Windows Defender cannot be started on Windows Server 2012/2016 - must be manually started

Brass Contributor

Hi all,


Replacing Sophos AV with Defender ATP.  Have a problem with defender service (via GPO or services mmc) is not automatically starting after uninstalling Sophos. I must go into Defender GUI to manually start it. 


Sophos is fully uninstalled and I cannot find any registry settings that would still prevent the defender service to start. "Error 577: Windows cannot verify the digital signature for this file...". When manually starting and clicking "Start now" in Windows Defender GUI it starts successfully.  


Note that the problem occurs on our older servers, Windows Server 2012R2/2016 only. Not too keen on doing this manual start on 150 servers...


Any suggestions?



8 Replies

Hi @Björn Lagerwall,


Did you try restart any of the servers after uninstalling Sophos? It might simply require a restart, as Windows probably doesn't know or has its information updated that the third-party antivirus software has been removed.


Another way would be to simply script this with PowerShell to go through all affected 150 servers (for example make a list), have the script iterate though the list and start the Windows Defender service (WinDefend).



Get-Content "C:\Temp\ServerList.txt" | ForEach-Object {
Start-Service -Name "WinDefend"


Best regards,

@Leon Laude thanks for your reply, but multiple reboots does not do any difference. 

I've heard about this issue, but no real workaround, easiest is to script this, you can either turn on the Windows Defender with scripts, or you can change the registry entry for the service (which I wouldn't recommend).

@Leon Laude Unfortunately, the script does not work as start-service, I guess it is doing basically the same as starting service via services.msc MMC. 

Starting Defender via GUI is bad, but at least it works. On our machines running Windows Server 2016 Core I cannot get to run though.

Sounds troublesome indeed, in your case I'd raise a support request directly to Microsoft:

I ended up with in-place upgrading all 2016 core with this issue to Windows Server 2019 core.

That enabled the service properly.
best response confirmed by Björn Lagerwall (Brass Contributor)

SOLUTION FOUND: Remove Defender AV role on server. Add it again and the service starts.

@Björn Lagerwall 


Appreciate this is a pretty old post now and you found a solution, but I was running across a similar issue to you when trying to start Defender on Server 2016 - interacting with the WinDefend service just errored every time. This post started me on the road to the ultimate solution, so many thanks!


Eventually I found success by running:


& 'C:\Program Files\Windows Defender\MpCmdRun.exe' -wdenable


I used Process Monitor to see what Windows was up to when clicking the button - and this was one of the commands that were traced. I confirmed it in one of the MS articles - though it took some digging!


Enable Defender if it was Disabled 


The above got everything going. Hopefully this will help someone else in a similar situation where GUI interaction is impractical/undesirable.

1 best response

Accepted Solutions
best response confirmed by Björn Lagerwall (Brass Contributor)

SOLUTION FOUND: Remove Defender AV role on server. Add it again and the service starts.

View solution in original post