Latest Discussions
ATP sensor install fails 0x80070643
I am trying to install the ATP sensor on all DCs, Federation, CS, and Entra Sync servers. All is well on about 70% of them. However, I get this failure on many. During installation, I can see both the ATP service and the ATP update service being created. It looks like the update service keeps trying to start but never succeeds. Then eventually it just fails. I have errors in the logs but I'm not sure what the cause is:

=== Verbose logging started: 10/10/2024 15:54:25 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Users\v-<name>.admin\AppData\Local\Temp\11\{1F707719-5FF8-471B-A9EC-2BDB54E2DEC5}\.be\Azure ATP Sensor Setup.exe ===
MSI (c) (20:F4) [15:54:25:457]: Resetting cached policy values
MSI (c) (20:F4) [15:54:25:457]: Machine policy value 'Debug' is 0
MSI (c) (20:F4) [15:54:25:457]: ******* RunEngine: ******* Product: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi ******* Action: ******* CommandLine: **********
MSI (c) (20:F4) [15:54:25:457]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (20:F4) [15:54:25:457]: Grabbed execution mutex.
MSI (c) (20:F4) [15:54:25:764]: Cloaking enabled.
MSI (c) (20:F4) [15:54:25:764]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (20:F4) [15:54:25:764]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (D8:54) [15:54:25:811]: Running installation inside multi-package transaction C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi
MSI (s) (D8:54) [15:54:25:811]: Grabbed execution mutex.
MSI (s) (D8:B8) [15:54:25:827]: Resetting cached policy values
MSI (s) (D8:B8) [15:54:25:827]: Machine policy value 'Debug' is 0
MSI (s) (D8:B8) [15:54:25:827]: ******* RunEngine: ******* Product: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi ******* Action: ******* CommandLine: **********
MSI (s) (D8:B8) [15:54:25:842]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (D8:B8) [15:54:25:875]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (D8:B8) [15:54:25:875]: SRSetRestorePoint skipped for this transaction.
MSI (s) (D8:B8) [15:54:25:890]: File will have security applied from OpCode.
MSI (s) (D8:B8) [15:54:26:031]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi' against software restriction policy
MSI (s) (D8:B8) [15:54:26:047]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi has a digital signature
MSI (s) (D8:B8) [15:54:26:314]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (D8:B8) [15:54:26:314]: MSCOREE not loaded loading copy from system32
MSI (s) (D8:B8) [15:54:26:360]: End dialog not enabled
MSI (s) (D8:B8) [15:54:26:360]: Original package ==> C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi
MSI (s) (D8:B8) [15:54:26:360]: Package we're running from ==> C:\windows\Installer\69b9569f.msi
MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: looking for appcompat database entry with ProductCode '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'.
MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (D8:B8) [15:54:26:376]: Machine policy value 'TransformsSecure' is 1
MSI (s) (D8:B8) [15:54:26:376]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisablePatch' is 0
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (D8:B8) [15:54:26:392]: APPCOMPAT: looking for appcompat database entry with ProductCode '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'.
MSI (s) (D8:B8) [15:54:26:392]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (D8:B8) [15:54:26:392]: Transforms are not secure.
MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2205 2: 3: Control
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\v-<name>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241010155357_000_MsiPackage.log'.
MSI (s) (D8:B8) [15:54:26:392]: Command Line: ARPSYSTEMCOMPONENT=1 MSIFASTINSTALL=7 ACCESSKEY=********** DelayedUpdate= InstallationPath=C:\Program Files\Azure Advanced Threat Protection Sensor InstalledVersion= LogsPath= PROXYCONFIGURATION=********** WixBundleOriginalSourceFolder=C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\ REBOOT=ReallySuppress CURRENTDIRECTORY=C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6) CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=1824
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{8C836763-469E-4773-93EC-0FA1DC250242}'.
MSI (s) (D8:B8) [15:54:26:392]: Product Code passed to Engine.Initialize: ''
MSI (s) (D8:B8) [15:54:26:392]: Product Code from property table before transforms: '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'
MSI (s) (D8:B8) [15:54:26:392]: Product Code from property table after transforms: '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'
MSI (s) (D8:B8) [15:54:26:392]: Product not registered: beginning first-time install
MSI (s) (D8:B8) [15:54:26:392]: Product {3725E0BC-A942-4D76-A0AC-0BF7197CCD26} is not managed.
MSI (s) (D8:B8) [15:54:26:392]: MSI_LUA: Credential prompt not required, user is an admin
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (D8:B8) [15:54:26:392]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (D8:B8) [15:54:26:392]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (D8:B8) [15:54:26:392]: Adding new sources is allowed.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:392]: Package name extracted from package path: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (D8:B8) [15:54:26:392]: Package to be registered: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2205 2: 3: Error
MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableMsi' is 1
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (D8:B8) [15:54:26:392]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (D8:B8) [15:54:26:392]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (D8:B8) [15:54:26:392]: Running product '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}' with elevated privileges: Product is assigned.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ARPSYSTEMCOMPONENT property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MSIFASTINSTALL property. Its value is '7'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ACCESSKEY property. Its value is '**********'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding INSTALLATIONPATH property. Its value is 'C:\Program Files\Azure Advanced Threat Protection Sensor'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding WIXBUNDLEORIGINALSOURCEFOLDER property. Its value is 'C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '1824'.
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is '5d021cc0366c544297f2faf55cf5a598'.
MSI (s) (D8:B8) [15:54:26:407]: RESTART MANAGER: Session opened.
MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:407]: TRANSFORMS property is now:
MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '500'.
MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming
MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Favorites
MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Documents
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Recent
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\SendTo
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Templates
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Local
MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Pictures
MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (s) (D8:B8) [15:54:26:485]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (D8:B8) [15:54:26:485]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Desktop
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\windows\Fonts
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (D8:B8) [15:54:26:517]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\windows\Installer\69b9569f.msi'.
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi'.
MSI (s) (D8:B8) [15:54:26:517]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (s) (D8:B8) [15:54:26:517]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
MSI (s) (D8:B8) [15:54:26:517]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (D8:B8) [15:54:26:517]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:B8) [15:54:26:517]: User policy value 'DisableRollback' is 0
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'.
=== Logging started: 10/10/2024 15:54:26 ===
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (D8:B8) [15:54:26:517]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (s) (D8:B8) [15:54:26:532]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (D8:B8) [15:54:26:532]: Doing action: INSTALL
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action start 15:54:26: INSTALL.
MSI (s) (D8:B8) [15:54:26:532]: Running ExecuteSequence
MSI (s) (D8:B8) [15:54:26:532]: Doing action: FindRelatedProducts
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action start 15:54:26: FindRelatedProducts.
MSI (s) (D8:B8) [15:54:26:532]: Doing action: LaunchConditions
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: FindRelatedProducts. Return value 1.
Action start 15:54:26: LaunchConditions.
MSI (s) (D8:B8) [15:54:26:532]: Doing action: ValidateProductID
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: LaunchConditions. Return value 1.
Action start 15:54:26: ValidateProductID.
MSI (s) (D8:B8) [15:54:26:532]: Doing action: CostInitialize
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: ValidateProductID. Return value 1.
MSI (s) (D8:B8) [15:54:26:548]: Machine policy value 'MaxPatchCacheSize' is 10
MSI (s) (D8:B8) [15:54:26:548]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.
MSI (s) (D8:B8) [15:54:26:548]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: Patch
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: __MsiPatchFileList
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: Patch
Action start 15:54:26: CostInitialize.
MSI (s) (D8:B8) [15:54:26:548]: Doing action: FileCost
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: CostInitialize. Return value 1.
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: MsiAssembly
Action start 15:54:26: FileCost.
MSI (s) (D8:B8) [15:54:26:564]: Doing action: CostFinalize
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: FileCost. Return value 1.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Patch
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Condition
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.
MSI (s) (D8:B8) [15:54:26:564]: Target path resolution complete. Dumping Directory table...
MSI (s) (D8:B8) [15:54:26:564]: Note: target paths subject to change (via custom actions or browsing)
MSI (s) (D8:B8) [15:54:26:564]: Dir (target): Key: TARGETDIR , Object: C:\
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: MsiAssembly
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2228 2: 3: MsiAssembly 4: SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`, `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ?
Action start 15:54:26: CostFinalize.
MSI (s) (D8:B8) [15:54:26:564]: Doing action: MigrateFeatureStates
