Forum Discussion

PatrickEl's avatar
PatrickEl
Copper Contributor
Mar 10, 2022

Defender for Endpoint | Onboarding 2012R2 via local script | md4ws.msi with error id 15

Hi guys,

 

we onboarded ~70 servers and everything went great so far.

Our last 2012 R2 gets an error related to the sense service:

event viewer:

ms document:

 

 

msi error: 

MSI (s) (28:F4) [18:42:41:915]: Executing op: CustomActionSchedule(Action=RollbackInstallSecFilter,ActionType=3393,Source=BinaryData,Target=UninstallDriver,CustomActionData=c:\Windows\Inf\mssecflt.inf)
MSI (s) (28:F4) [18:42:41:915]: Executing op: ActionStart(Name=InstallSecFilter,,)
Aktion 18:42:41: InstallSecFilter. 
MSI (s) (28:F4) [18:42:41:915]: Executing op: CustomActionSchedule(Action=InstallSecFilter,ActionType=3073,Source=BinaryData,Target=InstallDriver,CustomActionData=c:\Windows\Inf\mssecflt.inf)
MSI (s) (28:44) [18:42:41:915]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI864A.tmp, Entrypoint: InstallDriver
MpWixCA [18:42:41:931] installdriver.cpp(98): BEGIN InstallDriver, pid=0x35e0, tid=0x3764
MpWixCA [18:42:41:931] msiutil.cpp(37): 0: HrMsiGetProperty(0xae, 'CustomActionData', 'c:\Windows\Inf\mssecflt.inf')
MpWixCA [18:42:41:978] installdriver.cpp(76): SetupInstallServicesFromInfSectionW(,DefaultInstall.Services,0) failed, hr=0x80070005
MpWixCA [18:42:41:993] installdriver.cpp(98): END InstallDriver, hr=0x80070005
CustomAction InstallSecFilter returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

 

sadly nothing helps, all prerequisites are given (server are managed and on the same state)

and the sense service will not start.

 

maybe someone has an idea on this?

 

(btw. this is the new onboarding method in preview, not the old SCEP/MMA method)

thanks a lot.

 

E: I already opened a MS case for this a week ago, and they are still trying to solve this, but no success yet.

 

regards

Patrick

  • Had this problem on multiple servers and traced to WinDefend service taking a long time to start added the following to the registry temporarily
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
    "ServicesPipeTimeout"=dword:00075300
    after a reboot ran md4ws manually (elevated) and it installed fine every time.
  • akvabello's avatar
    akvabello
    Brass Contributor

    PatrickEl 

     

    So in my case, I just solved this in the following manner. The issue was it couldn't install the service because there was already a registry key for the service in place. I believe this was due to a previously failed rollback of the MSI attempting to be installed. I had to manually delete the registry key for the windefend service in HKLM\SYSTEM\CurrentControlSet\Services\Windefend.  I tried using sc delete windefend, but always got access denied, even in safe mode. Once I removed the registry key, I rebooted. The service no longer showed in the services MMC. I could then run the install successfully.

  • KevinWBrown's avatar
    KevinWBrown
    Copper Contributor
    Had this problem on multiple servers and traced to WinDefend service taking a long time to start added the following to the registry temporarily
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
    "ServicesPipeTimeout"=dword:00075300
    after a reboot ran md4ws manually (elevated) and it installed fine every time.
  • carlux1's avatar
    carlux1
    Copper Contributor
    Hi PAtrick,

    do you have received a feedback from Microsoft?

    regards
    Carsten
      • carlicht's avatar
        carlicht
        Copper Contributor

        Hi PatrickEl,

         

        thanks for your quick answer. I'll check the link you provide. But I believe we have to do the same way as you described.

         

        Thx

        carsten 

Resources