Microsoft Windows Server 2016

Question

Microsoft Windows Server 2016

Rave WONG 0

Hi Microsoft Support,

I have encountered issue onboarding Defender for cloud MDE extension on one of my Windows Server 2016. Based on CoPilot, it says that the OS build or version is old.

Best Regards
[moderation note: personal information removed]

Moved from Microsoft 365 and Office | Microsoft 365 Defender | For home | Windows

Rave WONG 0 Reputation points

2026-02-11T03:35:15.1133333+00:00

Hi

Server has been onboarded to Azure ARC, however MDE extension failed.

Best Regards

Rave Wong
Ankit Yadav 12,205 Reputation points Microsoft External Staff Moderator

2026-02-11T04:19:50.2666667+00:00

Hello @Rave WONG

Thank you for contacting us about the issue. We have begun looking into it and will share our suggestions with you as soon as possible. If you have any additional details or concerns in the meantime, please let us know.

We appreciate your patience while we work on this.
Sridevi Machavarapu 22,525 Reputation points Microsoft External Staff Moderator

2026-02-11T04:39:10.7933333+00:00
Hello Rave WONG,

For Windows Server 2016, the Defender for Endpoint (MDE) extension requires the OS to be fully updated.

If the OS build is outdated, the extension may fail even though Azure Arc onboarding is successful.

Please check:

The server is installed with the latest cumulative updates.

The OS build using winver.

The Azure Arc agent is up to date.

Extension deployment logs for the exact error.

After updating the server, try reinstalling the MDE extension.

If it still fails, please share the exact error message and screenshots for further review.

Hope this helps! Feel free to reach out for further queries.
Rave WONG 0 Reputation points

2026-02-11T06:13:14.58+00:00

Hi below is the error encountered when i manually onboard the server to Azure ARC.

Below is the current version of the server. Best Regards

Rave Wong
Rave WONG 0 Reputation points

2026-02-13T02:42:10.64+00:00

Any body has any idea on the above error?
Sridevi Machavarapu 22,525 Reputation points Microsoft External Staff Moderator

2026-02-13T02:52:30.62+00:00
Hello Rave WONG,

The error “Enable-WindowsOptionalFeature: The referenced assembly could not be found” on Windows Server 2016 is usually caused by missing system updates or corrupted system components.

Even though Defender features appear as Available or Installed, the required files for Defender for Endpoint (MDE) may not be present if the OS is not fully updated.

What this means:

For Windows Server 2016, MDE and the Azure Arc extension depend on components that are delivered through cumulative updates. If the server is running an older build or missing updates, the feature installation and onboarding will fail.

Please try the following:

Make sure the server is fully updated Install all pending Windows updates, including:

Latest Servicing Stack Update (SSU)

Latest Cumulative Update (LCU)

After updating, check:
winver

Repair system files Run these commands in an elevated prompt:
DISM /Online /Cleanup-Image /RestoreHealth sfc /scannow

Restart the server

Update Azure Arc agent
Confirm the Azure Arc agent is up to date.

Reinstall the MDE extension
Remove and redeploy the Defender for Endpoint extension from Azure Portal.

If the issue continues

Please share:

Updated winver output

Full error message from the extension

Logs from:

C:\ProgramData\AzureConnectedMachineAgent\Log
Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2026-02-19T16:13:40.0633333+00:00

Hello Rave WONG,

Lets connect via private messages!

1 answer

Your answer

Rave WONG 0 Reputation points

2026-02-11T03:35:15.1133333+00:00

Hi

Server has been onboarded to Azure ARC, however MDE extension failed.

Best Regards

Rave Wong
Ankit Yadav 12,205 Reputation points Microsoft External Staff Moderator

2026-02-11T04:19:50.2666667+00:00

Hello @Rave WONG

Thank you for contacting us about the issue. We have begun looking into it and will share our suggestions with you as soon as possible. If you have any additional details or concerns in the meantime, please let us know.

We appreciate your patience while we work on this.
Sridevi Machavarapu 22,525 Reputation points Microsoft External Staff Moderator

2026-02-11T04:39:10.7933333+00:00

Hello Rave WONG,

For Windows Server 2016, the Defender for Endpoint (MDE) extension requires the OS to be fully updated.

