SOLVED

Windows Defender cannot be started on Windows Server 2012/2016 - must be manually started


Hi all,

 

Replacing Sophos AV with Defender ATP. Have a problem where the Defender service (via GPO or services MMC) is not automatically starting after uninstalling Sophos. I must go into the Defender GUI to manually start it.

 

Sophos is fully uninstalled and I cannot find any registry settings that would still prevent the Defender service from starting. "Error 577: Windows cannot verify the digital signature for this file...". When manually starting and clicking "Start now" in the Windows Defender GUI it starts successfully.

 

Note that the problem occurs on our older servers, Windows Server 2012R2/2016 only. Not too keen on doing this manual start on 150 servers...

 

Any suggestions?

 

Thanks

7 Replies

Hi @Björn Lagerwall,

 

Did you try restarting any of the servers after uninstalling Sophos? It might simply require a restart, as Windows probably doesn't know, or hasn't had its information updated, that the third-party antivirus software has been removed.

 

Another way would be to simply script this with PowerShell to go through all 150 affected servers (for example, make a list), have the script iterate through the list and start the Windows Defender service (WinDefend).

 

Example:

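# Start WinDefend on each server named in the list (requires PowerShell remoting)
Get-Content "C:\Temp\ServerList.txt" | ForEach-Object {
    Invoke-Command -ComputerName $_ -ScriptBlock { Start-Service -Name "WinDefend" }
}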

 

Best regards,
Leon

@Leon Laude thanks for your reply, but multiple reboots do not make any difference.

I've heard about this issue, but no real workaround, easiest is to script this, you can either turn on the Windows Defender with scripts, or you can change the registry entry for the service (which I wouldn't recommend).

@Leon Laude Unfortunately, the script does not work as start-service, I guess it is doing basically the same as starting service via services.msc MMC. 


Starting Defender via GUI is bad, but at least it works. On our machines running Windows Server 2016 Core I cannot get it to run though.

Sounds troublesome indeed, in your case I'd raise a support request directly to Microsoft:
https://support.serviceshub.microsoft.com/supportforbusiness

I ended up in-place upgrading all 2016 Core with this issue to Windows Server 2019 Core.

That enabled the service properly.
best response confirmed by Björn Lagerwall (Contributor)
Solution

SOLUTION FOUND: Remove Defender AV role on server. Add it again and the service starts.
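
The remove-and-re-add fix above, scripted across a server list, as an added example that is not part of the original thread. It assumes the feature name `Windows-Defender` (as on Windows Server 2016), PowerShell remoting with admin rights on each server, and the list file from the earlier reply; each server is rebooted when the feature change requires it.

```powershell
# Added example, not from the thread. Assumptions: feature name 'Windows-Defender'
# (Windows Server 2016), PowerShell remoting enabled, admin rights on the targets.
$servers = Get-Content 'C:\Temp\ServerList.txt' | Where-Object { $_.Trim() }

function Invoke-FeatureStep {
    param(
        [string]$Server,
        [ValidateSet('Remove', 'Add')][string]$Step
    )
    # Run the feature change on the target and return plain values only,
    # so nothing depends on how enum properties deserialize.
    $r = Invoke-Command -ComputerName $Server -ArgumentList $Step -ErrorAction Stop -ScriptBlock {
        param($Step)
        if ($Step -eq 'Remove') {
            $res = Uninstall-WindowsFeature -Name 'Windows-Defender'
        } else {
            $res = Install-WindowsFeature -Name 'Windows-Defender'
        }
        [pscustomobject]@{
            Success       = [bool]$res.Success
            RestartNeeded = ($res.RestartNeeded -ne 'No')
            ExitCode      = "$($res.ExitCode)"
        }
    }
    if (-not $r.Success) { throw "$Step failed on $Server (exit code $($r.ExitCode))" }
    if ($r.RestartNeeded) {
        # Block until remoting answers again before moving to the next step.
        Restart-Computer -ComputerName $Server -Force -Wait -For PowerShell -Timeout 900
    }
}

$report = foreach ($s in $servers) {
    try {
        Invoke-FeatureStep -Server $s -Step Remove
        Invoke-FeatureStep -Server $s -Step Add
        # Confirm the outcome instead of assuming the service came up.
        $status = Invoke-Command -ComputerName $s -ErrorAction Stop -ScriptBlock {
            (Get-Service -Name 'WinDefend').Status.ToString()
        }
        [pscustomobject]@{ Server = $s; WinDefend = $status; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $s; WinDefend = 'Unknown'; Error = $_.Exception.Message }
    }
}
$report | Format-Table -AutoSize
```

Servers reported with a status other than `Running`, or with an error, are the ones to follow up on by hand.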