
Can't start Windows Defender on Windows Server 2016 VDA


Antonio Zec

Question

I'm trying to activate Windows Defender on our already existing VDAs. But I seem to run into some problems, see below.

 

Error Code: 0x80070422

I have tried to modify the WinDefend (registry, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend) "Start" value from 4 --> 2, but I can't do that.

I have tried to take ownership of the WinDefend Key but no luck.

Does anyone know what could be done to activate Windows Defender?

 

EDIT: I just tried to do this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

 

DisableAntiSpyware ----> 1

 

When I changed the value to 1, I now get the message that Windows Defender is disabled because I have another antivirus enabled. I can't see any other antivirus installed on the VDA.

Can I do some check or am I missing something obvious right now?

 

12 answers to this question

1 minute ago, Mick Hilhorst said:

Hi Antonio,

I don't think your issue is related to Citrix here, apart from it occurring on a VDA.
Would suggest to check if your Windows update service is running properly.

Kind Regards,

Mick Hilhorst

Hi,

But I have the Windows Update Service disabled on the VDA. Do you mean that I need to have it enabled so that Defender can work?

 

Because I would not like to have Windows Update running in the background.

 

Kind Regards,

Antonio


Hi Antonio,

0x80070422 is an explicit reference to the Windows update service, you can not remove this error with the update service disabled.
So yes, it needs to be enabled for this error to go away.

I do believe defender is working when the Windows update service is disabled, it just can't update. But I'm not entirely certain of that.

Kind Regards,

Mick Hilhorst

5 minutes ago, Mick Hilhorst said:

Hi Antonio,

0x80070422 is an explicit reference to the Windows update service, you can not remove this error with the update service disabled.
So yes, it needs to be enabled for this error to go away.

I do believe defender is working when the Windows update service is disabled, it just can't update. But I'm not entirely certain of that.

Kind Regards,

Mick Hilhorst

 

Hmm, I just activated the Windows update Service and ran it. But I still get the same error.

So the problem seems to be something else.

 

/Antonio

1 hour ago, Mick Hilhorst said:

Hi Antonio,

That's too bad. 
Can you post a screenshot of the thrown error?

Kind Regards,

Mick Hilhorst

Some information will be in Swedish.

I activated Windows Update:

[screenshot]

I get this error when I try to activate Windows Defender:

[screenshot]

I have tried to activate it in the registry:

WinDefend (registry, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend) "Start" value from 4 --> 2, but I can't do that. No luck.

[screenshot]

When I try to change the value to 2 I get this:

[screenshot]

I have ownership and permission of the WinDefend key.

I then tried to modify this:

[screenshot]

When I change the value from 0 --> 1 for the DisableAntiSpyware parameter I get this:

[screenshot]

It says that I have an existing antivirus, but I can't find anything on the VDA.

The Windows Defender service is greyed out and I can't do anything.

[screenshot]

RSOP.msc shows nothing regarding Windows Defender.

In Windows Update, "Configure Automatic Updates" and "Allow non-administrators to receive update notifications" are disabled.

I activate (manually) "Configure Automatic Updates" once a month to update Windows.

 

Kind Regards

Antonio

 

 

 


Hi Antonio,

I see, so it's actually the windows defender service that is disabled.
I believe you want to keep that regkey set to 0 as the 1 would be set WHEN there is another product installed.
So right now you tricked Windows defender into thinking there is more AV software.

When you set that regkey back to 0 and reboot the machine (hoping it's stateful ;)), can you enable the Windows Defender service then?

The following link might help too, here it's suggested to delete the key entirely:

https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-servicesmsc-greyed-out/8fa6c4c8-ca92-4d52-8ae4-fbf109f2e3e6

Kind Regards,

Mick Hilhorst

1 hour ago, Mick Hilhorst said:

Hi Antonio,

I see, so it's actually the windows defender service that is disabled.
I believe you want to keep that regkey set to 0 as the 1 would be set WHEN there is another product installed.
So right now you tricked Windows defender into thinking there is more AV software.

When you set that regkey back to 0 and reboot the machine (hoping it's stateful ;)), can you enable the Windows Defender service then?

The following link might help too, here it's suggested to delete the key entirely:

https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-servicesmsc-greyed-out/8fa6c4c8-ca92-4d52-8ae4-fbf109f2e3e6

Kind Regards,

Mick Hilhorst

Oh okay.

Yeah, it doesn't help to restart with it set to 0.

 

I'm trying to find some GPO that is activated that maybe can cause the problem. But currently no luck.

 

Kind Regards,

Antonio

30 minutes ago, Antonio Zec said:

Oh okay.

Yeah, it doesn't help to restart with it set to 0.

 

I'm trying to find some GPO that is activated that maybe can cause the problem. But currently no luck.

 

Kind Regards,

Antonio


Did you read the linked post and clear the regkey as suggested?
I do suggest to make a backup before editing that regkey.

28 minutes ago, Mick Hilhorst said:


Did you read the linked post and clear the regkey as suggested?
I do suggest to make a backup before editing that regkey.

Yeah I cant try to do it on image and delete it after.

 

But isn't deleting the regkey the same as setting the value to "0":

Turn On Windows Defender:

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware

 

EDIT: I don't have "Windows Defender" under "HKLM\SOFTWARE\Policies\Microsoft\"; the only thing I find is Windows Defender Security Center containing a systray key.

 

I can find "Windows Defender" and the "DisableAntiSpyware" under "HKLM\SOFTWARE\Microsoft\"

 

Is it the same thing?

 

/Antonio

18 hours ago, Antonio Zec said:

Oh okay.

Yeah, it doesn't help to restart with it set to 0.

 

I'm trying to find some GPO that is activated that maybe can cause the problem. But currently no luck.

 

Kind Regards,

Antonio


Hi Antonio,

Deleting and having a default value of 0 is not the same per se, but I can't say that for sure in this case. 
If the keys are not in the same place I would refrain from removing them.
Registry keys often have multiple 'places' with different uses tied to them.

You mentioned that it did not help to set it to 0 and restart, did this change the behaviour of defender or is it the same error?
If you set it to 0, and enable the Windows update services, and then restart.. does that make any difference?



You could also query the service with:
sc query Windefend

Does that provide anything interesting?

Kind Regards,

Mick Hilhorst

 

On 5/6/2021 at 9:46 AM, Mick Hilhorst said:


Hi Antonio,

Deleting and having a default value of 0 is not the same per se, but I can't say that for sure in this case. 
If the keys are not in the same place I would refrain from removing them.
Registry keys often have multiple 'places' with different uses tied to them.

You mentioned that it did not help to set it to 0 and restart, did this change the behaviour of defender or is it the same error?
If you set it to 0, and enable the Windows update services, and then restart.. does that make any difference?



You could also query the service with:
sc query Windefend

Does that provide anything interesting?

Kind Regards,

Mick Hilhorst

 

I found a solution.

 

Uninstalling it and then installing it again on the Server(2016) fixed it.

 

Run it in PowerShell and restart the server when it's done:

Uninstall-WindowsFeature -Name Windows-Defender

 

Then run this and restart server:

Install-WindowsFeature -Name Windows-Defender

 

Kind Regards,

Antonio
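
The checks discussed across this thread, gathered into one read-only PowerShell triage script. This is an added example and not part of any participant's post; it assumes an elevated session on the Server 2016 VDA and reads only the service names, registry paths and feature name mentioned above.

```powershell
# Added example: read-only triage of the Defender state on a Server 2016 VDA.
# Nothing is modified; every step only reads configuration.

$report = [ordered]@{}

# 1. Service start type as stored in the registry.
#    2 = Automatic, 3 = Manual, 4 = Disabled.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
$report['WinDefend Start value'] = if (Test-Path $svcKey) {
    (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
} else {
    'service key missing'
}

# 2. Live state of the Defender service and the Windows Update service.
foreach ($name in 'WinDefend', 'wuauserv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $report["$name service"] = if ($svc) {
        "$($svc.Status) / $($svc.StartType)"
    } else {
        'not found'
    }
}

# 3. DisableAntiSpyware in both registry locations mentioned in the thread.
$paths = 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
         'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($p in $paths) {
    $report["DisableAntiSpyware @ $p"] = if (Test-Path $p) {
        $v = (Get-ItemProperty -Path $p -Name DisableAntiSpyware `
                -ErrorAction SilentlyContinue).DisableAntiSpyware
        if ($null -eq $v) { 'value not set' } else { $v }
    } else {
        'key not present'
    }
}

# 4. Install state of the Windows-Defender server feature.
$feature = Get-WindowsFeature -Name Windows-Defender
$report['Windows-Defender feature'] = $feature.InstallState

$report | Format-Table -AutoSize
```

Capturing this output before and after the feature reinstall gives a record of which setting actually changed.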

 