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: CostFinalize. Return value 1.
Action start 15:54:26: MigrateFeatureStates.
MSI (s) (D8:B8) [15:54:26:564]: Doing action: InstallValidate
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: MigrateFeatureStates. Return value 0.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is '5d021cc0366c544297f2faf55cf5a598'.
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Dialog
MSI (s) (D8:B8) [15:54:26:564]: Feature: ProductFeature; Installed: Absent; Request: Local; Action: Local
MSI (s) (D8:B8) [15:54:26:564]: Component: ProductComponent; Installed: Absent; Request: Local; Action: Local
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Registry
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: BindImage
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ProgId
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Extension
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Font
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Class
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Icon
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: TypeLib
Action start 15:54:26: InstallValidate.
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: _RemoveFilePath
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (D8:B8) [15:54:26:579]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Registry
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: BindImage
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: ProgId
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Extension
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Font
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Class
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Icon
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: TypeLib
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2727 2:
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: FilesInUse
MSI (s) (D8:B8) [15:54:26:595]: Note: 1: 2727 2:
MSI (s) (D8:B8) [15:54:26:689]: Doing action: InstallInitialize
MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: InstallValidate. Return value 1.
MSI (s) (D8:B8) [15:54:26:689]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (D8:B8) [15:54:26:689]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (D8:B8) [15:54:26:689]: BeginTransaction: Locking Server
MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (D8:B8) [15:54:26:689]: SRSetRestorePoint skipped for this transaction.
MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (D8:B8) [15:54:26:689]: Server not locked: locking for product {3725E0BC-A942-4D76-A0AC-0BF7197CCD26}
Action start 15:54:26: InstallInitialize.
MSI (s) (D8:B8) [15:54:26:736]: Doing action: InstallCustomAction
MSI (s) (D8:B8) [15:54:26:736]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: InstallInitialize. Return value 1.
MSI (s) (D8:40) [15:54:26:908]: Invoking remote custom action. DLL: C:\windows\Installer\MSI59EB.tmp, Entrypoint: Install
MSI (s) (D8:80) [15:54:26:970]: Generating random cookie.
MSI (s) (D8:80) [15:54:26:986]: Created Custom Action Server with PID 12308 (0x3014).
MSI (s) (D8:74) [15:54:27:227]: Running as a service.
MSI (s) (D8:74) [15:54:27:253]: Hello, I'm your 64bit Impersonated custom action server.
Action start 15:54:26: InstallCustomAction.
SFXCA: Extracting custom action to temporary directory: C:\windows\Installer\MSI59EB.tmp-\
SFXCA: Binding to CLR version v4.0.30319
Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Install
2024-10-10 19:54:38.1970 Debug CustomActions RunActionGroup InstallActionGroup started
2024-10-10 19:54:38.2264 Debug InstallActionGroup Apply started
2024-10-10 19:54:38.2264 Debug CreateDirectoryDeploymentAction Apply started [suppressFailure=False]
2024-10-10 19:54:38.2420 Debug CreateDirectoryDeploymentAction Apply finished
2024-10-10 19:54:38.2420 Debug DownloadMinorDeploymentPackageBytesAction Apply started [suppressFailure=False]
2024-10-10 19:54:41.9326 Debug DownloadMinorDeploymentPackageBytesAction Apply finished
2024-10-10 19:54:41.9482 Debug UnpackDeploymentPackageBytesAction Apply started [suppressFailure=False]
2024-10-10 19:54:47.8276 Debug UnpackDeploymentPackageBytesAction Apply finished
2024-10-10 19:54:47.8427 Debug RunDeployerMajorDeploymentAction Apply started [suppressFailure=False]
2024-10-10 19:54:47.8896 Info RunDeployerMajorDeploymentAction ApplyInternal started [filePath=iK1cVt1Xc4vGwiroM2VEUg== _arguments=T4sYPoIz64FeLb4UnM4vNA==]
2024-10-10 20:00:08.9110 Info RunDeployerMajorDeploymentAction ApplyInternal finished [isSuccessful=False]
2024-10-10 20:00:08.9735 Debug InstallActionGroup Revert started
2024-10-10 20:00:08.9735 Warn InstallActionGroup Revert reverting [rollbackAction=UnpackDeploymentPackageBytesAction index=0 count=3]
2024-10-10 20:00:08.9891 Debug UnpackDeploymentPackageBytesAction Revert started
2024-10-10 20:00:09.1298 Debug UnpackDeploymentPackageBytesAction Revert finished
2024-10-10 20:00:09.1454 Warn InstallActionGroup Revert reverting [rollbackAction=DownloadMinorDeploymentPackageBytesAction index=1 count=3]
2024-10-10 20:00:09.1621 Debug DownloadMinorDeploymentPackageBytesAction Revert started
2024-10-10 20:00:09.1621 Debug DownloadMinorDeploymentPackageBytesAction Revert finished
2024-10-10 20:00:09.1766 Warn InstallActionGroup Revert reverting [rollbackAction=CreateDirectoryDeploymentAction index=2 count=3]
2024-10-10 20:00:09.1766 Debug CreateDirectoryDeploymentAction Revert started
