Defender for Endpoint | Onboarding 2012R2 via local script | md4ws.msi with error id 15


Hi guys,

We onboarded ~70 servers and everything went great so far.

Our last 2012 R2 gets an error related to the Sense service:

[image: 2022-03-10_16h01_51.png]

Event viewer:

[image: 2022-03-10_16h02_03.png]

MS document:

[image: 2022-03-10_16h04_33.png]

MSI error:

MSI (s) (28:F4) [18:42:41:915]: Executing op: CustomActionSchedule(Action=RollbackInstallSecFilter,ActionType=3393,Source=BinaryData,Target=UninstallDriver,CustomActionData=c:\Windows\Inf\mssecflt.inf)
MSI (s) (28:F4) [18:42:41:915]: Executing op: ActionStart(Name=InstallSecFilter,,)
Aktion 18:42:41: InstallSecFilter. 
MSI (s) (28:F4) [18:42:41:915]: Executing op: CustomActionSchedule(Action=InstallSecFilter,ActionType=3073,Source=BinaryData,Target=InstallDriver,CustomActionData=c:\Windows\Inf\mssecflt.inf)
MSI (s) (28:44) [18:42:41:915]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI864A.tmp, Entrypoint: InstallDriver
MpWixCA [18:42:41:931] installdriver.cpp(98): BEGIN InstallDriver, pid=0x35e0, tid=0x3764
MpWixCA [18:42:41:931] msiutil.cpp(37): 0: HrMsiGetProperty(0xae, 'CustomActionData', 'c:\Windows\Inf\mssecflt.inf')
MpWixCA [18:42:41:978] installdriver.cpp(76): SetupInstallServicesFromInfSectionW(,DefaultInstall.Services,0) failed, hr=0x80070005
MpWixCA [18:42:41:993] installdriver.cpp(98): END InstallDriver, hr=0x80070005
CustomAction InstallSecFilter returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

 

Sadly nothing helps; all prerequisites are met (the servers are managed and in the same state), and the Sense service will not start.

 

maybe someone has an idea on this?

 

(btw. this is the new onboarding method in preview, not the old SCEP/MMA method)

thanks a lot.

 

E: I already opened a MS case for this a week ago, and they are still trying to solve this, but no success yet.

 

regards

Patrick
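
An added triage example for the MSI log quoted in the post above (not code from the thread or from Microsoft; the function names are hypothetical). It pairs each failing custom action with the innermost failing call and decodes the HRESULT: 0x80070005 is the Win32 "access denied" error (code 5) wrapped as an HRESULT, while 1603 is only the installer's generic fatal-error exit code.

```powershell
# Added example; not code from the thread. Function names are hypothetical.
function Convert-HResult {
    param([string]$Hex)
    $hr       = [Convert]::ToInt64($Hex, 16)
    $facility = ($hr -shr 16) -band 0x1FFF
    $code     = [int]($hr -band 0xFFFF)
    # FACILITY_WIN32 (7) wraps a Win32 error code that the OS can describe.
    $text = if ($facility -eq 7) {
        (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
    } else { 'not a wrapped Win32 error' }
    [pscustomobject]@{ Facility = $facility; Code = $code; Text = $text }
}

function Get-MsiCustomActionFailure {
    param([string[]]$LogLine)
    $entry = $null; $call = $null; $hex = $null
    foreach ($line in $LogLine) {
        if ($line -match 'Invoking remote custom action\..*Entrypoint: (?<e>\w+)') {
            # A new custom action starts: forget failures from the previous one.
            $entry = $Matches['e']; $call = $null; $hex = $null
        } elseif ($line -match '(?<c>\w+)\([^()]*\) failed, hr=(?<h>0x[0-9a-f]{8})') {
            # Innermost API call that failed, with its HRESULT.
            $call = $Matches['c']; $hex = $Matches['h']
        } elseif ($line -match 'CustomAction (?<a>\w+) returned actual error code (?<x>\d+)') {
            $action = $Matches['a']; $exit = [int]$Matches['x']
            $d = if ($hex) { Convert-HResult -Hex $hex }
            [pscustomobject]@{
                CustomAction = $action; ExitCode = $exit; Entrypoint = $entry
                FailedCall = $call; HResult = $hex
                Win32Code = $d.Code; Meaning = $d.Text
            }
            $entry = $null; $call = $null; $hex = $null
        }
    }
}

# Lines copied from the log in the post above.
$sample = @'
MSI (s) (28:44) [18:42:41:915]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI864A.tmp, Entrypoint: InstallDriver
MpWixCA [18:42:41:931] installdriver.cpp(98): BEGIN InstallDriver, pid=0x35e0, tid=0x3764
MpWixCA [18:42:41:931] msiutil.cpp(37): 0: HrMsiGetProperty(0xae, 'CustomActionData', 'c:\Windows\Inf\mssecflt.inf')
MpWixCA [18:42:41:978] installdriver.cpp(76): SetupInstallServicesFromInfSectionW(,DefaultInstall.Services,0) failed, hr=0x80070005
MpWixCA [18:42:41:993] installdriver.cpp(98): END InstallDriver, hr=0x80070005
CustomAction InstallSecFilter returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
'@ -split "\r?\n"

Get-MsiCustomActionFailure -LogLine $sample | Format-List
```

For a full verbose log, pass the output of `Get-Content` on the log file as `-LogLine`; the `Meaning` text is produced by the operating system and appears in its display language.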

5 Replies
Hi Patrick,

Have you received any feedback from Microsoft?

regards
Carsten

@carlux1 

Hi Carsten,

 

We tried a bunch of KB installations (they were already installed) and all of this:

https://github.com/microsoft/mdefordownlevelserver

There was no solution in sight, so we went back to MMA and SCEP.

Maybe the link helps you? :)

Regards

Patrick

Hi PatrickEl,

 

Thanks for your quick answer. I'll check the link you provided. But I believe we have to do it the same way as you described.

Thx

Carsten

Worked after these steps:

1. Upgrade Hyper-V Integration Services

[image: Hyper-V_update.jpg]

2. Copy these files from a successfully installed Windows 2012 R2 server to the system where the problem is:

C:\Program Files\Windows Defender

C:\Program Files\Windows Defender Advanced Threat Protection

C:\ProgramData\Microsoft\Windows Defender

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection

3. Export these service registry keys from a successfully installed Windows 2012 R2 server to the system where the problem is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]

4. Restart

5. Microsoft Defender for Endpoint offboarding process

Run WindowsDefenderATPOffboardingScript.cmd

6. Run manual installation

Run md4ws.msi

7. Restart

Perhaps some steps are not needed; let that be the subject of discussion.
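
An added read-only check for the procedure in the reply above (not code from the thread; `Get-DefenderInstallState` and the CSV file names are hypothetical). It records the state of the four service keys and four folders named in steps 2 and 3, so the working and the failing server can be compared before anything is copied and again after step 7.

```powershell
# Added example; not code from the thread. Get-DefenderInstallState is a hypothetical name.
function Get-DefenderInstallState {
    # Service keys and folders exactly as listed in the reply above.
    $services = 'Sense', 'WdNisDrv', 'WdNisSvc', 'WinDefend'
    $folders  = @(
        'C:\Program Files\Windows Defender'
        'C:\Program Files\Windows Defender Advanced Threat Protection'
        'C:\ProgramData\Microsoft\Windows Defender'
        'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    )
    foreach ($name in $services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Item   = "service:$name"
            Detail = if ($reg) { "Start=$($reg.Start); ImagePath=$($reg.ImagePath)" } else { 'key missing' }
            State  = if ($svc) { [string]$svc.Status } else { 'not registered' }
        }
    }
    foreach ($path in $folders) {
        $exists = Test-Path -LiteralPath $path
        # Count only top-level entries; deeper content (definitions, logs) differs per host.
        $count  = if ($exists) {
            @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue).Count
        } else { 0 }
        [pscustomobject]@{
            Item   = "folder:$path"
            Detail = "top-level entries=$count"
            State  = if ($exists) { 'present' } else { 'missing' }
        }
    }
}

# Run on both servers; each run writes one CSV named after the host.
Get-DefenderInstallState | Export-Csv ".\mde-state-$env:COMPUTERNAME.csv" -NoTypeInformation

# Then, with both files in one place (GOOD and BAD are placeholders for the host names):
# Compare-Object (Import-Csv .\mde-state-GOOD.csv) (Import-Csv .\mde-state-BAD.csv) -Property Item, Detail, State
```

Rows that come back from `Compare-Object` are the items that differ between the two servers, which narrows down which of the copied folders or keys actually mattered.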

Hi Yevhen,

thanks for the feedback. Will try it next week and give you feedback.

regards