Windows 11 Unable to start Windows Defender Advanced Threat Protection Service

distortedvision said:

@ChatGPT Summarize the original issue of this thread and what you have done to resolve.

Click to expand...

ChatGPT said:

Summary of the issue and fixes​

Original problems raised in this thread

• TP‑Link TX201 (Realtek 2.5GbE) on Windows: intermittent drops and very low download (≈115 Mbps) while Linux and another PC were ~900 Mbps.
• Windows 11 Home → Pro upgrade failing (0x803fa067, 0x80070490).
• Windows Security: “Your IT administrator has limited access,” Defender AV off, CFA unusable; ATP/Sense service errors; Kaspersky remnants present.
• Folder “read‑only” confusion when saving to Desktop\Scans.
• Canon i‑SENSYS MF752Cdw “Scan to folder” failing with Error #806 (SMB).

What we did to resolve

• NIC/throughput: re‑enabled TCP autotuning; disabled Advanced EEE/Energy‑Efficient/Green/Gigabit‑Lite; disabled LSO (IPv4/IPv6); kept Flow Control On; set Speed & Duplex Auto; raised buffers to driver‑allowed max (Rx 512, Tx 4096); adapter restart. Result: stable 2.5 Gbps link, Windows download ~780–900 Mbps and no drops.
• Home → Pro (in‑place, no rebuild): switched edition offline with generic Pro key (changepk.exe), then activated with your purchased key. Resolved activation errors.
• Defender/CFA: fully removed Kaspersky and stale SecurityCenter2 entries; cleared passive/disable policies; handled Tamper Protection by offline registry change; ensured WinDefend/WdFilter/WdNisSvc start types and services OK; refreshed signatures. Result: AMServiceEnabled/AntivirusEnabled/RealTimeProtectionEnabled = True; CFA available.
• “Read‑only” folder: clarified the UI tri‑state; fixed NTFS/share permissions with takeown/icacls and attrib to remove System/Hidden where needed.
• Canon scan Error #806: created simple share C:\Scans, made local account scanuser with Modify and share Change rights, enabled File/Printer Sharing (Private). In Canon Remote UI added a File (SMB) destination using Host = PC IP, Folder Path = Scans (not C:\Scans), Username = COMPUTERNAME\scanuser. Result: scans deliver successfully.

Current status

• Network stable and fast, Windows 11 Pro activated, Defender fully active, CFA controllable, and SMB “scan to folder” working.

Click to expand...

• “Windows could not start the Windows Defender Advanced Threat Protection service (Sense). Error 1067.”
• Windows Security banner: “Your IT administrator has limited access,” and Controlled Folder Access (CFA) could not be opened/changed.

• Sense (Windows Defender Advanced Threat Protection) is the Microsoft Defender for Endpoint EDR sensor. On non‑onboarded/home systems, starting Sense typically fails with 1067 by design; it does not affect antivirus protection.
• The “limited access” banner and CFA failure were because a third‑party AV (Kaspersky) was still registered with Windows, forcing Microsoft Defender Antivirus into passive/disabled mode. In that state, CFA can’t be managed.

• Clarified Sense’s role and gave two paths:
  • If not using Microsoft Defender for Endpoint: leave Sense set to Manual; don’t start it.
  • If you are using it: provided onboarding steps (check OnboardingState, run the official onboarding script, verify SENSE/Operational log).
• Restoring Defender AV and CFA:
  • Checked SecurityCenter2 to see which AVs were registered; your output showed both Windows Defender and Kaspersky.
  • Supplied commands to remove “disable/passive” Defender policies, start required services (WinDefend, WdNisSvc, SecurityHealthService), and repair/update Defender (SFC/DISM + MpCmdRun).
  • Gave Group Policy/Registry methods to unlock the CFA UI and a PowerShell path (Set‑MpPreference) once Defender is active.
  • In response to error 0x800106ba on Set‑MpPreference, explained it means Defender isn’t active and reiterated the need to remove the third‑party AV first.
  • Advised fully uninstalling Kaspersky (and running its cleanup tool), rebooting, verifying only Defender is registered, then enabling CFA and adding allowed apps/folders as needed.

• Remove Kaspersky completely, reboot, confirm only Microsoft Defender is registered, then enable CFA (Set‑MpPreference -EnableControlledFolderAccess Enabled). Sense can remain stopped unless you’re onboarding to Defender for Endpoint.

