Oct 15 2020 03:43 AM - edited Oct 15 2020 03:47 AM
Hi all,
Replacing Sophos AV with Defender ATP. Have a problem with defender service (via GPO or services mmc) is not automatically starting after uninstalling Sophos. I must go into Defender GUI to manually start it.
Sophos is fully uninstalled and I cannot find any registry settings that would still prevent the defender service to start. "Error 577: Windows cannot verify the digital signature for this file...". When manually starting and clicking "Start now" in Windows Defender GUI it starts successfully.
Note that the problem occurs on our older servers, Windows Server 2012R2/2016 only. Not too keen on doing this manual start on 150 servers...
Any suggestions?
Thanks
Oct 15 2020 04:15 AM
Hi @Björn Lagerwall,
Did you try restart any of the servers after uninstalling Sophos? It might simply require a restart, as Windows probably doesn't know or has its information updated that the third-party antivirus software has been removed.
Another way would be to simply script this with PowerShell to go through all affected 150 servers (for example make a list), have the script iterate though the list and start the Windows Defender service (WinDefend).
Example:
Get-Content "C:\Temp\ServerList.txt" | ForEach-Object {
Start-Service -Name "WinDefend"
}
Best regards,
Leon
Oct 15 2020 04:26 AM
@Leon Laude thanks for your reply, but multiple reboots does not do any difference.
Oct 15 2020 04:31 AM
I've heard about this issue, but no real workaround, easiest is to script this, you can either turn on the Windows Defender with scripts, or you can change the registry entry for the service (which I wouldn't recommend).
Oct 17 2020 03:59 PM
@Leon Laude Unfortunately, the script does not work as start-service, I guess it is doing basically the same as starting service via services.msc MMC.
Starting Defender via GUI is bad, but at least it works. On our machines running Windows Server 2016 Core I cannot get to run though.
Oct 18 2020 04:27 AM
Sounds troublesome indeed, in your case I'd raise a support request directly to Microsoft:
https://support.serviceshub.microsoft.com/supportforbusiness
Nov 16 2020 01:07 AM
Nov 24 2020 05:32 AM
SolutionSOLUTION FOUND: Remove Defender AV role on server. Add it again and the service starts.