Latest Discussions
Azure ATP Sensor install failing (Updater Service does not start)
Hello All! We try to install the Azure ATP Sensor on a DC. The setup wizard runs until this point ... then does some retries for about 3 minutes; during this time the service "Azure Advanced Threat Protection Sensor Updater" is several times in state "starting" and back to not started. Then setup fails with 0x80070643 and does a rollback. In the "Microsoft.Tri.Sensor.Updater-Errors" log, we find this error every 10 seconds during the setup:

2019-12-23 11:27:37.8384 Error CommunicationWebClient+<SendWithRetryAsync>d__8`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace=
 at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
 at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
 at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=5iiWw0iPCPzCGdZStU4OxA==StackTrace=
 at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
 at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
InnerException=]]
 at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
 at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
 at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
 at async Task Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater.UpdateConfigurationAsync(bool isStarted)
 at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
 at new Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater(IConfigurationManager configurationManager, IMetricManager metricManager, ISecretManager secretManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
 at object lambda_method(Closure, object[])
 at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
 at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
 at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()
 at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
 at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
 at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

A proxy is used which allows access to *.atp.azure.com without auth. In the proxy logs, we see no block for this server, only successful requests from this DC. There is no indication that 443 would be blocked somewhere else... The AD account which is configured in the ATP portal was checked; the domain is given as an FQDN there and the password is correct. Any ideas, someone?

Solved | PhilippFoeckeler | Dec 23, 2019 | Copper Contributor | 36K views | 0 likes | 37 comments

Honeytoken alerts FP
Hi! We have had a lot of "Honeytoken activity" since 23.11.2022, starting in the evening (MET timezone). Normally, in the past, this kind of alert only appeared during planned penetration tests and the alert was accurate. But right now we have honeytoken activity from around 185 sources (clients) with SAM-R queries so far, and counting! It seems to be a bug and we will wait for the next releases from Defender for Identity; so far we couldn't find a cause which makes sense for why this alert keeps being triggered... (meaning no signs of a real attack, and no idea what update or other config change could have started this behaviour). Maybe someone else is experiencing the same right now; this is meant as information... BR

DefenderAdmin | Nov 30, 2022 | Brass Contributor | 34K views | 4 likes | 31 comments

Secure Score "this account is sensitive and cannot be delegated"
Hi, in Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'", in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?

starman2heven | Oct 25, 2024 | Brass Contributor | 3.2K views | 0 likes | 29 comments

ATA Client on a Server 2019 Domain Controller
We have noticed that when installing the ATA client on a Windows Server 2019 domain controller, the Lsass.exe service crashes every 10-25 minutes and causes the server to reboot. We also noticed that when we installed the client on multiple 2019 domain controllers, they all have Lsass.exe crash at the same time and they reboot within a few moments of each other.

Paul_Brock | Nov 15, 2018 | Brass Contributor | 7.2K views | 0 likes | 28 comments