If the OS build is outdated, the extension may fail even though Azure Arc onboarding is successful.

Please check:

The server is installed with the latest cumulative updates.

The OS build using winver.

The Azure Arc agent is up to date.

Extension deployment logs for the exact error.

After updating the server, try reinstalling the MDE extension.

If it still fails, please share the exact error message and screenshots for further review.

Hope this helps! Feel free to reach out for further queries.
Rave WONG 0 Reputation points

2026-02-11T06:13:14.58+00:00

Hi below is the error encountered when i manually onboard the server to Azure ARC.

Below is the current version of the server. Best Regards

Rave Wong
Rave WONG 0 Reputation points

2026-02-13T02:42:10.64+00:00

Any body has any idea on the above error?
Sridevi Machavarapu 22,525 Reputation points Microsoft External Staff Moderator

2026-02-13T02:52:30.62+00:00

Hello Rave WONG,

The error “Enable-WindowsOptionalFeature: The referenced assembly could not be found” on Windows Server 2016 is usually caused by missing system updates or corrupted system components.

Even though Defender features appear as Available or Installed, the required files for Defender for Endpoint (MDE) may not be present if the OS is not fully updated.

What this means:

For Windows Server 2016, MDE and the Azure Arc extension depend on components that are delivered through cumulative updates. If the server is running an older build or missing updates, the feature installation and onboarding will fail.

Please try the following:

Make sure the server is fully updated Install all pending Windows updates, including:

Latest Servicing Stack Update (SSU)

Latest Cumulative Update (LCU)

After updating, check:
winver

Repair system files Run these commands in an elevated prompt:
DISM /Online /Cleanup-Image /RestoreHealth sfc /scannow

Restart the server

Update Azure Arc agent
Confirm the Azure Arc agent is up to date.

Reinstall the MDE extension
Remove and redeploy the Defender for Endpoint extension from Azure Portal.

If the issue continues

Please share:

Updated winver output

Full error message from the extension

Logs from:

C:\ProgramData\AzureConnectedMachineAgent\Log
Rukmini 30,115 Reputation points Microsoft External Staff Moderator

2026-02-19T16:13:40.0633333+00:00

Hello Rave WONG,

Lets connect via private messages!

Answer 1

Hello,

The onboarding failure you’re seeing with the Defender for Cloud MDE extension on Windows Server 2016 is indeed tied to OS build support. Microsoft Endpoint Detection and Response (EDR) capabilities in Defender for Endpoint require a minimum baseline of Windows Server 2016 with the latest cumulative updates and servicing stack installed. Older builds of Server 2016 do not contain the kernel hooks and telemetry APIs that the MDE extension relies on, which is why the onboarding process rejects them as unsupported.

The first step is to confirm the exact OS build. Run winver or check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion for ReleaseId and UBR. For MDE onboarding, Microsoft requires Server 2016 to be at least on 1607 with KB5007206 or later cumulative update. If your build is older, the extension will fail with the “OS build/version is old” message.

If you are already on the latest patch level and onboarding still fails, check whether the Defender for Endpoint agent prerequisites are installed. Specifically, the Microsoft Monitoring Agent (MMA) and the Sense service must be present and running. You can verify by checking services.msc for “Windows Defender Advanced Threat Protection Service” (Sense). If it is missing, the onboarding package cannot complete.

In some environments, onboarding fails because the server is configured with legacy WSUS policies that block the Defender platform updates. Ensure that the following registry keys are not pointing to stale WSUS servers:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer and WIStatusServer. If they exist and are invalid, clear them and force a policy refresh.

In short, the error is not a generic failure but a strict version check. Update Server 2016 fully, confirm the Sense service is present, and ensure update policies allow Defender platform updates. If the build is already current and onboarding still fails, the supported path is to escalate to Microsoft support, as they can confirm whether your tenant requires the newer unified agent (MDE unified solution) instead of the legacy MMA‑based onboarding.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

Domic Vo.

Rave WONG 0 Reputation points

2026-02-27T06:42:32.86+00:00

Hi

Is KB5075902 and KB5075999 supported? I have these updates available for installation on my Windows Server 2016.

Best Regards

Rave Wong

Share via

Microsoft Windows Server 2016

1 answer

Your answer