Error 801 on the MF752Cdw = “cannot connect to the file server”​

• Create a simple share (don’t use Desktop paths):
  • Folder: C:\ScansD
  • Local user for the scanner (example): scanuser_d with a password.
  • NTFS and Share permissions:
    icacls C:\ScansD /inheritance:e
    icacls C:\ScansD /grant "%COMPUTERNAME%\scanuser_dOI)(CI)M"
    net share ScansD=C:\ScansD /GRANT:scanuser_d,CHANGE
• Network profile and firewall (Private profile):
  • Settings > Network & internet > your adapter > Network profile = Private.
  • Enable file sharing rules:
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
• Services/port check:
  • sc query LanmanServer (STATE should be RUNNING)
  • netstat -ano | find ":445" (should show LISTENING)
• Keep the PC awake while testing (no sleep).

• Win+R → \PATRE-DESKTOP\ScansD and also \<PATRE-Desktop-IP>\ScansD
• When prompted, use: PATRE-DESKTOP\scanuser_d + the password.
• Create a test file. If this works, credentials and share are good.

• Remote UI (http://PRINTER_IP) > Address Book > Register New Destination > Type: File.
• Protocol: Windows (SMB).
• Use the PC’s IP, not the name:
  • Host Name: <PATRE-Desktop-IP>
  • Folder Path: ScansD (not C:\ScansD)
  • User Name: PATRE-DESKTOP\scanuser_d
  • Password: (as set above)
• Network settings on printer: Settings/Registration > Network Settings > SMB Client Settings:
  • SMB version: Auto (ensure SMB2/SMB3 are enabled)
  • Authentication: NTLMv2

• If the scan fails immediately, it’s still a connectivity/name issue. Verify you can ping the PC’s IP from another device, and that the PC isn’t sleeping. Stick with the IP (not the hostname) in the Canon entry.
• Check Windows Security log at the scan time:
  • If there is NO Event ID 4625, the printer never reached the PC (firewall/route/name). Re‑check step 1 and use the IP.
  • If you do see 4625, the error becomes an auth failure (that’s Error 806); in that case fix username/password or share rights.

• The exact Host Name, Folder Path, and User Name you entered for PATRE‑Desktop,
• The PC’s IP, and
• The output of: Get-SmbShare -Name ScansD; Get-SmbShareAccess -Name ScansD; icacls C:\ScansD
  and I’ll spot the one field to change.

Why it works when Kaspersky is paused​

• Kaspersky > Settings (gear) > Protection > Firewall.
• Networks (or Manage networks):
  • Set your home network to Trusted.
• Settings > Network settings > Trusted addresses:
  • Add the printer’s IP (e.g., 192.168.1.50). Save.
• Test the scan.

• Kaspersky > Settings > Protection > Firewall > Configure rules (Packet rules).
• Add rule:
  • Action: Allow
  • Direction: Incoming
  • Protocol: TCP
  • Local ports: 445 (add 139 as well if you like)
  • Remote address: printer’s IP only (e.g., 192.168.1.50)
  • Network: Local/Trusted
• Move this rule above any generic “Block incoming” rules. Apply and test.

• In Kaspersky > Protection, turn off only Firewall (leave AV on).
• In Windows Firewall, ensure “File and Printer Sharing” rules are enabled for Private.
• Test. If this works, you can stay with Windows Firewall for LAN traffic.

• In Kaspersky > Reports, filter by Firewall; you’ll see the exact block event (port, IP, app). Click “Create rule” or re‑create the allow rule using the shown details.
• Also check Intrusion Prevention/Application Control:
  • Application rules > System group > “Windows Operating System” → make sure network activity isn’t blocked for Trusted networks.

• Use the printer’s IP in the Canon address book.
• Share path is Scans (not C:\Scans) and user is PCNAME\scanuser.
• PC is awake; network profile is Private.

• If you created local scan accounts (scanuser), consider changing the password to something strong and store it securely.
• When not scanning, you can disable the share (net share Scans /delete) or tighten share permissions.
• Keep Kaspersky rules scoped to the printer IP (allow only that address → port 445) rather than opening SMB to the whole LAN.
• Save the working Canon Remote UI settings (Host = PC IP, Folder = Scans, Username = PCNAME\scanuser) so you can restore them if needed.

• Draft a moderator request to redact your real name from the thread, or
• Provide the exact Kaspersky firewall rule steps for your version, or
• Walk through securing/removing the temporary scan account.

