers

LogFile.PML
CBS
DISM


Update *Seems it didn't attach probably due to size. I'll send via the link in a moment will need to use personal laptop*
 
50Mb is too large, 30Mb is the max to attach. So please use WeTransfer to share the files here.
 
I've filtered the log, so please do the following to check some of the WinSxS folder on this server.

Open an elevated command prompt and run the following command. Attach Dirlist.txt to your next post.
Code:
dir /s /a %systemroot%\WinSxS\amd64_windows-defender-drivers_31bf3856ad364e35_10.0.14393.0_none_1e417abb0bebd499 > "%userprofile%\Desktop\Dirlist.txt"
 
The following fix to apply for this snapshot is too large to attach, so I've uploaded it here: SFCFix.zip

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFix.zip and save it to your desktop.
  • Drag the SFCFix.zip file over the SFCFix.exe executable and release it.

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.

Afterwards try to install the Defender Feature, but I would reboot the server first.
 
Ran fix, rebooted server, then completed below steps.


Reenabled via SM - Pointing location to D:\SourceFiles\WinSxS


Reenabled via SM - NOT Pointing location to D:\SourceFiles\WinSxS



Ran DISM - Different error this time




I'm finishing for the day now, thanks as always for your help. I keep expecting you to say this will need an in-place upgrade, which is what the solution is on every other forum, but you keep coming up with new ideas. Very much appreciated
 


It seems we are making some progress, please provide the following files.

Upload your COMPONENTS hive.
  • Navigate to C:\Windows\System32\Config and locate the COMPONENTS file.
  • Please copy this file to your desktop.
  • Note: If you receive an error that this file is in-use, simply reboot your computer and try again.
  • Right-click on this file on your desktop and select Send To > Compressed (zipped) folder. This will create a file named COMPONENTS.ZIP on your desktop.
  • If the file is too large to upload here, upload the file to www.wetransfer.com and post the link in your next reply.

Export SBS (SideBySide) hive
  • Click on the Start button and type regedit
  • When you see regedit on the list, right-click on it and select Run as administrator.
  • When regedit opens, using the left pane, navigate to the following registry key and select it by clicking on it once.
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
  • Once selected, click File > Export....
  • Change the Save as type: to Registry Hive Files (*.*).


  • Name this file SideBySide (with no file extension) and save it to your Desktop.
  • Right-click on the saved file and choose Send > Compressed (zipped) Folder.
  • Attach the .ZIP file to your next post.
  • If the file is too large to upload here, upload the file to www.wetransfer.com and post the link in your next reply.
 
Good morning too!

Here's the next fix.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFixScript.txt and save it to your desktop.
  • Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.

Afterwards try to install the Defender feature again and post the result including the CBS logs if it fails...
 


Wooo Hooo it's worked!!! Thanks ever so much my friend absolutely outstanding!!


I need to reboot the server in order to onboard to MDE, but I'm sure it'll be fine after the reboot


I'm going to donate to the site, but was wondering is there any way I can also donate to you personally after all the help you have offered?

I suppose the million dollar question is how would I implement this to the other servers on my own. I'm thinking most of the steps before we used the payload files can be disregarded and maybe understand how the last two fixes were made?

Thanks Again
 
That's great news! Let me know the result after the restart to see Windows Defender works correctly.

I have merged the latest fixes, and you can use this server as source! If it fails apply the attached fix first and try again.

Merged fix: SFCFix.zip

Please try this on another server first to see if this is the solution for all the other servers?

And many thanks for your donation to Sysnative... (y)
 
Quick update, seems we are so so close, but not quite at the finishing line. I've rebooted the server and tried to onboard to MDE and the script fails asking for the device to be rebooted, so I rebooted again just to be sure and I got the same error.

I checked the logs on the script and spotted the line "Image path is null or empty" (see below)

[09 24/06/05T17:27:17.634 Install.ps1:1221] 'WindDefend' service status is ''
[09 24/06/05T17:27:17.665 Install.ps1:1224] WARNING: 'WinDefend' image path is null or empty. Still the 'Windows-Defender' feature state is Enabled
[:09 24/06/05T17:27:17.697 Install.ps1:208] HKLM:\SOFTWARE\Microsoft\Microsoft Defender for Endpoint Install[PendingReboot]=24/06/05T17:25:40.499
[:09 24/06/05T17:27:17.665 Install.ps1:1228] Restart is required by 'Windows-Defender'
[:09 24/06/05T17:27:17.697 Install.ps1:212] Script will exit with code 12(0xc)


I had a quick look in C:\Program Files\Windows Defender and the folder is empty (platform folder is also empty), which at a guess is probably why Defender isn't running, although when I check with PS, Defender is indeed showing as installed.


I did try to re-enable defender via PS and that command ran successfully, tested the script again and same reboot error. Lastly I used DISM to try to re-enable the feature using the command below

DISM failed - DISM /Online /Enable-feature:Windows-Defender /All /Source D:\SourceFiles\WinSxS\ /LimitAccess

This is currently stuck at 33.4%


CBS logs attached, Cheers
 


Hi,

Please run Windows Update to see if KB4052623 is offered; if not, download version 4.18.24050.7 from the update catalog and install this update manually.
 
Morning, Downloaded from update catalog tried to install but nothing happens. Defender folder still empty, cheers
 


Please check "%ProgramData%\Microsoft\Windows Defender", there should be a platform directory including the "4.18.24050.7" folder. This update is a silent installer, so you will not see anything when this executable is launched.

Run also the System File Checker and post the result.
Code:
SFC /Scannow
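
A read-only check of the state described in the posts above (feature reported as enabled, empty 'WinDefend' image path, missing platform folder), as an added PowerShell example that is not part of the original thread or of the MDE onboarding script. The function name and output property names are hypothetical, and it assumes the ServerManager module is available, as it is on Windows Server.

```powershell
# Added example (not from the thread): read-only check of the Defender install state.
# Function name and output property names are hypothetical.
function Get-DefenderInstallState {
    [CmdletBinding()]
    param(
        # Feature name as it appears in the onboarding log quoted above.
        [string]$FeatureName = 'Windows-Defender',
        [string]$PlatformRoot = (Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'),
        [string]$ProgramDir = (Join-Path $env:ProgramFiles 'Windows Defender')
    )

    # Feature state as Server Manager sees it (ServerManager module, Windows Server only).
    $feature = Get-WindowsFeature -Name $FeatureName -ErrorAction SilentlyContinue

    # Service registration: ImagePath is the value the onboarding script reported as empty.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
    $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $binary = $null
    if ($imagePath) {
        # Assumes the value is a single, optionally quoted path with no arguments.
        $binary = [Environment]::ExpandEnvironmentVariables($imagePath.Trim('"'))
    }
    $service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    # Version folders under the platform directory, and files in the Program Files folder.
    $versions = @(Get-ChildItem -Path $PlatformRoot -Directory -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
    $fileCount = @(Get-ChildItem -Path $ProgramDir -File -Recurse -ErrorAction SilentlyContinue).Count

    $binaryOnDisk = [bool]($binary -and (Test-Path -LiteralPath $binary -PathType Leaf))
    $installed = ($feature -and $feature.InstallState -eq 'Installed')

    [pscustomobject]@{
        FeatureState     = if ($feature) { "$($feature.InstallState)" } else { 'NotFound' }
        ServiceStatus    = if ($service) { "$($service.Status)" } else { 'NotRegistered' }
        ImagePath        = $imagePath
        BinaryOnDisk     = $binaryOnDisk
        PlatformVersions = $versions
        ProgramDirFiles  = $fileCount
        # Feature reports installed but the service has no usable binary: the condition
        # behind the "image path is null or empty" warning in the log.
        Inconsistent     = [bool]($installed -and -not $binaryOnDisk)
    }
}

Get-DefenderInstallState | Format-List
```

Running it from an elevated prompt before and after each repair attempt shows whether the platform folder and the service registration changed, independently of what the feature state reports.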
 
Thanks for the above. Seems only the old version is showing in %ProgramData%\Microsoft\Windows Defender


Scannow result below and logs attached

Thanks
 
