clubbing80s
Copper Contributor
Mar 30, 2023

Onboarding Defender on Hyper V Server 2019, failing with error [Error Id: 15, Error Level: 1]

Hi,

I have a Windows Server 2019 Hyper-V server that is failing the Defender for Endpoint onboarding with the following error 

[Error Id: 15, Error Level: 1] Unable to start Microsoft Defender for Endpoint Service. Error message: The service name is invalid.

I looked in the onboarding script and the error comes from:
net start sense

I have run 
c:\Temp>sc query sense
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

Which confirms that the service is missing / not installed. 

I have installed all the updates / KBs from the troubleshooting guide but none have helped.

I have confirmed there are no policy settings preventing Defender from running.

 

How do I install the "sense" service used by Defender?

  • Andy_AIT
    Copper Contributor
    Hey mate, so, apologies if I'm telling you to suck eggs here and you already did this, but I've gone round in circles 3 times now, trying to deploy on a 2012 R2 server (yea, EOSL and all that, I know, anyways.)

    I went to Defender, Settings > Endpoints > Onboarding and set "Server 2012, Local script"
    thought "nah it's just one computer, I don't need the installation package, I'll just get the onboarding package."

    3 times now, I've ignored the "installation package" and just got the onboarding package and got the same error as you. No Sense Service. Racking my brain, stepped through the script line by line. Validated all the registry settings, deleted all the registry settings, rebooted, tried again. Still no sense service.

    I'm making my fourth attempt now. Downloaded the installation package. Ran it.
    Now I can see Service Control Manager installing the Sense Service.
    Re-ran the script.

    Onboarded successfully.

    So, if you're using down-level server OS and you haven't already checked that you ran the installation package as WELL as the onboarding package, start there. Of course, if you HAVE done this, then just ignore me

  • gilblumberg
    Iron Contributor
    Installing the Unified Installer package downloaded from the MDE portal also includes the sensor install. Even if the install is successful and the server is onboarded into MDE, Azure Arc won't recognise that the "MDE.Windows" extension is installed.

    There is a specific method that Microsoft provided to me to effectively do a manual install of the MDE.Windows extension, but it's quite convoluted and in fact when we attempted it yesterday on a call with Microsoft engineers, it failed.
    Discussed in a different ongoing thread - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/re-install-mde-windows-extension/m-p/3781123/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExGU0RPREhVTU1HUUFDfDM3ODExMjN8U1VCU0NSSVBUSU9OU3xoSw#M3420
    • gilblumberg
      Iron Contributor
      In a surprising turn of events, all servers which had the error installing the MDE.Windows extension, now have the extension installed. So I think either...
      1. Azure just kept trying until it succeeded
      2. Microsoft found the root cause and fixed the back-end
      3. Microsoft engineers used a manual method and fixed directly on our tenant.

      Am following up with Microsoft
      • clubbing80s
        Copper Contributor
        Thanks for the updates.
        Had quite a few cases in the Defender onboarding where the exact cause was not clear. That said, we had to push through a large number of machines so we didn't spend any more time than was required to get it working. Ironically the Linux machines were easier than the Windows.
  • gilblumberg
    Iron Contributor
    Having same error, have ticket open with Microsoft, I'll update once resolved
    • gilblumberg
      Iron Contributor
      Only update so far from this ticket is that they were able to recreate the issue with multiple machines, and only when affecting Server 2016.