1. Confirm the target: are you scanning to a network folder on your PC (Scan to Folder / SMB)? Which model MFP/printer is it? (If not SMB, tell me how you scan — to email, to PC client, etc.
2. From the PC, confirm the server service and listening port:
   • Run in an elevated PowerShell / CMD:
     sc query LanmanServer
     netstat -ano | findstr ":445"
     If LanmanServer is not RUNNING or you don’t see port 445 LISTENING, the MFP can’t reach the SMB share.
3. Check the network profile and firewall:
   • Settings → Network & internet → your adapter → Network profile = Private
   • Ensure File and Printer Sharing rules are enabled:
     netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
4. Confirm the UNC you configured on the MFP is correct:
   • Use \PC-NAME\ScansD or \192.168.x.y\ScansD (use the PC’s LAN IP for testing to avoid name resolution problems).
5. Test access from another machine (or the PC itself) using the same SMB creds your MFP uses:
   • From CMD (run elevated): net use \PCNAME\ScansD /userCNAME\scanuser_d <password>
   • If that fails note the error (permission, path not found, network path not found).
6. Make sure the PC isn’t sleeping and that the share folder exists and has correct NTFS + Share permissions for the account the MFP uses.

# Run as Administrator # 1) Create scan folder
$ScanFolder = 'C:\ScansD'
New-Item -Path $ScanFolder -ItemType Directory -Force | Out-Null # 2) Create local scan account (you will be prompted for password)
$scanUser = 'scanuser_d'
Write-Host "Enter password for local user $scanUser"
$pass = Read-Host -AsSecureString "Password"
if (-not (Get-LocalUser -Name $scanUser -ErrorAction SilentlyContinue) { New-LocalUser -Name $scanUser -Password $pass -FullName "Scanner User" -Description "Account for MFP scan to folder" -PasswordNeverExpires:$false Add-LocalGroupMember -Group 'Users' -Member $scanUser Write-Host "Created local user $scanUser"
} else { Write-Host "Local user $scanUser already exists — skipping creation."
} # 3) Set NTFS permissions (Modify for the scan user)
$acct = "$env:COMPUTERNAME\$scanUser"
$acl = Get-Acl -Path $ScanFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($acct,'Modify','ContainerInherit, ObjectInherit','None','Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $ScanFolder -AclObject $acl
Write-Host "Set NTFS Modify permission for $acct on $ScanFolder" # 4) Create share and grant Change/Full as needed
if (-not (Get-SmbShare -Name 'ScansD' -ErrorAction SilentlyContinue) { New-SmbShare -Name 'ScansD' -Path $ScanFolder -FullAccess $acct # Optionally limit share perms to change only: Grant-SmbShareAccess -Name 'ScansD' -AccountName $acct -AccessRight Change -Force Write-Host "Created SMB share \\$env:COMPUTERNAME\ScansD and granted access to $acct"
} else { Write-Host "SMB share 'ScansD' already exists."
} # 5) Ensure Server service is running
Start-Service -Name LanmanServer -ErrorAction SilentlyContinue
sc.exe query LanmanServer | Out-Host # 6) Allow File and Printer Sharing through the firewall (Private profile)
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes # 7) Helpful tests for you to run from the MFP or another PC:
Write-Host "`nTest suggestions:"
Write-Host " - UNC to configure on MFP: \\$env:COMPUTERNAME\ScansD"
Write-Host " - Or use the PC IP: \\<PC-IP>\ScansD (run ipconfig to get IP)"
Write-Host " - Try from another PC: net use \\$env:COMPUTERNAME\ScansD /user:$env:COMPUTERNAME\$scanUser <password>"
Write-Host "`nScript complete. If you want the user removed later run: Remove-LocalUser -Name $scanUser"

• In the MFP control panel or web UI choose “Scan to Folder (SMB)”.
• Folder path (UNC): \PC-NAME\ScansD or \192.168.x.y\ScansD
• Username: PC-NAME\scanuser_d (some MFPs want just scanuser_d; try PC\username if the first fails)
• Password: the password you entered above
• Domain/Workgroup: leave blank or use the PC name/workgroup value if required

• sc query LanmanServer
• netstat -ano | findstr ":445"
• net use \PCNAME\ScansD /userCNAME\scanuser_d <password> (replace PCNAME and password with actual values; you can obfuscate password if you want)

• ipconfig /all (to show PC IP)
• Test-NetConnection -ComputerName <PC-IP> -Port 445

• Name resolution: printers sometimes don’t resolve PC names. Using the PC’s IP address in the UNC avoids this problem.
• Firewall: Windows Reset or in-place repair often reverts firewall rules — enabling the File & Printer Sharing rule is required.
• Sleep/Power: If the PC sleeps, the MFP cannot reach it. Set power plan to prevent sleeping when sharing.
• Credentials on the MFP must match a local account on the PC (not a Microsoft account). Use a local account or create a local password for your Microsoft account by creating a local user as above.
• SMB versions: modern Windows uses SMB2/3; you shouldn’t need SMB1. Avoid enabling SMB1 for security reasons.

• I can provide the exact one‑line net commands instead of the PowerShell script if you prefer CMD.
• Or, paste the model of your MFP and the current UNC you configured (and whether you used a username), and I’ll give the exact values to enter on the MFP.

