Event 10016 Windows.SecurityCenter Warnings

If we install Windows 11 and we look in the Event System Log, we can see three types of “Event 10016 Windows.SecurityCenter DistributedCOM” Warnings:

1. The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
   Windows.SecurityCenter.WscCloudBackupProvider
   and APPID
   Unavailable
   to the user Username SID (…) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
2. The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
   Windows.SecurityCenter.SecurityAppBroker
   and APPID
   Unavailable
   to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
3. The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
   Windows.SecurityCenter.WscDataProtection
   and APPID
   Unavailable
   to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Microsoft recommendation is (DCOM event ID 10016 is logged in Windows):
“These events can be safely ignored because they don’t adversely affect functionality and are by design. It’s the recommend action for these events.”

However, these warnings are very annoying and can confuse anyone, that something is wrongly configured.

Analysis:

The problem is related to the Windows Security Center. The Windows Security Center service (wscsvc) has a delayed automatic start. WscCloudBackupProvider, SecurityAppBroker and WscDataProtection objects start earlier with the OS. As soon as the objects are active, they try to communicate with the Windows Security Center service (wscsvc), which is not started. That is why, we get Event 10016 warnings.

Solution:

Solution of this problem is unusual. It has nothing to do with Local Launch permissions. We should start Windows Security Center service earlier, during OS starting procedure.

If we look at the registry with Registry Editor (regedit.exe), we can find Windows Security Center service settings at:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

We have to change the DelayedAutoStart DWORD Value From 1 to 0.

We can’t do it right away, because we don’t have a permission to do it. We right click on the wscsvc Registry Key and select Permissions…First, we need to change the owner of Registry Key. Go to Advanced, Change Owner from System to the Administrators group (local Administrators group, if computer is member of domain), select OK twice. Then open the Permissions window once again and change permissions of Administrators group to Full Control.

Now, we can change the DelayedAutoStart DWORD Value From 1 to 0. In this way, the Windows Security Center will start earlier.

That’s it. After OS restart, we will not see Event 10016 Windows.SecurityCenter Warnings anymore.

I invite you to solve also Event 10016 PerAppRuntimeBroker Warning in Windows 11!