Mar 10 2022 07:20 AM - edited Mar 10 2022 07:30 AM
Hi guys,
we onboarded ~70 servers and everything went great so far.
Our last 2012 R2 gets an error related to the sense service:
event viewer:
ms document:
msi error:
MSI (s) (28:F4) [18:42:41:915]: Executing op: CustomActionSchedule(Action=RollbackInstallSecFilter,ActionType=3393,Source=BinaryData,Target=UninstallDriver,CustomActionData=c:\Windows\Inf\mssecflt.inf)
MSI (s) (28:F4) [18:42:41:915]: Executing op: ActionStart(Name=InstallSecFilter,,)
Aktion 18:42:41: InstallSecFilter.
MSI (s) (28:F4) [18:42:41:915]: Executing op: CustomActionSchedule(Action=InstallSecFilter,ActionType=3073,Source=BinaryData,Target=InstallDriver,CustomActionData=c:\Windows\Inf\mssecflt.inf)
MSI (s) (28:44) [18:42:41:915]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI864A.tmp, Entrypoint: InstallDriver
MpWixCA [18:42:41:931] installdriver.cpp(98): BEGIN InstallDriver, pid=0x35e0, tid=0x3764
MpWixCA [18:42:41:931] msiutil.cpp(37): 0: HrMsiGetProperty(0xae, 'CustomActionData', 'c:\Windows\Inf\mssecflt.inf')
MpWixCA [18:42:41:978] installdriver.cpp(76): SetupInstallServicesFromInfSectionW(,DefaultInstall.Services,0) failed, hr=0x80070005
MpWixCA [18:42:41:993] installdriver.cpp(98): END InstallDriver, hr=0x80070005
CustomAction InstallSecFilter returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
sadly nothing helps, all prerequisites are given (server are managed and on the same state)
and the sense service will not start.
maybe someone has an idea on this?
(btw. this is the new onboarding method in preview, not the old SCEP/MMA method)
thanks a lot.
E: I already opened a MS case for this a week ago, and they are still trying to solve this, but no success yet.
regards
Patrick
Mar 21 2022 04:38 AM
Mar 24 2022 03:10 AM
Hi Carsten,
we tried a bunch of KB installations (were already installed) and all of this:
https://github.com/microsoft/mdefordownlevelserver
there was no solution in sight, so we went back to MMA and SCEP.
Maybe the Link helps you? 🙂
Regards
Patrick
Mar 25 2022 12:54 AM
Hi PatrickEl,
thanks for your quick answer. I'll check the link you provide. But I believe we have to do the same way as you described.
Thx
carsten
Apr 01 2022 03:20 AM - edited Apr 01 2022 03:24 AM
Worked after these steps:
1.Upgrade Hyper-V Integration Services
2. Copying files from Windows 2012 R2 successfully installed to the system where the problem is
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\ProgramData\Microsoft\Windows Defender
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection
3. Export service regedit key from Windows 2012 R2 successfully installed to the system where the problem is
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
4. Restart
5. Microsoft Defender for Endpoint offboarding process
run WindowsDefenderATPOffboardingScript.cmd
6. Run manual installation
run md4ws.msi
7. Restart
Perhaps some steps are not needed, let it be the subject of discussion
Apr 01 2022 07:06 AM
Jun 30 2022 12:40 PM - edited Jun 30 2022 12:43 PM
So in my case, I just solved this in the following manner. The issue was it couldn't install the service because there was already a registry key for the service in place. I believe this was due to a previously failed rollback of the MSI attempting to be installed. I had to manually delete the registry key for the windefend service in HKLM\SYSTEM\CurrentControlSet\Services\Windefend. I tried using sc delete windefend, but always got access denied, even in safe mode. Once I removed the registry key, I rebooted. The service no longer showed in the services MMC. I could then run the install successfully.
Jul 07 2022 07:46 AM
SolutionAug 08 2022 01:34 PM
Aug 10 2022 04:29 AM
Jul 07 2022 07:46 AM
Solution