distortedvision

Window could not start the Windows Defender Advanced Threat Protection service on Local Computer

Error 1067. The process terminated unexpectedly.
 

Quick take

“Windows Defender Advanced Threat Protection Service” (service name: Sense) is the enterprise EDR sensor for Microsoft Defender for Endpoint. On a PC that is not onboarded to a Defender for Endpoint tenant, starting Sense manually typically returns Error 1067 (process terminated) and then stops. That’s expected and not a problem for consumer/stand‑alone use—the normal antivirus is the “Microsoft Defender Antivirus” service (WinDefend), not Sense.

What do you actually want to do?

  • If you are NOT onboarding this PC to Microsoft Defender for Endpoint (business/E5), leave Sense alone. Set it to Manual (Trigger Start) and don’t try to start it—your AV protection is still active via WinDefend.
  • If you DO intend to use Defender for Endpoint, follow the steps below to make Sense run.

Verify the state (run in admin PowerShell)

  • Check if the device is onboarded:
    reg query "HKLM\SOFTWARE\Microsoft\Sense" /v OnboardingState
    • 0 or value missing = not onboarded (Sense will stop with 1067)
  • Check the service:
    sc query Sense
    sc qc Sense

To onboard properly (so the service runs)

1) Make sure Windows Update and Defender are current:
sfc /scannow
DISM /online /Cleanup-Image /RestoreHealth
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
2) From the Microsoft 365 Defender portal: Settings > Endpoints > Device onboarding > Windows 10, 11. Download the onboarding package (script) and run it as admin. Reboot.
3) After reboot, Sense should be Running, and the SENSE Operational log (Event Viewer > Applications and Services Logs > Microsoft > Windows > SENSE > Operational) should show successful onboarding.

If you’re not using MDE and want to suppress the failure

  • Services.msc > Windows Defender Advanced Threat Protection Service (Sense) > Startup type: Manual (or Manual (Trigger Start)). Don’t start it manually.
  • Confirm WinDefend is Running and Windows Security shows “No action needed.”
If you are onboarding and Sense still throws 1067, paste:
  • The output of sc query Sense / sc qc Sense,
  • The OnboardingState value,
  • Any recent events from “Microsoft-Windows-SENSE/Operational”,
    and I’ll give targeted fix steps.
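The three checks above (OnboardingState, the Sense service, the SENSE/Operational log) collected into one read-only report. This is an added example, not part of the original post; it assumes only the registry path and log name the post itself names, and reads nothing else.

```powershell
# Added example (not from the original post): one read-only check of the
# Sense (Defender for Endpoint) sensor state discussed above. Run elevated.
# Assumption: OnboardingState lives at HKLM\SOFTWARE\Microsoft\Sense, as the
# post above states; everything else is standard PowerShell.

function Get-SenseOnboardingReport {
    [CmdletBinding()]
    param(
        # How many recent SENSE/Operational events to include in the report
        [int]$EventCount = 10
    )

    # 1) Onboarding flag: 1 = onboarded, 0 or missing = not onboarded
    $onboarding = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Sense' `
                                   -Name OnboardingState -ErrorAction SilentlyContinue
    $state = if ($null -ne $onboarding) { [int]$onboarding.OnboardingState } else { $null }

    # 2) Service state and start type (service name is Sense; the display name is the long one)
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $svcStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $svcStartType = if ($svc) { $svc.StartType.ToString() } else { $null }

    # 3) Recent sensor events; the log may be empty on a PC that was never onboarded,
    #    and Get-WinEvent reports "no events" as an error, so treat that as an empty list
    $events = @()
    try {
        $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
                               -MaxEvents $EventCount -ErrorAction Stop |
                  Select-Object TimeCreated, Id, LevelDisplayName, Message
    } catch {
        $events = @()
    }

    [pscustomobject]@{
        OnboardingState  = $state
        IsOnboarded      = ($state -eq 1)
        ServiceStatus    = $svcStatus
        ServiceStartType = $svcStartType
        # Error 1067 on a non-onboarded PC is the expected outcome described above
        Expect1067       = ($state -ne 1)
        RecentEvents     = $events
    }
}

$report = Get-SenseOnboardingReport
$report | Format-List OnboardingState, IsOnboarded, ServiceStatus, ServiceStartType, Expect1067
$report.RecentEvents | Format-Table -AutoSize -Wrap
```

If Expect1067 is True, the service stopping with 1067 is the documented behaviour and nothing needs fixing unless you intend to onboard the device.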
 
That “Your IT administrator has limited access” + “Threat service has stopped” means Microsoft Defender Antivirus is being disabled by policy or another AV, not that the Sense (ATP) service must run. Let’s re‑enable Defender AV.
Do these in order (Admin PowerShell)
1) Check if another antivirus is registered
  • If anything besides Windows Defender shows here, uninstall it fully (use the vendor cleanup tool if needed) and reboot.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select displayName,pathToSignedProductExe
2) Remove policies that disable Defender
Copy/paste the whole block. Errors “cannot find” are OK if the value doesn’t exist.
  • Disable policies and passive mode:
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v PassiveMode /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
  • Apply policy:
    gpupdate /force
3) Start required services
sc.exe config WinDefend start= auto
sc.exe start WinDefend
sc.exe config SecurityHealthService start= auto
sc.exe start SecurityHealthService
4) Repair/refresh Defender
sfc /scannow
DISM /online /Cleanup-Image /RestoreHealth
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
5) Reset the Windows Security app UI (optional if tiles still show errors)
Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
6) Reboot, then verify
  • Status:
    Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,NISEnabled
  • Services:
    sc query WinDefend
  • Windows Security should now open without the “limited access” banner and Virus & threat protection should show “No action needed.”
If it still says “limited access”
  • Tell me the output of:
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
    Get-MpComputerStatus | Select AMServiceEnabled, AMRunningMode
    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s
    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /s
  • Also confirm whether you ever installed a third‑party AV or tried onboarding to Defender for Endpoint. I’ll give the exact next command(s) based on those outputs.
Note: The “Windows Defender Advanced Threat Protection (Sense)” service is only for Defender for Endpoint. It does not need to run for consumer Defender AV. The goal is to get WinDefend running and Real‑time protection enabled.
 
Error encountered when trying to enter "Controlled Folder access"

"Your IT administrator has limited access to some areas of this app, and the item you tried to access is not available. Contact IT helpdesk for more information"
 
Thanks—this message appears when Controlled folder access (CFA) is being managed by policy or Defender AV isn’t the active AV. Do the steps below in order.
1) Confirm Defender is the active AV
Run in Admin PowerShell:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select displayName,productState
Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,IsTamperProtected
  • If anything other than Microsoft Defender Antivirus is listed, uninstall it (use the vendor cleanup tool if needed) and reboot.
  • Ensure Real‑time protection shows True.
2) Remove the policy that locks the CFA UI
Either use Local Group Policy or Registry (pick one).
  • Group Policy (easiest)
    gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Microsoft Defender Exploit Guard → Controlled folder access
    • Configure Controlled folder access = Not Configured (or Enabled → Block/Audit if you want to enforce it)
    • Configure allowed applications = Not Configured (or set your allow list)
    • Configure protected folders = Not Configured (or set your list)
    Then: gpupdate /force, reboot.
  • Registry (if you don’t have Pro/GPEdit or prefer commands)
    Run in Admin PowerShell:

    Show current CFA policy

    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /s

    Remove the policy key (unmanages the UI)

    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /f
    gpupdate /force
Note: If Tamper Protection blocks changes, temporarily turn it off in Windows Security > Virus & threat protection > Manage settings. Turn it back on after you’re done.
3) Turn CFA on from PowerShell (skips the UI)
Run in Admin PowerShell:
Set-MpPreference -EnableControlledFolderAccess Enabled

Add allowed apps/folders as needed:

Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\to\App.exe"

Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"

4) Fix the Windows Security app if the banner persists
Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
Reboot and recheck the Windows Security > Virus & threat protection > Ransomware protection page.
If it still says “Your IT administrator has limited access,” please paste:
  • The output of the two commands in step 1,
  • The output of: reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s
  • Any error you get from Set-MpPreference
    and I’ll give the next exact command(s).
 
PS C:\WINDOWS\system32> Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference : Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. Target:
EnableControlledFolderAccess.
At line:1 char:1
+ Set-MpPreference -EnableControlledFolderAccess Enabled
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference],
CimException
+ FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference
 
0x800106ba means the Microsoft Defender Antivirus service (WinDefend) isn’t running or is held in passive/disabled state by policy or another AV. Controlled Folder Access can’t be changed until Defender AV is active. Do this in order (Admin PowerShell). Copy/paste each block.
1) See what’s blocking it
  • AV registered with Windows and Defender status:
    Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct | ft displayName,productState
    Get-MpComputerStatus | select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,AMRunningMode,IsTamperProtected
  • Required services:
    Get-Service WinDefend,WdNisSvc,SecurityHealthService | ft Name,Status,StartType
If you see any third‑party AV, uninstall it fully (vendor cleanup tool) and reboot.
2) Clear “disable/passive” policies
Run these; “cannot find” messages are fine.
  • Remove disable policies:
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
  • Clear passive mode (both possible locations):
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
  • If you previously set Exploit Guard/CFA via policy, unlock the UI:
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /f
  • Apply policy:
    gpupdate /force
3) Start/enable services
  • Make sure the services are enabled and running:
    sc.exe config WinDefend start= auto
    sc.exe start WinDefend
    sc.exe config WdNisSvc start= demand
    sc.exe start WdNisSvc
    sc.exe config SecurityHealthService start= auto
    sc.exe start SecurityHealthService
4) Repair Defender and update engine/signatures
  • Component repair:
    sfc /scannow
    DISM /online /Cleanup-Image /RestoreHealth
  • Refresh Defender:
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
5) Try again
  • Check status:
    Get-MpComputerStatus | select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,AMRunningMode
  • Then enable CFA:
    Set-MpPreference -EnableControlledFolderAccess Enabled
  • Optional: add allowed apps/folders
    Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\App.exe"
    Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"
If it still fails
  • Paste the outputs of:
    Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct
    Get-MpComputerStatus | select AMServiceEnabled,AMRunningMode,AMProductVersion
    sc query WinDefend
    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s
    reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /s
  • Also confirm whether any “debloater/hardening” tool was run—those commonly set these policies. I’ll provide exact next steps based on what we see.
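The replies above (the "limited access" fix, the Controlled folder access fix and this 0x800106ba fix) all ask for the same set of facts before anything is deleted: which AV products are registered, which disabling or passive-mode policy values exist, whether the CFA policy key is present, and what the Defender services report. The script below gathers all of that read-only, so you can see what is actually set before running any reg delete. It is an added example, not code from the replies; the registry paths are the ones the replies name, and nothing is modified.

```powershell
# Added example (not from the original replies): read-only audit of the things
# that put Defender AV into disabled/passive state or lock the CFA page.
# Registry paths are the ones used in the replies above. Run elevated.

function Get-DefenderBlockerReport {
    [CmdletBinding()]
    param()

    # Policy values the replies delete; here they are only reported
    $policyChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiVirus' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                               Name = 'PassiveMode' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features';                      Name = 'PassiveMode' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection';    Name = 'ForceDefenderPassiveMode' }
    )
    $policyHits = foreach ($c in $policyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $item.($c.Name) }
        }
    }

    # CFA policy key: its presence alone makes the Windows Security page show as managed
    $cfaKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access'
    $cfaManaged = Test-Path -LiteralPath $cfaKey

    # Every AV registered with Security Center; a second entry is the usual blocker
    $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct |
                  Select-Object displayName, productState, pathToSignedProductExe
    $thirdParty = @($avProducts | Where-Object displayName -notmatch '^(Windows|Microsoft) Defender').Count -gt 0

    # Services the replies start; WdNisSvc is demand-start, so Stopped is normal for it
    $services = Get-Service -Name WinDefend, WdNisSvc, SecurityHealthService, wscsvc -ErrorAction SilentlyContinue |
                Select-Object Name, Status, StartType

    # Get-MpComputerStatus throws when the Defender service is not running; guard it
    $mp = $null
    $mpError = $null
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop |
              Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                            AMRunningMode, IsTamperProtected
    } catch {
        $mpError = $_.Exception.Message
    }

    [pscustomobject]@{
        RegisteredAV        = $avProducts
        ThirdPartyAVPresent = $thirdParty
        DisablingPolicies   = @($policyHits)
        CfaPolicyManaged    = $cfaManaged
        Services            = $services
        DefenderStatus      = $mp
        DefenderStatusError = $mpError
    }
}

$r = Get-DefenderBlockerReport
$r.RegisteredAV      | Format-Table -AutoSize
$r.DisablingPolicies | Format-Table -AutoSize
$r.Services          | Format-Table -AutoSize
$r | Format-List ThirdPartyAVPresent, CfaPolicyManaged, DefenderStatus, DefenderStatusError
```

Read the report top to bottom: a second entry under RegisteredAV means the third-party product (or its leftover registration) has to go first; anything under DisablingPolicies is what the reg delete lines above target; CfaPolicyManaged True explains the "IT administrator has limited access" banner on the CFA page.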
 
PS C:\WINDOWS\system32> Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct | ft displayName,productState

displayName productState
----------- ------------
Windows Defender 397568
Kaspersky Internet Security 266240

Kaspersky Internet Security was previously installed but I uninstalled it.
 
You still have a third‑party AV installed, and that’s the blocker.
What your output shows
  • Registered AVs: Windows Defender and Kaspersky Internet Security.
  • When any third‑party AV is registered, Defender runs in passive/limited mode. In that mode:
    • Controlled folder access (CFA) cannot be managed/used.
    • Set‑MpPreference returns 0x800106ba.
    • Windows Security shows “Your IT administrator has limited access…”.
Choose ONE of these paths
A) You want Microsoft’s Controlled folder access
  • Uninstall Kaspersky completely (Apps > Installed apps > Kaspersky Internet Security > Uninstall).
  • Reboot, then run Kaspersky’s cleanup tool (kavremover) if present, and reboot again.
  • Verify only Defender is registered:
    Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct
  • Start Defender (usually automatic) and enable CFA:
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Optional:
    Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\App.exe"
    Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"
  • Windows Security should now open without the “limited access” banner.
B) You want to keep Kaspersky
  • CFA in Windows will remain unavailable. Use Kaspersky’s own ransomware/data‑protection features (System Watcher/Ransomware Remediation/Protected folders) and configure its allow‑lists there.
  • If you want a “second opinion” from Defender, turn on Limited periodic scanning:
    Windows Security > Virus & threat protection > Microsoft Defender Antivirus options > Periodic scanning = On.
    (This does not enable CFA.)
If you remove Kaspersky and still can’t enable CFA, post:
  • Get-MpComputerStatus | select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,AMRunningMode
  • sc query WinDefend
  • Any error from Set-MpPreference
    and I’ll give the next exact fix.
 
PS C:\WINDOWS\system32> Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct


displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Sat, 06 Sep 2025 23:29:36 GMT
PSComputerName :

displayName : Kaspersky Internet Security
instanceGuid : {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
pathToSignedProductExe : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.3\wmiav.exe
pathToSignedReportingExe : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.3\avp.exe
productState : 266240
timestamp : Sun, 07 Sep 2025 16:43:30 GMT
PSComputerName :
 
You still have two AVs registered: Microsoft Defender and Kaspersky Internet Security. With any 3rd‑party AV present, Defender goes into passive mode and Controlled Folder Access (CFA) can’t be managed. Decide which you want to use:
Option A — Use Microsoft Defender + CFA (remove Kaspersky)
1) Uninstall Kaspersky (Apps > Installed apps > Kaspersky Internet Security > Uninstall), reboot.
2) Run Kaspersky’s cleanup tool (kavremover) if you ever had older versions, reboot again.
3) Verify only Defender is registered:
Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct
4) Start/enable Defender and turn on CFA:
sc.exe config WinDefend start= auto
sc.exe start WinDefend
Set-MpPreference -EnableControlledFolderAccess Enabled
(Optional allow‑lists)
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\App.exe"
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"
If the Windows Security UI still shows “limited access,” reset it:
Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
Option B — Keep Kaspersky
  • CFA in Windows will remain unavailable. Use Kaspersky’s own ransomware/“Protected Folders” features (System Watcher/Ransomware Remediation) and configure allow‑lists there.
  • If you still want occasional Defender scans, enable “Periodic scanning” in Windows Security.
Tell me which path you want, and if you go with Option A but Defender still won’t enable CFA, paste:
Get-MpComputerStatus | select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,AMRunningMode
sc query WinDefend
so I can provide the next exact fix.
 
Ran kavremover but still:
PS C:\WINDOWS\system32> Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct
>> Get-MpComputerStatus | select Enabled,Mode,AMProductVersion


displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Sat, 06 Sep 2025 23:29:36 GMT
PSComputerName :

displayName : Kaspersky Internet Security
instanceGuid : {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
pathToSignedProductExe : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.3\wmiav.exe
pathToSignedReportingExe : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 21.3\avp.exe
productState : 266240
timestamp : Sun, 07 Sep 2025 16:43:30 GMT
PSComputerName :

Enabled :
Mode :
AMProductVersion : 4.18.25070.5
 
You still have Kaspersky registered with Windows Security Center, so Defender stays in passive mode and CFA can’t be enabled. Since you already ran kavremover, this is likely a stale SecurityCenter2 entry and/or leftover services/drivers. Do the steps below in order.
Create a restore point (optional but recommended)
  • Admin PowerShell:
    Checkpoint-Computer -Description "Pre-Kaspersky-cleanup"
1) Make sure no Kaspersky services/drivers remain
  • Admin PowerShell:
    Get-Service -Name kaspersky,avp,kl -ErrorAction SilentlyContinue | ft Name,Status,StartType
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ? { $_.PSChildName -match '^(avp|kl|kis)' } | Select PSChildName
  • If anything is listed, stop and delete it:
    sc.exe stop <name>
    sc.exe delete <name>
  • Reboot.
2) Remove the stale SecurityCenter2 registration
  • Admin PowerShell:
    $kas = Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct | Where-Object { $_.displayName -like 'Kaspersky*' -or $_.pathToSignedReportingExe -like '*Kaspersky*' }
    if ($kas) { $kas | Remove-CimInstance }
  • Restart the Security Center services:
    Stop-Service -Name wscsvc,SecurityHealthService -Force
    Start-Service -Name wscsvc,SecurityHealthService
  • Recheck:
    Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct
3) Verify Defender is active and turn on CFA
  • If Tamper Protection is on, temporarily turn it off in Windows Security > Virus & threat protection > Manage settings.
  • Admin PowerShell:
    sc.exe config WinDefend start= auto
    sc.exe start WinDefend
    Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,AMRunningMode
    Set-MpPreference -EnableControlledFolderAccess Enabled
    (Optional allowlists)
    Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Path\YourApp.exe"
    Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"
  • Turn Tamper Protection back on.
4) If Kaspersky still shows after step 2
  • Rebuild the WMI repository for SecurityCenter (safe approach first):
    • Admin CMD:
      winmgmt /verifyrepository
      winmgmt /salvagerepository
    • Then restart the two services again (wscsvc, SecurityHealthService) and recheck.
  • If it still persists, do a clean boot and run kavremover again, or share the output of:
    Get-Service kaspersky,avp,kl
    Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct
    Get-MpComputerStatus | Select AMServiceEnabled,AMRunningMode,AMProductVersion
Once Kaspersky is fully gone from SecurityCenter2, Defender will leave passive mode and the CFA command will succeed.
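Two things the last few posts turn on, shown in code: what the productState numbers in the pasted output (397568 for Windows Defender, 266240 for Kaspersky) actually encode, and how to tell a live registration from a stale one left behind after kavremover. The test used for "stale" is simply whether the executable the entry points at still exists on disk. This is an added example, not the reply's own script. Microsoft does not publish the bit layout of productState; the two tests below (bit 0x1000 set = product enabled, bit 0x10 set = signatures out of date) are the widely used community interpretation and are an assumption here. Nothing is removed unless you pass -Remove, and -WhatIf is honoured.

```powershell
# Added example (not from the original reply). Decodes SecurityCenter2 productState
# and flags AV registrations whose reporting executable is gone from disk.
# Assumption: productState bit 0x1000 = enabled, bit 0x10 = signatures out of date
# (community interpretation; not officially documented). Run elevated.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][int]$ProductState)
    [pscustomobject]@{
        Hex       = ('0x{0:X}' -f $ProductState)
        Enabled   = (($ProductState -band 0x1000) -ne 0)
        OutOfDate = (($ProductState -band 0x10) -ne 0)
    }
}

function Get-StaleAntivirusRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Delete stale entries from root/SecurityCenter2 (combine with -WhatIf to preview)
        [switch]$Remove
    )
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
    foreach ($p in $products) {
        $decoded = ConvertFrom-ProductState -ProductState $p.productState

        # Built-in Defender registers a URI (windowsdefender://), never treat it as stale
        $isDefender = [string]$p.pathToSignedProductExe -like 'windowsdefender:*'

        # The reporting exe may contain %ProgramFiles%-style variables; expand before testing
        $raw = [string]$p.pathToSignedReportingExe
        $exe = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { '' }
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
        $stale = (-not $isDefender) -and (-not $exists)

        [pscustomobject]@{
            DisplayName  = $p.displayName
            State        = $decoded.Hex
            Enabled      = $decoded.Enabled
            OutOfDate    = $decoded.OutOfDate
            ReportingExe = $exe
            ExeExists    = $exists
            Stale        = $stale
        }

        if ($stale -and $Remove -and
            $PSCmdlet.ShouldProcess($p.displayName, 'Remove-CimInstance from root/SecurityCenter2')) {
            $p | Remove-CimInstance
        }
    }
}

# Constructed sample: the two productState values pasted earlier in this thread
397568, 266240 | ForEach-Object { ConvertFrom-ProductState -ProductState $_ }

# Live check first; add -Remove (optionally with -WhatIf) once the Stale column looks right
Get-StaleAntivirusRegistration | Format-Table -AutoSize
```

Under the assumed bit layout, both 397568 (0x61100) and 266240 (0x41000) have bit 0x1000 set and bit 0x10 clear, so Security Center believed both Defender and Kaspersky were enabled with current signatures. That is why the leftover Kaspersky row kept Defender out of the way even after the product was uninstalled: the registration, not the software, is what Security Center consults. After kavremover, the Kaspersky entry's ReportingExe under C:\Program Files (x86)\Kaspersky Lab\ no longer exists, so it shows Stale True, and `Get-StaleAntivirusRegistration -Remove` does the same Remove-CimInstance the reply above runs by hand; restart wscsvc and SecurityHealthService afterwards as the reply says.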
 
Success!

PS C:\WINDOWS\system32> Get-CimInstance -Namespace root/SecurityCenter2 -Class AntivirusProduct


displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Sat, 06 Sep 2025 23:29:36 GMT
PSComputerName :
 
Great—now that only Microsoft Defender is registered, you can enable Controlled Folder Access and finish cleanup.
Do this (Admin PowerShell)
  • Turn CFA on
    Set-MpPreference -EnableControlledFolderAccess Enabled
  • Optional allow‑lists (examples)
    Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\App\App.exe"
    Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"
  • Verify Defender status
    Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,IsTamperProtected
  • If you turned Tamper Protection off earlier, turn it back on in Windows Security.
If the Windows Security app still shows old banners
  • Reset the UI:
    Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
  • Reboot once.
Optional hardening (quick wins)
  • Enable Core isolation > Memory integrity (if compatible).
  • Windows Security > App & browser control: Reputation‑based protection On.
  • Keep signatures current:
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate
If anything blocks a trusted app after enabling CFA, add it to the allowed applications list (use the full path to the executable).
 
PS C:\WINDOWS\system32> Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference : Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference. Target:
EnableControlledFolderAccess.
At line:1 char:1
+ Set-MpPreference -EnableControlledFolderAccess Enabled
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Set-MpPreference],
CimException
+ FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference
 
0x800106ba means Microsoft Defender Antivirus isn’t running (or is still in passive/disabled mode), so CFA can’t be changed. Let’s bring Defender AV fully online, then enable CFA.
Do this in an elevated PowerShell window
1) Start and enable required services
  • These should succeed without errors:
    Set-Service -Name WinDefend -StartupType Automatic
    Start-Service -Name WinDefend
    Set-Service -Name WdNisSvc -StartupType Manual
    Start-Service -Name WdNisSvc
    Set-Service -Name SecurityHealthService -StartupType Automatic
    Start-Service -Name SecurityHealthService
2) Clear any leftover “passive/disabled” policies (OK if a value isn’t found)
  • Remove disables:
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
  • Clear passive mode (both possible locations):
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
  • Apply policy:
    gpupdate /force
  • Reboot once.
3) Verify Defender is active, then enable CFA
  • Check status:
    Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,AMRunningMode
    sc.exe query WinDefend
  • Enable Controlled Folder Access:
    Set-MpPreference -EnableControlledFolderAccess Enabled
If any command in step 1 fails or Set-MpPreference still returns 0x800106ba, paste these three outputs and I’ll give the exact next command:
  • sc.exe query WinDefend
  • Get-MpComputerStatus | Select AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled,AMRunningMode
  • reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /s
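Step 3 above is "verify Defender is active, then enable CFA". The function below does the verification as pre-flight checks and only then calls Set-MpPreference, and when the call still fails it pulls the HRESULT out of the CIM error so 0x800106ba is visible on its own line rather than buried in the message. This is an added example rather than the reply's own commands; the mapping of 0x800106ba to "Defender service not running or not active" follows the replies in this thread, and the application/folder paths in the usage line are placeholders.

```powershell
# Added example (not from the original reply): enable Controlled folder access
# only after confirming Defender AV is actually active, and report a readable
# diagnosis when Set-MpPreference fails. Run elevated.

function Enable-ControlledFolderAccessChecked {
    [CmdletBinding()]
    param(
        # Optional allow-list entries applied after CFA is turned on
        [string[]]$AllowedApplications = @(),
        [string[]]$ProtectedFolders    = @()
    )

    # Pre-flight 1: the Defender AV service must be running
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
    if ($svcState -ne 'Running') {
        throw "WinDefend is $svcState; start it (sc.exe start WinDefend) before enabling CFA."
    }

    # Pre-flight 2: Defender must be the active AV, not disabled or in a passive mode
    $status = Get-MpComputerStatus -ErrorAction Stop
    if (-not $status.AMServiceEnabled -or -not $status.AntivirusEnabled) {
        throw ("Defender AV is disabled (AMServiceEnabled={0}, AntivirusEnabled={1}); " +
               "check for another registered AV or a disabling policy.") -f
               $status.AMServiceEnabled, $status.AntivirusEnabled
    }
    if ($status.AMRunningMode -ne 'Normal') {
        throw "Defender is in '$($status.AMRunningMode)' mode; CFA needs Normal (active) mode."
    }
    if ($status.IsTamperProtected) {
        Write-Warning 'Tamper Protection is on; if the change is denied, turn it off temporarily in Windows Security and retry.'
    }

    try {
        Set-MpPreference -EnableControlledFolderAccess Enabled -ErrorAction Stop
        foreach ($app in $AllowedApplications) {
            Add-MpPreference -ControlledFolderAccessAllowedApplications $app -ErrorAction Stop
        }
        foreach ($dir in $ProtectedFolders) {
            Add-MpPreference -ControlledFolderAccessProtectedFolders $dir -ErrorAction Stop
        }
    } catch {
        # The CIM message carries the HRESULT as text ("... error: 0x800106ba ..."); extract it
        $msg  = $_.Exception.Message
        $code = [regex]::Match($msg, '0x[0-9A-Fa-f]{8}').Value
        $hint = if ($code -ieq '0x800106ba') {
            'Defender AV service is not running or not the active AV'
        } else {
            'see the error text'
        }
        throw "Set-MpPreference failed with HRESULT $code ($hint). $msg"
    }

    # Show the resulting preference so the caller can confirm CFA is on (1 = Enabled)
    Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                     ControlledFolderAccessAllowedApplications,
                                     ControlledFolderAccessProtectedFolders
}

# Usage (placeholder paths):
# Enable-ControlledFolderAccessChecked -AllowedApplications 'C:\Program Files\App\App.exe' -ProtectedFolders 'D:\Data'
```

The point of the pre-flight checks is that each failure names the actual blocker (service down, AV disabled, non-Normal running mode) instead of every case collapsing into the same 0x800106ba from Set-MpPreference.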
 
I ran this .ps1 Powershell script:

Code:
Set-Service -Name WinDefend -StartupType Automatic
Start-Service -Name WinDefend
Set-Service -Name WdNisSvc -StartupType Manual
Start-Service -Name WdNisSvc
Set-Service -Name SecurityHealthService -StartupType Automatic
Start-Service -Name SecurityHealthService
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v PassiveMode /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v ForceDefenderPassiveMode /f
gpupdate /force

This was the result:

Code:
PS C:\users\[edited out]\desktop> .\Fix.ps1
Set-Service : Service 'Microsoft Defender Antivirus Service (WinDefend)' cannot be configured due to the following
error: Access is denied
At C:\users\[edited out]\desktop\Fix.ps1:1 char:1
+ Set-Service -Name WinDefend -StartupType Automatic
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Set-Servi
   ce], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotSetService,Microsoft.PowerShell.Commands.SetServiceCommand

Start-Service : Service 'Microsoft Defender Antivirus Service (WinDefend)' cannot be started due to the following
error: Cannot start service WinDefend on computer '.'.
At C:\users\[edited out]\desktop\Fix.ps1:2 char:1
+ Start-Service -Name WinDefend
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
   ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

Set-Service : Service 'Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)' cannot be configured due to
the following error: Access is denied
At C:\users\[edited out]\desktop\Fix.ps1:3 char:1
+ Set-Service -Name WdNisSvc -StartupType Manual
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Set-Servi
   ce], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotSetService,Microsoft.PowerShell.Commands.SetServiceCommand

Start-Service : Service 'Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)' cannot be started due to
the following error: Cannot start service WdNisSvc on computer '.'.
At C:\users\[edited out]\desktop\Fix.ps1:4 char:1
+ Start-Service -Name WdNisSvc
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
   ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

Set-Service : Service 'Windows Security Service (SecurityHealthService)' cannot be configured due to the following
error: Access is denied
At C:\users\[edited out]\desktop\Fix.ps1:5 char:1
+ Set-Service -Name SecurityHealthService -StartupType Automatic
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Set-Servi
   ce], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotSetService,Microsoft.PowerShell.Commands.SetServiceCommand

ERROR: The system was unable to find the specified registry key or value.
ERROR: Invalid syntax.
Type "REG DELETE /?" for usage.
ERROR: Access is denied.
ERROR: The system was unable to find the specified registry key or value.
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.
 