Windows Defender Install Sufficient Privileges


I am trying to install Defender on Windows Server 2012 R2 and get the error "...don't have sufficient privileges to install system services", even though I am an Administrator on the server. Any help or insight is appreciated; see the full error in the attachment. "...\MpAsDesc.dll, -310"

 

Using md4ws.msi 

5 Replies

@Adam_Bleakney having the exact same issue, have lodged a ticket with MS support, I'll reply if they come back with anything useful.

 

I noted that in the System and Application event logs, during the installer, a log is generated that indicates that the failure of the installation is partially caused by a timeout in starting the WinDefend service, presumably because it can't install it, and the time you take to press the 'Retry' button is counted before the .msi proceeds to the next step of starting the service.

 

All Windows Server 2012 R2 servers patched to the prerequisite level.

@JPearce Hi,

I have the same issue, only on two machines out of about 200, both are Windows Server 2012 R2, fully upgraded.

Please post update if you have any.

 

Regards,

Andrey

We see the same here. Most 2012 R2 servers won't complete the install. All prereqs are done.

We've tried moving the server to an OU without any GPO applied, ensured we are local admins, been through anything and everything.

 

However, we were able to do the install and onboard on a few 2012 R2 servers. No difference in patch level, local permissions, or GPO. So this seems so random.

@JPearce Hi all,

So in my travels with Microsoft Support so far, we've tried the following:

- Ensuring that the prerequisite KBs (KB2999226, KB3080149, KB5006714) are installed prior to running the md4ws.msi file
- Ensuring that the .msi is called using the official MS Down-level device deployment script (https://raw.githubusercontent.com/microsoft/mdefordownlevelserver/main/Install.ps1)
- Installing using system context through PsExec, same result
- Applying a Sense Client standalone upgrade package before installing/after failed install to see if it works, same result

 

I've found that through painstaking trial and error, devices that have had the error can be onboarded, but there appears to be no rhyme or reason to when the device will let you do it - One had issues all afternoon that I replicated in a live session with the Microsoft engineer, trying all of the above and more - the next morning it worked on the first attempt. I'm finding this true for a few of them.

 

In addition, on the devices we've managed to onboard, I've found an issue where defining a proxy for DfE to use through local group policy or through the 'TelemetryProxyServer' registry value is not working, and the only way to get it to onboard is to temporarily define a system-wide WinHTTP proxy (which creates other issues and is not a great option). I'll post about that here too in case any of you are facing the same problems.

 

Thanks,

Josh

@Adam_Bleakney 

 

I know it's a bit later on but I found a way to get this working on the Windows Server (2012 R2) that I was having the exact same issue with.

 

It seemed to throw this error due to the service "WinDefender" being installed. 

 

For me I tried to install the md4ws.msi from the get go but got an error so went back and installed a bunch of updates, then ran into the above error.

After trying again and again eventually I found the above mentioned "WinDefender" service that had a broken description, leading me to believe this was the problem.

I removed this service by deleting it from the registry, this was done by deleting the reg key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl\Services\WinDefender" and then restarting.

Once the server came back up, I ran the installer via an admin command prompt and bingo! It installed successfully. I could then carry on with the onboarding process.

 

I hope this helps and works for you! (and others).
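
The checks discussed across this thread, gathered into one read-only PowerShell script. This is an added example, not code from any poster or from Microsoft. It assumes services are registered under the standard `HKLM:\SYSTEM\CurrentControlSet\Services` path and that Service Control Manager events 7000 (service failed to start) and 7009 (start timeout) are the relevant ones for the WinDefend timeout mentioned above.

```powershell
# Added example: read-only pre-install check before running md4ws.msi on
# Windows Server 2012 R2. It changes nothing; run from an elevated prompt.

# Prerequisite KBs exactly as listed in the thread.
$requiredKbs = 'KB2999226', 'KB3080149', 'KB5006714'
$installed   = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

$kbReport = foreach ($kb in $requiredKbs) {
    [pscustomobject]@{
        Check  = "Hotfix $kb"
        # 'not listed' can also mean a later rollup superseded this KB.
        Result = if ($installed -contains $kb) { 'present' } else { 'not listed' }
    }
}

# Look for existing Defender service registrations left by earlier attempts.
# 'WinDefend' is the name used in the event-log reply, 'WinDefender' the name
# used in the last reply; the services root is an assumption (standard path).
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svcReport = foreach ($name in 'WinDefend', 'WinDefender') {
    $key = Join-Path $servicesRoot $name
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Check  = "Service key $name"
            # An empty or unresolved Description is the symptom the last reply describes.
            Result = "exists; ImagePath='$($p.ImagePath)'; Description='$($p.Description)'"
        }
    } else {
        [pscustomobject]@{ Check = "Service key $name"; Result = 'absent' }
    }
}

# Service start failures and timeouts from the last 7 days that mention Defender.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009
    StartTime    = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender|WinDefend' }

@($kbReport) + @($svcReport) | Format-Table -AutoSize -Wrap
$events | Select-Object TimeCreated, Id, Message | Format-List
```

Export any service key the script reports (for example with `reg export`) before deleting it, so the registration can be restored if removal does not resolve the install error.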