Microsoft Defender for Endpoint fails to start on Windows Server

Gandalf_The_Grey

Microsoft has confirmed a new issue impacting Windows Server devices preventing the Microsoft Defender for Endpoint security solution from launching on some systems.

The enterprise endpoint security platform (previously known as Microsoft Defender Advanced Threat Protection or Defender ATP) might fail to start or run on devices with a Windows Server Core installation.

The known issue only impacts devices where customers have installed KB5007206 or later updates on Windows Server 2019 and KB5007205 or later updates on Windows Server 2022.

"After installing KB5007205 or later updates, Microsoft Defender for Endpoint might fail to start or run on devices with a Windows Server Core installation," Microsoft explained on the Windows Server 2022 health dashboard.

As the company further revealed, this newly confirmed issue does not affect Microsoft Defender for Endpoint running on Windows 10 devices.

Redmond is currently working on a solution to address this bug and will provide the fix in an upcoming update.

Reports of Defender Antivirus crashes

BleepingComputer is also aware of reports that Microsoft Defender Antivirus crashes with EventID 3002 notifications (MALWAREPROTECTION_RTP_FEATURE_FAILURE) and "Real-time protection encountered an error and failed" error codes.

This issue occurs only after installing security intelligence updates between versions 1.353.1477.0 and 1.353.1486.0.

According to Microsoft's documentation, on systems where this Event ID shows up in logs after Real-Time Protection crashes, one or more of the following Microsoft Defender Antivirus features will also fail:
  • On Access
  • Internet Explorer downloads and Microsoft Outlook Express attachments
  • Behavior monitoring
  • Network Inspection System
Microsoft seems to have fixed this bug with version 1.353.1502.0 but, according to Dutch security expert SecGuru_OTX, your device might require a hard reboot to re-enable features such as behavior monitoring.

SecGuru_OTX also shared info on how to find systems impacted by this Microsoft Defender Antivirus bug and on fixing the issue.

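The two problems in the post above (Event ID 3002 real-time protection failures tied to a security intelligence version range, and the Sense service not starting on Server Core after the November cumulative updates) can both be triaged from PowerShell. The script below is an added example, not code from BleepingComputer, SecGuru_OTX or Microsoft; it assumes an elevated session on the host, the built-in Defender cmdlets (Get-MpComputerStatus, Update-MpSignature), and takes the version range, fixed version and KB numbers from the post. The function names are my own.

```powershell
# Added example: triage a host for the two Defender issues discussed in the post.
# Assumptions: elevated PowerShell on the host, Defender cmdlets available.
# Version range, fixed version and KB numbers are those quoted in the post.

$badSigFirst = [version]'1.353.1477.0'
$badSigLast  = [version]'1.353.1486.0'
$fixedSig    = [version]'1.353.1502.0'
$affectedKBs = @('KB5007205', 'KB5007206')   # Server 2022 / Server 2019 November updates

function Test-DefenderSignatureBug {
    # Reports whether the installed security intelligence version is inside the
    # range associated with Event ID 3002, and which RTP features are currently on.
    $status  = Get-MpComputerStatus
    $version = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        SignatureVersion   = $version
        InBadRange         = ($version -ge $badSigFirst -and $version -le $badSigLast)
        HasFixedVersion    = ($version -ge $fixedSig)
        RealTimeProtection = $status.RealTimeProtectionEnabled
        OnAccessProtection = $status.OnAccessProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        NetworkInspection  = $status.NISEnabled
    }
}

function Get-DefenderRtpFailures {
    param([int]$Days = 30)
    # Event ID 3002 (MALWAREPROTECTION_RTP_FEATURE_FAILURE) in the Defender operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 3002
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-MdeServerCoreIssue {
    # On a Server Core install with one of the affected cumulative updates, the
    # Sense service (Microsoft Defender for Endpoint) may fail to start.
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    $hotfixes    = Get-HotFix | Where-Object { $affectedKBs -contains $_.HotFixID }
    $sense       = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus = 'not installed'
    if ($sense) { $senseStatus = [string]$sense.Status }
    [pscustomobject]@{
        InstallationType = $installType
        AffectedKBs      = ($hotfixes.HotFixID -join ', ')
        SenseStatus      = $senseStatus
        LikelyAffected   = ($installType -eq 'Server Core' -and [bool]$hotfixes -and $senseStatus -ne 'Running')
    }
}

# --- run the checks ---
$sig = Test-DefenderSignatureBug
$sig | Format-List

if ($sig.InBadRange) {
    Write-Warning "Signature version $($sig.SignatureVersion) is in the affected range; pulling the current update."
    Update-MpSignature
}
elseif ($sig.HasFixedVersion -and -not $sig.BehaviorMonitoring) {
    # The post notes that a full reboot may be needed before behaviour monitoring returns.
    Write-Warning 'Fixed signature version installed but behaviour monitoring is still off; reboot the host.'
}

$events = Get-DefenderRtpFailures -Days 30
"Event ID 3002 entries in the last 30 days: $(@($events).Count)"
$events | Select-Object -First 5 | Format-Table -AutoSize

Test-MdeServerCoreIssue | Format-List
```

Run it once per host (or wrap the three functions in Invoke-Command for a fleet). A host that shows HasFixedVersion but still has BehaviorMonitoring, OnAccessProtection or NetworkInspection set to False is the case the post describes, where the updated signatures alone do not bring the features back and a reboot is needed.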
silversurfer


Microsoft fixes bug blocking Defender for Endpoint on Windows Server

Microsoft has addressed a known issue that plagued Windows Server customers for weeks, preventing the Defender for Endpoint enterprise security platform from launching on some systems.

When it acknowledged the bug in November, Microsoft explained that the endpoint security solution (previously known as Microsoft Defender Advanced Threat Protection or Defender ATP) failed to start or run on devices running Windows Server Core installations.

The issue only impacts devices where customers installed Windows Server 2019 and Windows Server 2022 security updates issued during last month's Patch Tuesday.

Microsoft addressed the bug with the release of KB5008223 this week as part of the December 2021 Patch Tuesday.

As Redmond revealed, KB5008223 "addresses a known issue that might prevent Microsoft Defender for Endpoint from starting or running on devices that have a Windows Server Core installation."

South Park

Interesting to note that the Twitter posts reference the same crash I was experiencing with the consumer version of MD on W10 Home with C_D on Nov. 25 and 26. Perhaps one of the ASR rules was responsible.