Microsoft published KB5043950, which describes an issue where the Defender for Endpoint agent (Sense client) isn’t installed as expected on Windows 11 24H2. This can happen when a device is upgraded from Home to Pro: the Sense client feature is no longer present in Home, and it doesn’t get added when the device is “transmogged” to Pro. As a result, MDE doesn’t work.
OK, but how common is that scenario? Most corporate devices are purchased with Pro already installed (as a qualifying OS for Enterprise, or at least to get the Pro-level features). Well, it might be uncommon for IT administrators to make this change (maybe a little more likely in the short term as people bought Copilot+ devices before the “commercial” devices were available). But apparently there’s another more common scenario: the OEM does it. An OEM could apply a Windows 11 24H2 Home image to the device as part of the manufacturing process, but then upgrade it to Pro before shipping it to the customer. So you may not even know that the device was upgraded, because that happened before you ever saw the device.
There have been a variety of conversations on X about that. Since 24H2 isn’t yet shipping on x64-based devices, with any luck this won’t be seen outside of the ARM64 devices that have already shipped, since OEMs should have been notified by now to take actions to avoid this.
Fortunately, the workaround for this is pretty simple: manually add the missing Sense client feature, which you can do via DISM or PowerShell.
DISM /online /Add-Capability /CapabilityName:Microsoft.Windows.Sense.Client~~~~
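The PowerShell route mentioned above, as an added example (not from the original post, the KB, or the Autopilot Branding package). It assumes an elevated session, uses the capability name from the DISM command, and checks for the `Sense` service afterwards; the exit codes are an arbitrary choice so the script can be used as a detect-and-repair step.

```powershell
#Requires -RunAsAdministrator
# Added example: detect and repair the missing Sense client capability.
$capabilityName = 'Microsoft.Windows.Sense.Client~~~~'   # same name as the DISM command

# The issue is described for Windows 11 24H2 (build 26100), so skip earlier builds.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($build -lt 26100) {
    Write-Output "Build $build predates 24H2; nothing to do."
    exit 0
}

# Query the current state before changing anything, so the log shows what was found.
$cap = Get-WindowsCapability -Online -Name $capabilityName
Write-Output "Sense client capability state: $($cap.State)"

$restartNeeded = $false
if ($cap.State -ne 'Installed') {
    try {
        # Pulls the payload from Windows Update or the configured FoD source.
        $result = Add-WindowsCapability -Online -Name $capabilityName -ErrorAction Stop
        $restartNeeded = [bool]$result.RestartNeeded
        Write-Output 'Sense client capability added.'
    }
    catch {
        Write-Error "Add-WindowsCapability failed: $($_.Exception.Message)"
        exit 1
    }
}

# Confirm the MDE service is registered; without it the device cannot be onboarded.
$svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    if ($restartNeeded) {
        Write-Warning 'Sense service not registered yet; restart and check again.'
        exit 0
    }
    Write-Error 'Sense service is not registered even though the capability reports Installed.'
    exit 1
}

Write-Output "Sense service present (status: $($svc.Status), start type: $($svc.StartType))."
exit 0
```

Running it a second time only reports the state, which makes it safe to schedule across a fleet to find devices that were upgraded from Home before delivery.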
Just in case this happens on devices being provisioned via Autopilot, I’ve added a line to the configuration XML file used by the Autopilot Branding package to add this component. If it’s already there, it will just log a message and continue on, so there’s no harm in trying. You can pick up the latest version on GitHub.






