[German]A couple of days ago a German user contacted me with a strong observation. On a fresh installed Windows 11 22H2 he received an event log entry that says (translated) "Windows Security Health Service exe no longer functioning". In addition, there are display errors in the Defender settings page. The strange thing is that the error happens to one user right after rebooting the system. It seems, that a Defender update brokes something.
German blog reader Guido B. had already contacted me by mail on March 16, 2023 and told me about his observation. Under the title "Wrongly delivered update for MS Defender?" he reported the following:
Hello Mr. Born,
I did a Clean Install on my laptop and found out that after a successful installation of the operating system, there seem to be problems with the installation of updates for MS Defender.
In the reliability history there are entries with: "Windows Security Health Service exe not working anymore".
There are problems with Windows Defender. I suspect it is either due to the update KB 5023706 which was distributed on Tuesday 14.03.2023,
Or [it is] due to an update for Microsoft Defender antivirus antimalware platform? Here is version KB 4052623. version: 4.18.2301.6
This update is dated March 15, 2023 Wonder if this update may have shipped incorrectly?
Do not have an Endpoint Security Plan with MS.
Guido still wrote that he is working with Windows 11 Home 22H2 Build 22621.1413 and is probably not the only one who has the problem. He has reset Defender with on-board tools, but the problems persist. In addition, the user reports transparency problems in the Defender display. The left side is black, the right side is light gray
At this point, my thanks to Guido. Guido has also posted his problem in the German deskmodder.de forum. The hint given there, that corrupted files could be the cause did not help – a scan with sfc /scannow does not find any errors. And it was a fresh installation of Windows 11 22H2. In addition, Guido reports that the errors were noticed only after installing update(s).
The March 2023 update KB5023706 for Windows 11 22H2 is described in the blog post Patchday: Windows 11/Server 2022-Updates (March 14, 2023). But I'm not sure, whether the issue is related to this patch – there are suspection, that it's a defender update that causes the error. At the deskmodder.de forum another user reported the same error. User manu wrote:
I had the problem last night too, this morning I restored a two days old system backup and after updating Defender it works again.
Currently those affected have reset systems. Anyone else who is/was affected by this error?
The user reported in this German comment, that is is caused by Windows Defender. It may be fixed by an additional registry entry:
There is a DWORD value (32-Bit) RunAsPPL set to 2. But after restart the second DWORD value (32-Bit) RunAsPPLBoot set to 2 is missing. This entry is in Windows 11 Dev Insider Preview available by default. Guido confirmed: After adding the 2nd value and rebooting the machine, everything is working again.
Cookies helps to fund this blog: Cookie settings
I could believe that Microsoft does not actually test devices running its software after they have received security and 'quality' (what quality?) updates.
Shoddy is not an inappropriate word for the Redmond software business.
Same problem here, but under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa the entry "runasppl" is missing altogether, and no toggle button under "Device security", just that 'local security authority protection' is off. SFC scan shows no issues.
I just re-created the RunAsPPL and RunAsPPLBoost entries with value 2, and error notice in Device Security seems to have disappeared. Thank you
Had a feedback from a German reader, who re-installed the chipset drivers and reported that the error is also gone.