2024-10-10 20:00:09.1766 Debug CreateDirectoryDeploymentAction Revert finished
2024-10-10 20:00:09.2079 Debug InstallActionGroup Revert finished
2024-10-10 20:00:09.2512 Error DeploymentAction Failed to apply InstallActionGroup Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction]
   at Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(Boolean suppressFailure)
   at Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(Boolean suppressFailure)
   at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.RunActionGroup(DeploymentActionGroup deploymentActionGroup, Session session)
2024-10-10 20:00:09.2572 Debug CustomActions RunActionGroup InstallActionGroup finished [result=Failure]
CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (D8:B8) [16:00:09:586]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
Action ended 16:00:09: InstallCustomAction. Return value 3.
MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D8:B8) [16:00:09:586]: No System Restore sequence number for this installation.
MSI (s) (D8:B8) [16:00:09:586]: Unlocking Server
Action ended 16:00:09: INSTALL. Return value 3.
Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2}
Property(S): TARGETDIR = C:\
Property(S): ALLUSERS = 1
Property(S): Manufacturer = Microsoft Corporation
Property(S): ProductCode = {3725E0BC-A942-4D76-A0AC-0BF7197CCD26}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Azure Advanced Threat Protection Sensor
Property(S): ProductVersion = 2.240.18288.55492
Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED
Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION
Property(S): MsiLogFileLocation = C:\Users\v-<name>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241010155357_000_MsiPackage.log
Property(S): PackageCode = {8C836763-469E-4773-93EC-0FA1DC250242}
Property(S): ProductState = -1
Property(S): PackagecodeChanging = 1
Property(S): ARPSYSTEMCOMPONENT = 1
Property(S): MSIFASTINSTALL = 7
Property(S): ACCESSKEY = **********
Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor
Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\
Property(S): REBOOT = ReallySuppress
Property(S): CURRENTDIRECTORY = C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)
Property(S): CLIENTUILEVEL = 3
Property(S): MSICLIENTUSESEXTERNALUI = 1
Property(S): CLIENTPROCESSID = 1824
Property(S): MsiSystemRebootPending = 1
Property(S): VersionDatabase = 500
Property(S): VersionMsi = 5.00
Property(S): VersionNT = 603
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 3
Property(S): MsiNTSuiteDataCenter = 1
Property(S): WindowsFolder = C:\windows\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\windows\system32\
Property(S): SystemFolder = C:\windows\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\v-<name>.admin\AppData\Local\Temp\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\v-<name>.admin\AppData\Roaming\
Property(S): FavoritesFolder = C:\Users\v-<name>.admin\Favorites\
Property(S): NetHoodFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\v-<name>.admin\Documents\
Property(S): PrintHoodFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\v-<name>.admin\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\v-<name>.admin\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\windows\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 8192
Property(S): VirtualMemory = 4026
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser = v-<name>.admin
Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-136610
Property(S): UserLanguageID = 1033
Property(S): ComputerName = AZVDS01
Property(S): SystemLanguageID = 1033
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 23
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 16:00:09
Property(S): Date = 10/10/2024
Property(S): MsiNetAssemblySupport = 4.8.3761.0
Property(S): MsiWin32AssemblySupport = 6.3.14393.5786
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): Privileged = 1
Property(S): DATABASE = C:\windows\Installer\69b9569f.msi
Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi
Property(S): UILevel = 2
Property(S): MsiUISourceResOnly = 1
Property(S): ACTION = INSTALL
Property(S): ROOTDRIVE = C:\
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): INSTALLLEVEL = 1
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 1708
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (D8:B8) [16:00:09:655]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.
MSI (s) (D8:B8) [16:00:09:655]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.240.18288.55492. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
MSI (s) (D8:B8) [16:00:09:670]: Deferring clean up of packages/files, if any exist
MSI (s) (D8:B8) [16:00:09:670]: MainEngineThread is returning 1603
MSI (s) (D8:54) [16:00:09:686]: RESTART MANAGER: Session closed.
MSI (s) (D8:54) [16:00:09:686]: No System Restore sequence number for this installation.
=== Logging stopped: 10/10/2024 16:00:09 ===
MSI (s) (D8:54) [16:00:09:717]: User policy value 'DisableRollback' is 0
MSI (s) (D8:54) [16:00:09:717]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:54) [16:00:09:717]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D8:54) [16:00:09:717]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (D8:54) [16:00:09:717]: Destroying RemoteAPI object.
MSI (s) (D8:80) [16:00:09:717]: Custom Action Manager thread ending.
MSI (c) (20:F4) [16:00:09:733]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (20:F4) [16:00:09:733]: MainEngineThread is returning 1603
=== Verbose logging stopped: 10/10/2024 16:00:09 ===