• In Event Viewer open Windows Logs → Security and find the 4625 entry you captured. Note the Account Name (Scanner), Failure Reason (password expired) and the Status/SubStatus codes (your screenshot shows the expired password code). This confirms the account itself needs a password change or to be removed as the logon identity.

• Services:
  Get-CimInstance Win32Service |
  Where-Object { $.StartName -like 'Scanner' } |
  Select Name,DisplayName,StartName
• Scheduled Tasks:
  Get-ScheduledTask |
  Where-Object { $.Principal.UserId -like 'Scanner' } |
  Select TaskName,TaskPath,@{Name='User';Expression={$.Principal.UserId}}
• Registry (services stored in registry):
  Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
  ForEach-Object { Get-ItemProperty $.PsPath } |
  Where-Object { $.ObjectName -like 'Scanner' } |
  Select PSChildName,ObjectName

• If the PC is domain‑joined, “Scanner” may be a domain account — its password must be reset in Active Directory (contact your AD admin or use ADUC).
• If it’s a local account, reset the password locally (see step 4).

• Local account (Windows Pro/Home):
  • GUI: Computer Management → Local Users and Groups → Users → right‑click Scanner → Set Password… (or check “Password never expires” if appropriate).
  • PowerShell (Admin) to set a new password and disable expiry:
    $pw = ConvertTo-SecureString 'NewP@ssw0rd!' -AsPlainText -Force
    Set-LocalUser -Name 'Scanner' -Password $pw
    Set-LocalUser -Name 'Scanner' -PasswordNeverExpires $true
• Domain account:
  • Reset the password in Active Directory (ADUC) or ask your domain admin. If this account is used for a service, consider marking it as “Password never expires” only after evaluating security implications, or better use a Managed Service Account / gMSA.

• Services: open services.msc → find the service (for Defender ATP the service name is “Microsoft Defender Advanced Threat Protection Service” / service name Sense) → right‑click Properties → Log On tab → enter the updated account/password (or change it back to Local System if it was incorrectly set to Scanner) → OK → Restart the service.
  • Quick check of a service’s account: sc.exe qc Sense
  • If the Defender service was changed to run under Scanner by mistake, set it to Local System via Services GUI (recommended) and restart.
• Scheduled Tasks: open Task Scheduler, find tasks that use Scanner, right‑click → Properties → Change User or Group → re-enter credentials / update password → Save.
• Network devices (e.g., a multifunction printer scanning to a share): update the stored credentials on the device (Remote UI / Address Book entry) to the new password. If this is the scanner scenario, Event 4625 is commonly used to diagnose failed scans to a Windows share — the same troubleshooting steps apply.

• After updating the password, restart the affected service or task and check:
  • Services: service status shows Running
  • Event Viewer: no new 4625 entries for Scanner
  • If it’s a scanner-to-share, attempt a scan and confirm no 4625 failure at that time.

• Prefer managed service accounts (gMSA) for services because they handle password rotation automatically.
• As a quick measure you can set “Password never expires” for the account, but that has security tradeoffs — only do that if allowed by your security policy.

• Don’t change a service logon account to a normal user account unless you understand the rights required — services often need specific privileges. If unsure, services like Defender should run as Local System/Service accounts by default.
• If the account is domain‑managed, resetting it locally won’t help — must reset in AD.
• After changing credentials, some apps cache old credentials (Credential Manager) — remove stale entries if you still see failures.

• Is this PC domain‑joined or standalone?
• Paste the exact output of one 4625 entry (Account Name, Failure Reason, Status/SubStatus) or confirm the screenshot details.
• If you want, paste the outputs of the PowerShell commands above and I’ll point exactly which service/task needs the credential fix and give the exact command to restart it safely.

• Good call changing the local password with net user and updating the Canon Remote UI — Event ID 4625 failures like that are almost always an expired/incorrect credential and updating the account on both ends fixes it.
• If “Scanner” is a local account you created for the printer, consider documenting the password or storing it in a password manager so it doesn’t catch you out later.
• If this account is used by other devices/services, update those credentials too (or check for more 4625 entries in Event Viewer).
• Avoid setting “Password never expires” unless your security policy allows it; a better long‑term option for services in a domain is a managed service account (gMSA) so passwords rotate safely.
• If you want, I can show you how to:
  • Search Event Viewer for any remaining 4625 entries,
  • Replace the local account with a less-privileged dedicated account, or
  • Create a gMSA (if you’re on a domain).

• show a quick Event Viewer filter for remaining 4625s,
• help store the scanner password securely (password manager / Credential Manager), or
• walk through replacing the account with a less‑privileged one or a gMSA (if on a domain).