Manage Learn to apply best practices and optimize your operations.

Recent Win10 Updates Bollix Defender Module Hashes

After recent Windows Defender updates and the latest 1903 Windows 10 CU (KB4507453) Windows 10 may show interesting misbehavior. Symptom: running the sfc /scannow command produces error text rather than a clean bill of health. Reports from TenForums and Bleeping Computer confirm and describe this phenomenon. If you check the CBS.log file that the System File Checker produces, it identifies a Win10 Module named Windows-Defender-Management-Powershell as the culprit. The specific error says “Hashes for file member <filename> do not match.” In fact, what apparently causes recent Win10 updates bollix defender module hashes is proper resynchronization with the Component Store. I’ll depict the fix, then explain it further. [Note: this pathology is directly connected to Windows Defender, so Win10 PCs running some other AV/antimalware package aren’t affected. Interestingly, I did find the same error on current Insider Preview Builds, too.]

On both 1903 and 20H1 (18936.1000) systems, the symptom and the fix are the same, shown here.
[Click image for full-sized view.]

Fixing Win10 Updates Bollix Defender Module Hashes

The preceding PowerShell screen grab shows the symptom, and the multi-step fix. The symptom presents when sfc /scannow reports that “Windows Resource Protect found corrupt files but was unable to fix some of them.” Based on the nature of the actual error, this is a housekeeping problem. Microsoft’s installer clean-up apparently failed to synchronize hashes for those files as compared to the Component Store. Thus, the fix requires two steps, with a third to confirm a successful resolution:

  1. DISM /online /cleanup-image /restorehealth checks all the Windows files and replaces any it finds out of whack with known, good versions from the Component Store. This creates the situation where all copies of such files match.
  2. sfc /scannow, now able to work with matching sets of files, can now effect a proper repair because the hash values now match.
  3. A final iteration of sfc /scannowconfirms that all is well (“Windows Resource Protection did not find any integrity violations.”)

Problem solved. All this said, the fix may be something to entertain those with OCD tendencies rather than the general population. With issue reports abounding, MS should fix this issue soon. That means some upcoming Windows Defender update or Cumulative Update should obliterate this misbehavior. My money’s on a fix via Windows Defender updates, because this issue appears on Win 10 1903 PCs running Build 18362.239, Slow Ring Insider Preview PCs running 18362.1005, and Insider Preview PCs  running Build 18936.1000. The only thing all those machines have in common is the same set of Windows Defender updates. Let’s hope it happens sooner, rather than later!

Note Added 1 Day Later (July 18)

This morning, I updated my Surface Pro 3 PC, running a recent Slow Ring Insider Preview (Build 18362.1005). The only new package that came through was Defender stuff (1.237.1331.0). Out of curiosity I next ran sfc /scannow. Sure enough, the same error message (and CBS.log file contents) recurred. Apparently, MS has not yet fixed this issue and the hash mismatch reappears upon obtaining new Defender updates. How hard can this be to fix? Please: get it together, MS!