ryan666 | Nov 08, 2024 | Copper Contributor | 623 Views | 0 likes | 19 Comments

Secure Score "this account is sensitive and cannot be delegated"
Hi, in Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'", in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?
starman2heven, Nov 06, 2024, Brass Contributor. 811 Views, 0 likes, 14 Comments

App secret (application secret) Azure AD - Azure AD App Secrets
Hello everyone. Please, I want to know what a "Secret App" is. By default, what is the app secret lifetime? What is the lifespan of an App Secret? Is it recommended to use short-lived app secrets or certificate authentication? How do you find secret apps? Is there a scanner to find Secret Apps?
Solved. ayoub92635, Nov 03, 2024, Copper Contributor. 131K Views, 0 likes, 11 Comments

Trying to work out if Defender for Identity Default Ruleset would alert on specific Win Event IDs
I'm working in CTI and I'm trying to work out if Defender for Identity alerts on all the common attack types towards AD. I have correlated all the relevant Windows event IDs that are required to be monitored. I'm trying to work out if Defender for Identity can capture all these types based on this. For example:

Event ID: 4738, 5136
Source: Domain Controllers
Description: These events are generated when a user account is changed. Malicious actors can modify user objects and add a SPN so they can retrieve their Kerberos service ticket. Once the Kerberos service ticket has been retrieved, the user object is modified again and the SPN removed.
Would this be spotted and alerted by Defender for ID?

