Windows 10 WMI root\microsoft\securityclient missing instance RRS feed

  • Question

  • Windows 10 LTSB 1607. Windows Defender appears to be working properly. AV definition updates are successful. SCCM client is installed on the machine and the AV policies are being applied successfully - however in SCCM the Antimalware Client Version and related Endpoint Protection Remediation Information is not being reported. (This is not an SCCM issue, it is a Windows Defender issue)

    I have troubleshooted this and  believe there is a WMI issue with Windows Defender. Using a WMI explorer and connecting to root\Microsoft\securityclient I see the 3 classes AntimalwareDetectionStatus, AntimalwareHealthStatus and AntimalwareInfectionStatus. There are no instances of AntimalwareHealthStatus or AntimalwareInfectionStatus on the affected machine.  This is completely unrelated to SCCM other than that SCCM reports the information in this instance (hence the information in SCCM being blank - I wouldn't know there is actually a problem except for my SCCM client health):

    I have tried mofcomp.exe "C:\Program Files\Windows Defender\ProtectionManagement.mof" and it says the results are successful - however after a restart the instances are still missing.

    I have run winmgmt /verifyrepository and the repository is 'consistent' I've used Microsoft's WMIDIAG tool but nothing significant is in the logs, except that on the proper client it lists a Provider: 'PROTECTIONMANAGEMENT' (PID... which is missing from the output of the erroneous machine. Note that on the erroneous machine it does list the C:\program files\windows defender\protectionmanagement.mof as found in the report.

    Aside from suggesting a full WMI rebuild, does anyone have any suggestions to resolve this (to get the 'instance' created) - or has anyone seen it before.  Note in the picture attached, both machines are 1607 LTSB running the same AV client version, engine and definitions.

    • Edited by Sara T_GC Tuesday, March 19, 2019 8:23 PM
    Tuesday, March 19, 2019 8:23 PM

All replies

  • Check: C:\windows\ccm\logs\ExternalEventAgent.log

    If you see something like

    CWmiQueryProcessor::ExecuteModule - Failed to open namespace '\\.\root\Microsoft\ProtectionManagement', error 8004100e
    Failed to get the wmi query result for error = 8004100E
    WMI callback for machine notification (SELECT * FROM MSFT_MpEvent where CategoryDiscriminant = 2) in scope
    (\\.\root\Microsoft\ProtectionManagement) for group 'EndpointProtection' is not registered.


    mofcomp "C:\Program Files\Windows Defender\ProtectionManagement.mof"

    net stop winmgmt /y

    net start winmgmt /y

    net start ccmexec /y

    Also refer to this blog for more ideas

    WMI: Missing or Failing WMI Providers or Invalid WMI Class


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, March 20, 2019 2:04 AM
  • Thank you but if you had read my post you would have seen I've already done that.

    The classes exist, it's the *instance* that does not. 

    • Edited by Sara T_GC Wednesday, March 20, 2019 2:13 AM
    Wednesday, March 20, 2019 2:09 AM
  • Would you mind letting me know the update of the problem? If you need further assistance, feel free to let me know.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, April 9, 2019 7:57 AM
  • Unfortunately the mofcomp/service restart did not work.  winmgmt /verifyrepository resulted the repository being 'consistent'.  The namespace exists, it is the instance that does not.  On a Windows 7 machine I would simply fully uninstall SCEP and reinstall - unfortunately because this is a Windows 10 machine there is no way to "uninstall and reinstall" Windows Defender.  I'm at a loss as the 2 machines I am experiencing this on cannot experience the downtime necessary that I think it required (becuause I think the OS needs to be reinstalled to resolve 😢)

    Any other suggestions are welcome.

    Tuesday, April 9, 2019 1:00 PM