Defender for Endpoint | Onboarding 2012R2 via local script | md4ws.msi with error id 15

Copper Contributor

Hi guys,


we onboarded ~70 servers and everything went great so far.

Our last 2012 R2 gets an error related to the sense service:


event viewer:


ms document:




msi error: 

MSI (s) (28:F4) [18:42:41:915]: Executing op: CustomActionSchedule(Action=RollbackInstallSecFilter,ActionType=3393,Source=BinaryData,Target=UninstallDriver,CustomActionData=c:\Windows\Inf\mssecflt.inf)
MSI (s) (28:F4) [18:42:41:915]: Executing op: ActionStart(Name=InstallSecFilter,,)
Aktion 18:42:41: InstallSecFilter. 
MSI (s) (28:F4) [18:42:41:915]: Executing op: CustomActionSchedule(Action=InstallSecFilter,ActionType=3073,Source=BinaryData,Target=InstallDriver,CustomActionData=c:\Windows\Inf\mssecflt.inf)
MSI (s) (28:44) [18:42:41:915]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI864A.tmp, Entrypoint: InstallDriver
MpWixCA [18:42:41:931] installdriver.cpp(98): BEGIN InstallDriver, pid=0x35e0, tid=0x3764
MpWixCA [18:42:41:931] msiutil.cpp(37): 0: HrMsiGetProperty(0xae, 'CustomActionData', 'c:\Windows\Inf\mssecflt.inf')
MpWixCA [18:42:41:978] installdriver.cpp(76): SetupInstallServicesFromInfSectionW(,DefaultInstall.Services,0) failed, hr=0x80070005
MpWixCA [18:42:41:993] installdriver.cpp(98): END InstallDriver, hr=0x80070005
CustomAction InstallSecFilter returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)


sadly nothing helps, all prerequisites are given (server are managed and on the same state)

and the sense service will not start.


maybe someone has an idea on this?


(btw. this is the new onboarding method in preview, not the old SCEP/MMA method)

thanks a lot.


E: I already opened a MS case for this a week ago, and they are still trying to solve this, but no success yet.




9 Replies
Hi PAtrick,

do you have received a feedback from Microsoft?



Hi Carsten,


we tried a bunch of KB installations (were already installed) and all of this:

there was no solution in sight, so we went back to MMA and SCEP.

Maybe the Link helps you? :)



Hi PatrickEl,


thanks for your quick answer. I'll check the link you provide. But I believe we have to do the same way as you described.




Worked after these steps:

1.Upgrade Hyper-V Integration Services


2. Copying files from Windows 2012 R2 successfully installed to the system where the problem is

C:\Program Files\Windows Defender

C:\Program Files\Windows Defender Advanced Threat Protection

C:\ProgramData\Microsoft\Windows Defender

C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection

3. Export service regedit key from Windows 2012 R2 successfully installed to the system where the problem is





4. Restart

5. Microsoft Defender for Endpoint offboarding process

run WindowsDefenderATPOffboardingScript.cmd

6. Run manual installation

run md4ws.msi 

7. Restart


Perhaps some steps are not needed, let it be the subject of discussion

Hi Yevhen,

thanks for the feedback. Will try it next week and give you feedback.




So in my case, I just solved this in the following manner. The issue was it couldn't install the service because there was already a registry key for the service in place. I believe this was due to a previously failed rollback of the MSI attempting to be installed. I had to manually delete the registry key for the windefend service in HKLM\SYSTEM\CurrentControlSet\Services\Windefend.  I tried using sc delete windefend, but always got access denied, even in safe mode. Once I removed the registry key, I rebooted. The service no longer showed in the services MMC. I could then run the install successfully.

best response confirmed by Yong Rhee (Microsoft)
Had this problem on multiple servers and traced to WinDefend service taking a long time to start added the following to the registry temporarily
after a reboot ran md4ws manually (elevated) and it installed fine every time.
It helped us as well. Thank you a lot.