Windows Server 2016 x64 - unable to enable Defender Missing KB's

SFC repaired multiple files in "C:\Program Files\Windows Defender" and "%ProgramData%\Microsoft\Windows Defender". So please check if Windows Defender is started after a reboot.
 
Great stuff, the reboot has populated C:\Program Files\Windows Defender. I ran the onboarding script again and it has stopped again, asking for a reboot.

I can see it seems to be stopping here, looking for the Reg key below; this key is not on the problem server.

[screenshot]

I checked a previous 2016 server I did manage to onboard and the key WinDefend is present (shown below).

[screenshot]

One final thing I spotted was this key below.

[screenshot]

It matches the error of the onboarding script on the 2nd line regarding a pending reboot.

[screenshot]
 

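The onboarding script stops on a pending-reboot condition, which Windows records in a handful of well-known registry locations. The PowerShell below is an added example, not part of this thread or of the onboarding script; it reads those markers so the pending reboot can be confirmed (and the reason seen) before scheduling a restart with the system manager. The function name Get-PendingRebootStatus is my own; the registry paths are the standard servicing, Windows Update, session-manager and computer-rename markers.

```powershell
# Added example (not from the thread): enumerate the registry markers that
# signal a pending reboot, so the onboarding script's "pending reboot" stop
# can be confirmed before a server reboot is requested.
function Get-PendingRebootStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Component Based Servicing marks a pending reboot with this subkey.
    $result['CbsRebootPending'] = Test-Path `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    # The Windows Update agent marks it with this subkey.
    $result['WindowsUpdateRebootRequired'] = Test-Path `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    # File renames/deletes deferred until next boot (e.g. replaced binaries).
    $sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pfro = (Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $result['PendingFileRenameOperations'] = [bool]($pfro -and $pfro.Count -gt 0)

    # A computer rename is pending when the active name differs from the target name.
    $active = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName
    $target = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
    $result['ComputerRenamePending'] = ($active -ne $target)

    # Overall verdict: any marker set means a reboot is pending.
    $result['RebootPending'] = ($result.Values -contains $true)
    [pscustomobject]$result
}

# Run from an elevated PowerShell prompt on the server being onboarded.
Get-PendingRebootStatus | Format-List
```

Each property tells you which subsystem is holding the pending-reboot flag, which is useful when the flag reappears after a reboot (a servicing operation that keeps failing will re-set CbsRebootPending every time).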
Please run the following commands in an elevated prompt and attach "Services.txt and Services.hiv" to your next post.
Code:
WMIC SERVICE GET caption, name, startmode, state > "%userprofile%\desktop\services.txt"
reg save "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" "%userprofile%\Desktop\Services.hiv"
 
Please re-add the WinDefend service with the following fix and let me know the result.

Warning: This fix was written specifically for this system. Do not run this fix on another system.
  • Save any work you have open, and close all programs.
  • Download the attachment SFCFixScript.txt and save it to your desktop.
  • Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.

  • SFCFix will launch, let it complete.
  • Once done, a file will appear on your desktop, called SFCFix.txt.
  • Post the logfile (SFCFix.txt) as attachment in your next reply.
 

Output of the log attached. I was tempted to reboot, but thought I would wait for your response, as I'll need to clear it with the system manager. Cheers
 

Ok, I think we're getting closer.

Below is a working server; note the ImagePath.

[screenshot]

Below is our problem server; note again the ImagePath. It seems we are pointing to a different location. We also seem to be missing the two DLL reg keys on lines 3 and 4 of the screenshot above.

[screenshot]

I did check services but, as expected, the Windows Defender Service did not start, probably due to the above issue. Cheers
 
Please run the following command in an elevated PowerShell prompt on both servers and copy and paste the result.
Code:
Get-MpComputerStatus
 
Please run the following commands on the problematic server again.
Code:
SFC /Scannow
DISM /online /cleanup-image /RestoreHealth
 
0x80041010 = SYNC_E_ITEM_HAS_NO_VERSION_DATA / Operation is not valid as the specified item has no version data

Open wmimgmt.msc, right-click WMI Control (local) and select Properties. Take a screenshot of this window to see if it shows an invalid class issue.
 
Please run the following commands in an elevated prompt and post the result:
Code:
sc config winmgmt start= disabled
net stop winmgmt
ren %systemroot%\system32\wbem\repository repository.old
rd /s /q %systemroot%\system32\wbem\repository
sc config winmgmt start= auto

Then run the following command again in a PowerShell prompt after a reboot:
Code:
Get-MpComputerStatus
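The steps above rebuild the WMI repository destructively (rename and delete, then let winmgmt recreate it), and the thread has been comparing three things by hand between the working and the broken server: whether WMI answers, whether Get-MpComputerStatus returns or fails with 0x80041010, and what the WinDefend service key's ImagePath points to. The PowerShell below is an added example, not from this thread or from SFCFix/FRST; it takes a non-destructive snapshot of all three so the two servers can be diffed before and after the repository reset. The function name Get-DefenderDiagnosticSnapshot is my own; winmgmt /verifyrepository, Get-MpComputerStatus and the WinDefend registry key are real. AMRunningMode only exists on newer Defender platform versions and will simply be empty on older ones.

```powershell
# Added example (not from the thread): snapshot WMI repository health, the
# Defender status call, and the WinDefend service registry entry, so the
# working and the broken server can be compared with the same output.
function Get-DefenderDiagnosticSnapshot {
    [CmdletBinding()]
    param()

    $snap = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Non-destructive consistency check of the WMI repository. Run this before
    # renaming/deleting %systemroot%\system32\wbem\repository, and again after.
    $verify = & winmgmt.exe /verifyrepository 2>&1
    $snap['WmiRepositoryVerify'] = ($verify -join ' ').Trim()

    # Get-MpComputerStatus is backed by the Defender WMI provider, so an
    # "invalid class" style failure here points at missing WMI classes rather
    # than at the service merely being stopped. Capture the error text instead
    # of letting it terminate the snapshot.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $snap['MpStatus']         = 'OK'
        $snap['AMServiceEnabled'] = $mp.AMServiceEnabled
        $snap['AMRunningMode']    = $mp.AMRunningMode   # empty on older platforms
    } catch {
        $snap['MpStatus']         = $_.Exception.Message
        $snap['AMServiceEnabled'] = $null
        $snap['AMRunningMode']    = $null
    }

    # The service key the onboarding script looks for, plus the ImagePath that
    # differed between the two servers earlier in the thread.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
    $snap['WinDefendKeyPresent'] = Test-Path $svcKey
    if ($snap['WinDefendKeyPresent']) {
        $props = Get-ItemProperty -Path $svcKey
        $snap['WinDefendImagePath'] = $props.ImagePath
        $snap['WinDefendStart']     = $props.Start
        # Strip surrounding quotes/arguments and check the binary really exists.
        $exe = $props.ImagePath -replace '^"([^"]+)".*$', '$1'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $snap['WinDefendImageExists'] = Test-Path -LiteralPath $exe
    }

    # Service Control Manager view, which can differ from the registry view
    # until the service key has been re-read after a reboot.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $snap['WinDefendServiceState'] = if ($svc) { $svc.Status.ToString() } else { 'not registered' }

    [pscustomobject]$snap
}

# Run from an elevated PowerShell prompt on both servers and compare the lists.
Get-DefenderDiagnosticSnapshot | Format-List
```

Keeping the output as an object rather than printing piecemeal means you can export it (`Export-Clixml`) from each server and run `Compare-Object` on the two snapshots instead of eyeballing screenshots.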
 
Please do the following to see if this script will reset the WMI repository without any errors.

Download the Farbar Recovery Scan Tool and save it to your Desktop:

Download the 64-bit version: Farbar Recovery Scan Tool Link

Warning: This script was written specifically for this system. Do not run this script on another system.

  • Download the attachment fixlist.txt and save it to your desktop.
  • Right-click on FRST.exe and select "Run as administrator".
  • Press the Fix button.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally.
  • When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
  • Post the logfile Fixlog.txt as attachment in your next reply.
 

Thanks, Fixlog.txt attached. Device has just rebooted. I ran Get-MpComputerStatus again just on the off chance it would work, but same error unfortunately.
 

In the previous screenshot, I overlooked the presence of Trend Micro:
Rich (BB code):
Trend Micro Solution Platform                             Amsp                                      Auto       Running  
Trend Micro Deep Security Agent                           ds_agent                                  Auto       Running  
Trend Micro Deep Security Monitor                         ds_monitor                                Auto       Running  
Trend Micro Deep Security Notifier                        ds_notifier                               Auto       Running

I would suggest removing the Trend Micro security software first.
 
Ah, that's going to be a non-starter, as I doubt I'll have the perms to uninstall it. They use Trend as the main AV. Defender is used in passive mode in order to report to MDE.
 