Microsoft Defender for Endpoint fails to start on Windows Server

Microsoft has confirmed a new issue impacting Windows Server devices preventing the Microsoft Defender for Endpoint security solution from launching on some systems.

The enterprise endpoint security platform (previously known as Microsoft Defender Advanced Threat Protection or Defender ATP) might fail to start or run on devices with a Windows Server Core installation.

The known issue only impacts devices where customers have installed KB5007206 or later updates on Windows Server 2019 and KB5007205 or later updates on Windows Server 2022.

"After installing KB5007205 or later updates, Microsoft Defender for Endpoint might fail to start or run on devices with a Windows Server Core installation," Microsoft explained on the Windows Server 2022 health dashboard.

As the company further revealed, this newly confirmed issue does not affect Microsoft Defender for Endpoint running on Windows 10 devices.

Redmond is currently working on a solution to address this bug and will provide the fix in an upcoming update.

Other issues stemming from November's Windows updates

This month's KB5007206 and KB5007205 cumulative updates have also generated other problems for Windows users, including a Windows Installer bug that would break apps after repairing or updating them and errors trying to connect to remote printers shared on Windows print servers.

Microsoft claims to have fixed the Installer and network printing issues with the optional KB5007253 Preview cumulative update on Wednesday.

You can install this update by going into Settings, clicking on Windows Update, and manually performing a 'Check for Updates.'

Since it is an optional update, you will be asked to install it by clicking on the 'Download and install' link.

You can also download and install the KB5007253 preview update manually from the Microsoft Update Catalog.

Reports of Defender Antivirus crashes

BleepingComputer is also aware of reports that Microsoft Defender Antivirus crashes with EventID 3002 notifications (MALWAREPROTECTION_RTP_FEATURE_FAILURE) and "Real-time protection encountered an error and failed" errors codes.

This issue occurs only after installing security intelligence updates between versions 1.353.1477.0 and 1.353.1486.0.

According to Microsoft's documentation, on systems where this Event ID shows up in logs after Real-Time Protection crashes, one or more of the following Microsoft Defender Antivirus will also fail:

  • On Access
  • Internet Explorer downloads and Microsoft Outlook Express attachments
  • Behavior monitoring
  • Network Inspection System

Microsoft seems to have fixed this bug with version 1.353.1502.0 but, according to Dutch security expert SecGuru_OTX, your device might require a hard reboot to re-enable features such as behavior monitoring.

SecGuru_OTX also shared info on how to find systems impacted by this Microsoft Defender Antivirus bug and on fixing the issue.

Related Articles:

Microsoft blames Windows Server 2025 automatic upgrades on 3rd-party tools

Microsoft fixes Remote Desktop issues caused by Windows Server update

Microsoft fixes bugs causing Windows Server 2025 blue screens, install issues

Windows Server 2025 released—here are the new features

Microsoft confirms Windows Server 2025 blue screen, install issues