@ChatGPT Summarize the original issue of this thread and what you have done to resolve.
@ChatGPT Actually just in this thread, not other threads created by the same person or others. This thread is 380533.
 
Here’s a thread‑only recap for 380533 (Unable to start Windows Defender Advanced Threat Protection Service).
Original issue(s)
  • “Windows could not start the Windows Defender Advanced Threat Protection service (Sense). Error 1067.”
  • Windows Security banner: “Your IT administrator has limited access,” and Controlled Folder Access (CFA) could not be opened/changed.
What I diagnosed
  • Sense (Windows Defender Advanced Threat Protection) is the Microsoft Defender for Endpoint EDR sensor. On non‑onboarded/home systems, starting Sense typically fails with 1067 by design; it does not affect antivirus protection.
  • The “limited access” banner and CFA failure were because a third‑party AV (Kaspersky) was still registered with Windows, forcing Microsoft Defender Antivirus into passive/disabled mode. In that state, CFA can’t be managed.
What I did (and provided step‑by‑step)
  • Clarified Sense’s role and gave two paths:
    • If not using Microsoft Defender for Endpoint: leave Sense set to Manual; don’t start it.
    • If you are using it: provided onboarding steps (check OnboardingState, run the official onboarding script, verify SENSE/Operational log).
  • Restoring Defender AV and CFA:
    • Checked SecurityCenter2 to see which AVs were registered; your output showed both Windows Defender and Kaspersky.
    • Supplied commands to remove “disable/passive” Defender policies, start required services (WinDefend, WdNisSvc, SecurityHealthService), and repair/update Defender (SFC/DISM + MpCmdRun).
    • Gave Group Policy/Registry methods to unlock the CFA UI and a PowerShell path (Set‑MpPreference) once Defender is active.
    • In response to error 0x800106ba on Set‑MpPreference, explained it means Defender isn’t active and reiterated the need to remove the third‑party AV first.
    • Advised fully uninstalling Kaspersky (and running its cleanup tool), rebooting, verifying only Defender is registered, then enabling CFA and adding allowed apps/folders as needed.
Current/next step for this thread
  • Remove Kaspersky completely, reboot, confirm only Microsoft Defender is registered, then enable CFA (Set‑MpPreference -EnableControlledFolderAccess Enabled). Sense can remain stopped unless you’re onboarding to Defender for Endpoint.
 
I have created a destination in the address book for another PC on the network: PATRE-Desktop.

But it is giving me Error 801.
 

Error 801 on the MF752Cdw = “cannot connect to the file server”

That means the printer can’t reach or open the share. It’s almost always one of: wrong host/path format, PC asleep, firewall/SMB blocked, or DNS/name lookup. Fix it in this order.
1) On PATRE-Desktop (the target PC)
  • Create a simple share (don’t use Desktop paths):
    • Folder: C:\ScansD
    • Local user for the scanner (example): scanuser_d with a password.
    • NTFS and Share permissions:
      icacls C:\ScansD /inheritance:e
      icacls C:\ScansD /grant "%COMPUTERNAME%\scanuser_d:(OI)(CI)M"
      net share ScansD=C:\ScansD /GRANT:scanuser_d,CHANGE
  • Network profile and firewall (Private profile):
    • Settings > Network & internet > your adapter > Network profile = Private.
    • Enable file sharing rules:
      netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  • Services/port check:
    • sc query LanmanServer (STATE should be RUNNING)
    • netstat -ano | find ":445" (should show LISTENING)
  • Keep the PC awake while testing (no sleep).
2) Test the share from another device
  • Win+R → \\PATRE-DESKTOP\ScansD and also \\<PATRE-Desktop-IP>\ScansD
  • When prompted, use: PATRE-DESKTOP\scanuser_d + the password.
  • Create a test file. If this works, credentials and share are good.
3) Program the Canon (Remote UI)
  • Remote UI (http://PRINTER_IP) > Address Book > Register New Destination > Type: File.
  • Protocol: Windows (SMB).
  • Use the PC’s IP, not the name:
    • Host Name: <PATRE-Desktop-IP>
    • Folder Path: ScansD (not C:\ScansD)
    • User Name: PATRE-DESKTOP\scanuser_d
    • Password: (as set above)
  • Network settings on printer: Settings/Registration > Network Settings > SMB Client Settings:
    • SMB version: Auto (ensure SMB2/SMB3 are enabled)
    • Authentication: NTLMv2
4) If 801 persists
  • If the scan fails immediately, it’s still a connectivity/name issue. Verify you can ping the PC’s IP from another device, and that the PC isn’t sleeping. Stick with the IP (not the hostname) in the Canon entry.
  • Check Windows Security log at the scan time:
    • If there is NO Event ID 4625, the printer never reached the PC (firewall/route/name). Re‑check step 1 and use the IP.
    • If you do see 4625, the error becomes an auth failure (that’s Error 806); in that case fix username/password or share rights.
If you want, post:
  • The exact Host Name, Folder Path, and User Name you entered for PATRE‑Desktop,
  • The PC’s IP, and
  • The output of: Get-SmbShare -Name ScansD; Get-SmbShareAccess -Name ScansD; icacls C:\ScansD
    and I’ll spot the one field to change.
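
The checks from steps 1 and 4 above, gathered into one script as an added example that is not part of the original post. It assumes an elevated PowerShell session on the PC hosting the share and that logon-failure auditing is enabled; `$PrinterIp` and `$Minutes` are placeholder values.

```powershell
# Added example: run elevated on the PC that hosts the share.
# $PrinterIp and $Minutes are placeholders; ScansD is the share name from the post.
$PrinterIp = '192.0.2.50'   # placeholder: replace with the printer's address
$ShareName = 'ScansD'
$Minutes   = 15             # how far back to search the Security log

# Step 1: Server service, SMB listener, share, network profile, firewall group.
$server   = Get-Service -Name LanmanServer
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$share    = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
$public   = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
$fwRules  = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

# Step 4: failed logons (Event ID 4625) whose source address is the printer.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
$failed = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['IpAddress'] -eq $PrinterIp) {
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Status    = $data['Status']
                SubStatus = $data['SubStatus']
            }
        }
    }

[pscustomobject]@{
    ServerRunning  = $server.Status -eq 'Running'
    Listening445   = [bool]$listener
    ShareExists    = [bool]$share
    PublicProfile  = [bool]$public          # True means an adapter is not set to Private
    InboundRulesOn = @($fwRules).Count
    Failed4625     = @($failed).Count
} | Format-List

if ($failed) {
    'Printer reached the PC but logon failed: check user name, password and share rights.'
    $failed | Format-Table -AutoSize
} else {
    'No 4625 from the printer: treat as connectivity (firewall, route, sleep, address).'
}
```

Run it right after a failed scan so the event falls inside the search window. The firewall group name is matched by its English display name, so `InboundRulesOn` may read 0 on a localized Windows install even when the rules are enabled.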
 
If I pause protection in Kaspersky Internet Security it works successfully.

What settings do I need to change in Kaspersky Internet Security?
 

Why it works when Kaspersky is paused

Your Canon scans via SMB (TCP 445) to the PC. Kaspersky Internet Security (KIS) is blocking the inbound SMB connection on the PC that hosts the share. You need to allow SMB from the printer, or mark your LAN/printer as trusted.
Do this on the PC that has the shared folder
Option A — Easiest: mark LAN/printer as Trusted
  • Kaspersky > Settings (gear) > Protection > Firewall.
  • Networks (or Manage networks):
    • Set your home network to Trusted.
  • Settings > Network settings > Trusted addresses:
    • Add the printer’s IP (e.g., 192.168.1.50). Save.
  • Test the scan.
Option B — Explicit firewall rule for SMB from the printer
  • Kaspersky > Settings > Protection > Firewall > Configure rules (Packet rules).
  • Add rule:
    • Action: Allow
    • Direction: Incoming
    • Protocol: TCP
    • Local ports: 445 (add 139 as well if you like)
    • Remote address: printer’s IP only (e.g., 192.168.1.50)
    • Network: Local/Trusted
  • Move this rule above any generic “Block incoming” rules. Apply and test.
Option C — Keep KIS AV, use Windows Firewall for LAN
  • In Kaspersky > Protection, turn off only Firewall (leave AV on).
  • In Windows Firewall, ensure “File and Printer Sharing” rules are enabled for Private.
  • Test. If this works, you can stay with Windows Firewall for LAN traffic.
If it still fails
  • In Kaspersky > Reports, filter by Firewall; you’ll see the exact block event (port, IP, app). Click “Create rule” or re‑create the allow rule using the shown details.
  • Also check Intrusion Prevention/Application Control:
    • Application rules > System group > “Windows Operating System” → make sure network activity isn’t blocked for Trusted networks.
Quick checklist
  • Use the printer’s IP in the Canon address book.
  • Share path is Scans (not C:\Scans) and user is PCNAME\scanuser.
  • PC is awake; network profile is Private.
If you tell me your Kaspersky build (e.g., 21.3.x) and share a screenshot of the Firewall screen, I’ll give the exact clicks for that UI.
 
Happy to hear that — glad it’s working!
A few quick follow‑ups you might find helpful (optional):
  • If you created local scan accounts (scanuser), consider changing the password to something strong and store it securely.
  • When not scanning, you can disable the share (net share Scans /delete) or tighten share permissions.
  • Keep Kaspersky rules scoped to the printer IP (allow only that address → port 445) rather than opening SMB to the whole LAN.
  • Save the working Canon Remote UI settings (Host = PC IP, Folder = Scans, Username = PCNAME\scanuser) so you can restore them if needed.
If you want, I can:
  • Draft a moderator request to redact your real name from the thread, or
  • Provide the exact Kaspersky firewall rule steps for your version, or
  • Walk through securing/removing the temporary scan account.
Anything else I can do before you close this out?