Microsoft has confirmed a new issue affecting Windows Server. The issue prevents Microsoft Defender for Endpoint from starting or running on devices that use a Windows Server Core installation. There are currently no signs that Windows 10 devices are affected.
Windows Server 2019 and Windows Server 2022
According to Microsoft’s Known issues and notifications post, the issue affects devices that have installed KB5007206 or later updates on Windows Server 2019, and KB5007205 or later updates on Windows Server 2022. The tech giant also stated that it is currently working on a resolution and will provide a fix in an upcoming release. Microsoft stated,
« After installing KB5007205 or later updates, Microsoft Defender for Endpoint might fail to start or run on devices with a Windows Server Core installation. Note: This issue does not affect Microsoft Defender for Endpoint on Windows 10. »
There are also reports that Microsoft Defender Antivirus crashes with MALWAREPROTECTION_RTP_FEATURE_FAILURE and the error “Real-time protection encountered an error and failed”. Users who installed security intelligence updates between versions 1.353.1477.0 and 1.353.1486.0 are getting this error. Microsoft stated that this issue has been addressed in version 1.353.1502.0. However, security expert SecGuru_OTX stated that users might have to hard reboot before real-time protection works again.
MDE hunting query to find devices with inactive RealTime Protection.
For example, to detect problems with Windows Defender after signature updates 1.353.1477.0 and 1.353.1481.
Everyone should also look for EventID 3002 under Windows Defender\Operational
— CISOwithHoodie (@SecGuru_OTX) November 25, 2021
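As an added example, not part of the article or of the quoted tweet, the following PowerShell script checks a single Windows Server for the symptoms described above: whether the installed security intelligence version falls in the range the article names, whether real-time protection is reported as enabled, and whether Event ID 3002 (the "Real-time protection encountered an error and failed" event) has been logged recently. It assumes the built-in Defender cmdlets (Get-MpComputerStatus) are present and that it is run from an elevated session; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the article or the quoted tweet). Assumes the built-in
# Defender module is available and the session is elevated.

$status = Get-MpComputerStatus

# Signature versions the article reports as affected (range taken from the page).
$affectedMin = [version]'1.353.1477.0'
$affectedMax = [version]'1.353.1486.0'
$sigVersion  = [version]$status.AntivirusSignatureVersion

# Summary of the local Defender state relevant to this issue.
[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    SignatureVersion          = $sigVersion
    SignatureInAffectedRange  = ($sigVersion -ge $affectedMin -and $sigVersion -le $affectedMax)
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AMRunningMode             = $status.AMRunningMode
} | Format-List

# Event ID 3002 in the Defender operational log is the real-time protection
# failure event the tweet recommends looking for. Look-back window is an assumption.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 3002
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Output "Found $($events.Count) Event ID 3002 entries in the last 7 days:"
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No Event ID 3002 entries in the last 7 days.'
}
```

A device that reports RealTimeProtectionEnabled as False, or that has recent 3002 events while its signature version sits inside the affected range, matches the failure mode described above; after the update to 1.353.1502.0 (and a restart, as the tweet suggests), the check should come back clean.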