ATP sensor install fails 0x80070643
I am trying to install the ATP sensor on all DCs, Federation, CS, and EntraSync servers. All is well on about 70% of them. However, I get this failure on many: During installation, I can see both the ATP service and the ATP update service being created. It looks like the update service keeps trying to start but never succeeds. Then eventually it just fails. I have errors in the logs but I'm not sure what the cause is:
MsiAMD64 = 6 Property(S): Msix64 = 6 Property(S): Intel = 6 Property(S): PhysicalMemory = 8192 Property(S): VirtualMemory = 4026 Property(S): AdminUser = 1 Property(S): MsiTrueAdminUser = 1 Property(S): LogonUser = v-<name>.admin Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-136610 Property(S): UserLanguageID = 1033 Property(S): ComputerName = AZVDS01 Property(S): SystemLanguageID = 1033 Property(S): ScreenX = 1024 Property(S): ScreenY = 768 Property(S): CaptionHeight = 23 Property(S): BorderTop = 1 Property(S): BorderSide = 1 Property(S): TextHeight = 16 Property(S): TextInternalLeading = 3 Property(S): ColorBits = 32 Property(S): TTCSupport = 1 Property(S): Time = 16:00:09 Property(S): Date = 10/10/2024 Property(S): MsiNetAssemblySupport = 4.8.3761.0 Property(S): MsiWin32AssemblySupport = 6.3.14393.5786 Property(S): RedirectedDllSupport = 2 Property(S): MsiRunningElevated = 1 Property(S): Privileged = 1 Property(S): DATABASE = C:\windows\Installer\69b9569f.msi Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi Property(S): UILevel = 2 Property(S): MsiUISourceResOnly = 1 Property(S): ACTION = INSTALL Property(S): ROOTDRIVE = C:\ Property(S): CostingComplete = 1 Property(S): OutOfDiskSpace = 0 Property(S): OutOfNoRbDiskSpace = 0 Property(S): PrimaryVolumeSpaceAvailable = 0 Property(S): PrimaryVolumeSpaceRequired = 0 Property(S): PrimaryVolumeSpaceRemaining = 0 Property(S): INSTALLLEVEL = 1 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 1708 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 MSI (s) (D8:B8) [16:00:09:655]: Product: Azure Advanced Threat 
Protection Sensor -- Installation failed. MSI (s) (D8:B8) [16:00:09:655]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.240.18288.55492. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603. MSI (s) (D8:B8) [16:00:09:670]: Deferring clean up of packages/files, if any exist MSI (s) (D8:B8) [16:00:09:670]: MainEngineThread is returning 1603 MSI (s) (D8:54) [16:00:09:686]: RESTART MANAGER: Session closed. MSI (s) (D8:54) [16:00:09:686]: No System Restore sequence number for this installation. === Logging stopped: 10/10/2024 16:00:09 === MSI (s) (D8:54) [16:00:09:717]: User policy value 'DisableRollback' is 0 MSI (s) (D8:54) [16:00:09:717]: Machine policy value 'DisableRollback' is 0 MSI (s) (D8:54) [16:00:09:717]: Incrementing counter to disable shutdown. Counter after increment: 0 MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:54) [16:00:09:717]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1 MSI (s) (D8:54) [16:00:09:717]: Destroying RemoteAPI object. MSI (s) (D8:80) [16:00:09:717]: Custom Action Manager thread ending. MSI (c) (20:F4) [16:00:09:733]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1 MSI (c) (20:F4) [16:00:09:733]: MainEngineThread is returning 1603 === Verbose logging stopped: 10/10/2024 16:00:09 ===ryan666Oct 10, 2024Copper Contributor2.3KViews0likes23CommentsATP Legacy portal to defeder > missing events in timeline
Hello everyone, after the old ATP portal has been closed and redirected to the Defender portal, I can't find the changes that have been made on users or computers. For example: I was able to see, on an identity, who added it to a group, removed it from a group and made other changes to attributes; in the Azure timeline I see only activities related to security incidents/alerts. Where do I find that information now? Thanks CC
Solved | erregei | Mar 07, 2023 | Copper Contributor | 7.1K Views | 0 likes | 23 Comments
MDI Roles/Permissions - where art thou now?
It used to be simple. In ATP (now MDI), there used to be 3 groups used for administration/viewing (Azure ATP [workspace] Admin, Azure ATP [workspace] Users and Azure ATP [workspace] Viewers). Having gone round and round in https://learn.microsoft.com/en-us/defender-for-identity/role-groups, I am now lost on whether this is still the case, as I have recently heard a few of my MDI "admins" (with the ATP User group) can no longer manage alerts. They used to be able to, and now it is greyed out, and if you hover over the button it says "You don't have permissions to perform this action". Has RBAC gone up the wazzoo since the forced transition to the new portal? There is no menu/config for Identity permissions... so I don't even know where those groups are shown any more. Anyone know?
StuartH . | Jul 24, 2023 | Brass Contributor | 3.8K Views | 1 like | 20 Comments
Directory Services Advanced Auditing is not enabled
I have received this alert recently and have tried everything to enable auditing per the recommendation found here: https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#configure-audit-policies The errors are getting into the security logs, but MS Defender for Identity continues to say there is a health issue. Any ideas?
MeatHeadPro | Jan 20, 2023 | Copper Contributor | 20K Views | 0 likes | 20 Comments
Npcap keeps updating and crashing the Sensors
Since last week, I keep having an issue where Npcap updates to a newer version than 1.0 and then sensors no longer work. I have uninstalled and reinstalled everything, but an autoupdate hits somehow a few hours later and crashes everything. Anyone else seeing this?
Solved | kmcdermott | Oct 25, 2022 | Copper Contributor | 5.8K Views | 0 likes | 19 Comments
Installing ATP Sensor on DC 2019 gives an 0x800070643
I have 2 DC Server 2019. 1 DC installed fine, the other gives an error on installation: 0x80070643. No proxy, no core. Fully patched.
Solved | Jean-Philippe Breton | Mar 24, 2021 | Iron Contributor | 28K Views | 0 likes | 19 Comments
Tags
- Sensor (48 Topics)
- microsoft 365 defender (43 Topics)
- identity protection (36 Topics)
- alerts (17 Topics)
- security posture (17 Topics)
- logging (13 Topics)
- azure active directory (11 Topics)
- updates (10 Topics)
- requirements (8 Topics)
- Investigations (8 Topics)