Problem
When performing a full system restore of Windows Server where Windows Defender is enabled, the job fails with Status 2808 or 1.
Error Message
Job Details in Activity Monitor shows the following warnings/errors when restoring the system drive:
2019/04/17 11:13:17 - Warning bpbrm (pid=12784) from client nbclient1: WRN - can't create file: C:\Program Files\Windows Defender\en-US (WIN32 5: Access is denied. )
2019/04/17 11:13:18 - Warning bpbrm (pid=12784) from client nbclient1: WRN - can't create file: C:\Program Files\Windows Defender\Offline (WIN32 5: Access is denied. )
2019/04/17 11:15:43 - Warning bpbrm (pid=12784) from client nbclient1: WRN - can't create file: C:\Windows\System32\drivers\wd (WIN32 5: Access is denied. )
2019/04/17 11:17:40 - Error bpbrm (pid=12784) client restore EXIT STATUS 5: the restore failed to recover the requested files
2019/04/17 11:17:41 - restored from image nbclient1_1555464240; restore time: 0:08:29
2019/04/17 11:17:41 - Warning bprd (pid=11532) Restore must be resumed prior to first image expiration on INFINITY
2019/04/17 11:17:42 - end Restore; elapsed time 0:08:32 Windows File System policy restore error (2808)
Job Details in Activity Monitor shows the following errors/warnings when restoring System State:
2019/04/17 11:33:43 - Warning bpbrm (pid=12836) from client nbclient1: WRN - error writing object: System State:\System Files\System Files
2019/04/17 11:33:43 - Warning bpbrm (pid=12836) from client nbclient1: WRN - error writing byte: -2146096128
2019/04/17 11:33:43 - Warning bpbrm (pid=12836) from client nbclient1: WRN - desired byte count: 65536
2019/04/17 11:33:43 - Warning bpbrm (pid=12836) from client nbclient1: WRN - actual byte count: 52653
2019/04/17 11:41:03 - Error bpbrm (pid=12836) client restore EXIT STATUS 1: the requested operation was partially successful
2019/04/17 11:41:03 - Warning bprd (pid=11784) Restore must be resumed prior to first image expiration on INFINITY
2019/04/17 11:41:03 - end Restore; elapsed time 0:15:29 The requested operation was partially successful (1)
Cause
Because Windows Defender protects its system files and directories, they are not allowed to be overwritten.
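To confirm that a failed system drive restore matches this cause, the job details can be checked for access-denied warnings on Defender paths. The Python sketch below is an added example, not part of the original article or of NetBackup; the function names and the directory list are assumptions taken from the warnings shown above, and the sample lines are copied from those job details.

```python
import re

# Assumption: Defender-protected directories, taken only from the warnings
# shown in this article (not an exhaustive list).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\windows\system32\drivers\wd",
)
WARN_RE = re.compile(
    r"WRN - can't create file: (?P<path>.+?) \(WIN32 (?P<code>\d+): [^)]*\)"
)
EXIT_RE = re.compile(r"client restore EXIT STATUS (?P<status>\d+):")

# Sample input: system drive restore lines from the job details above.
SAMPLE = r"""
2019/04/17 11:13:17 - Warning bpbrm (pid=12784) from client nbclient1: WRN - can't create file: C:\Program Files\Windows Defender\en-US (WIN32 5: Access is denied. )
2019/04/17 11:13:18 - Warning bpbrm (pid=12784) from client nbclient1: WRN - can't create file: C:\Program Files\Windows Defender\Offline (WIN32 5: Access is denied. )
2019/04/17 11:15:43 - Warning bpbrm (pid=12784) from client nbclient1: WRN - can't create file: C:\Windows\System32\drivers\wd (WIN32 5: Access is denied. )
2019/04/17 11:17:40 - Error bpbrm (pid=12784) client restore EXIT STATUS 5: the restore failed to recover the requested files
"""


def under_defender(path: str) -> bool:
    """True if path is a Defender directory or lies inside one."""
    p = path.lower()
    # Compare whole path components so drivers\wdf01000.sys is not matched.
    return any(p == d or p.startswith(d + "\\") for d in DEFENDER_DIRS)


def triage(job_details: str) -> dict:
    """Split WIN32 5 (access denied) warnings into Defender and other paths."""
    defender, other, exit_status = [], [], None
    for line in job_details.splitlines():
        warn = WARN_RE.search(line)
        if warn and warn.group("code") == "5":
            path = warn.group("path").strip()
            (defender if under_defender(path) else other).append(path)
            continue
        done = EXIT_RE.search(line)
        if done:
            exit_status = int(done.group("status"))
    return {
        "exit_status": exit_status,
        "defender_denied": defender,
        "other_denied": other,
        # False when non-Defender paths were also denied: check permissions too.
        "defender_only": bool(defender) and not other,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The System State variant of the failure reports no file paths, so this check covers only the system drive restore log.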
Solution
Before initiating a full system restore, turn off Windows Defender on the restore target client.
How to turn off Windows Defender
1. Log in as an administrator. Type gpedit.msc in the Run box and press Enter.
2. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus.
In the right-hand panel, you’ll see the option Turn off Windows Defender Antivirus. Double-click to open it.
Note: Setting name is "Microsoft Defender Antivirus" on Windows Server 2022.
3. In the new window, select Enabled, then click OK to save the settings.
4. Close the Local Group Policy Editor and run gpupdate /force in a command prompt to update the group policy.