Oct 15 2020 03:43 AM - edited Oct 15 2020 03:47 AM
Hi all,
Replacing Sophos AV with Defender ATP. Have a problem with defender service (via GPO or services mmc) is not automatically starting after uninstalling Sophos. I must go into Defender GUI to manually start it.
Sophos is fully uninstalled and I cannot find any registry settings that would still prevent the defender service to start. "Error 577: Windows cannot verify the digital signature for this file...". When manually starting and clicking "Start now" in Windows Defender GUI it starts successfully.
Note that the problem occurs on our older servers, Windows Server 2012R2/2016 only. Not too keen on doing this manual start on 150 servers...
Any suggestions?
Thanks
Oct 15 2020 04:15 AM
Hi @Björn Lagerwall,
Did you try restart any of the servers after uninstalling Sophos? It might simply require a restart, as Windows probably doesn't know or has its information updated that the third-party antivirus software has been removed.
Another way would be to simply script this with PowerShell to go through all affected 150 servers (for example make a list), have the script iterate though the list and start the Windows Defender service (WinDefend).
Example:
Get-Content "C:\Temp\ServerList.txt" | ForEach-Object {
Start-Service -Name "WinDefend"
}
Best regards,
Leon
Oct 15 2020 04:26 AM
@Leon Laude thanks for your reply, but multiple reboots does not do any difference.
Oct 15 2020 04:31 AM
I've heard about this issue, but no real workaround, easiest is to script this, you can either turn on the Windows Defender with scripts, or you can change the registry entry for the service (which I wouldn't recommend).
Oct 17 2020 03:59 PM
@Leon Laude Unfortunately, the script does not work as start-service, I guess it is doing basically the same as starting service via services.msc MMC.
Starting Defender via GUI is bad, but at least it works. On our machines running Windows Server 2016 Core I cannot get to run though.
Oct 18 2020 04:27 AM
Sounds troublesome indeed, in your case I'd raise a support request directly to Microsoft:
https://support.serviceshub.microsoft.com/supportforbusiness
Nov 16 2020 01:07 AM
Nov 24 2020 05:32 AM
SolutionSOLUTION FOUND: Remove Defender AV role on server. Add it again and the service starts.
Apr 03 2024 02:52 AM
Appreciate this is a pretty old post now and you found a solution, but I was running across a similar issue to you when trying to start Defender on Server 2016 - interacting with the WinDefend service just errored every time. This post started me on the road to the ultimate solution, so many thanks!
Eventually I found success by running:
& 'C:\Program Files\Windows Defender\MpCmdRun.exe' -wdenable
I used Process Monitor to see what Windows was up to when clicking the button - and this was one of the commands that were traced. I confirmed it in one of the MS articles - though it took some digging!
Enable Defender if it was Disabled
The above got everything going. Hopefully this will help someone else in a similar situation where GUI interaction is impractical/undesirable.
Nov 24 2020 05:32 AM
SolutionSOLUTION FOUND: Remove Defender AV role on server. Add it again and the service starts.