Event ID: 4769
Source: Domain Controllers
Description: This event is generated when a TGS ticket is requested. When malicious actors execute Kerberoasting, event 4769 is generated for each TGS ticket that is requested for a user object. Malicious actors commonly try to retrieve TGS tickets with Rivest Cipher 4 (RC4) encryption as these tickets are easier to crack to reveal their cleartext password. If a TGS is requested with RC4 encryption, then the Ticket Encryption type contains the value ‘0x17’ for event 4769. As this encryption type is less frequently used, there should be fewer instances of event 4769 with RC4 encryption, making it easier to identify potential Kerberoasting activity. Common offensive security tools used by malicious actors to perform Kerberoasting will set the Ticket Options value to ‘0x40800000’ or ‘0x40810000’. These values determine the capabilities of the TGS ticket and how it can be used by malicious actors. As these Ticket Options values are commonly used by offensive security tools to perform Kerberoasting, they can be used to identify Kerberoasting activity.
Would this be spotted and alerted by Defender for ID?
Nyxxx, Nov 02, 2024, Copper Contributor. 193 Views, 0 likes, 2 Comments

MDI sensor best recommendations
I am in the middle of setting up MDI in my environment. I have one Server 2019 and five additional domain controllers running unsupported versions like 2012 R2. My question is: I have already installed the MDI sensor on the 2019 DC. Will my environment benefit from MDI protection? Please share your best recommendations. Additionally, I am using the local system account as my action account instead of GMSA, as Microsoft states it’s optional. Is there a way to configure remediation actions manually, or are they automated?
Kailashj, Nov 02, 2024, Copper Contributor. 300 Views, 0 likes, 2 Comments

Sensor service keeps restarting (after auto upgrade)
Hi all, I've installed multiple Azure ATP Sensor Setup yesterday on Windows 2019 and 2022 servers. But one is failing to report in the console today. I've checked the system and the AATPSensor service is always in the starting / stopped / starting state. The Tri.Sensor-Errors.log shows this: 2024-02-08 13:35:20.1835 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown. at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity) at object Microsoft.Win32.RegistryKey.GetValue(string name) at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item) at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item) at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable() at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category) at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category) at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName) at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager) at object lambda_method(Closure, object[]) at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate() at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes) at new Microsoft.Tri.Sensor.SensorModuleManager() at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager() at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync() at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args) 2024-02-08 13:35:29.0122 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown. 
at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity) at object Microsoft.Win32.RegistryKey.GetValue(string name) at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item) at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item) at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable() at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category) at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category) at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName) at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager) at object lambda_method(Closure, object[]) at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate() at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes) at new Microsoft.Tri.Sensor.SensorModuleManager() at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager() at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync() at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args) 2024-02-08 13:35:37.9346 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown. I've tried rebooting the server, but that didn't fix the problem. Then I removed the installation, and reinstalled the sensor. That didn't help, either. Looks like there was an update installed after the initial setup yesterday, since there were two folders in C:\Program Files\Azure Advanced Threat Protection Sensor : 2.227.17547.62185 2.228.17612.22841 I also tried to solve the problem with a re-downloaded installer package from today (was a different size) but that didn't help. 
The version installed is the second one from above now. Any hints on the error message? Thanks in advance, Chris
ChrisVie, Oct 27, 2024, Copper Contributor. 1.4K Views, 0 likes, 7 Comments

Different DAS Accounts for SAM-R in a Tier model
My customer works with a local tier system:
Tier 0: DC Controller
Tier 1: RODC and Member Server
Tier 2: normal clients with Internet access
In order to make SAM-R queries, the GMSA account (Tier 0) must be stored in the GPO for all clients and servers, which represents a break in the Tier model.
Question: Can additional accounts be created and used explicitly for T1 and T2 by distributing different GPOs? If yes, how does Defender for Identity know which account is allowed to do what?
Steve89, Oct 27, 2024, Copper Contributor. 414 Views, 3 likes, 2 Comments

Secure Score - Accounts with non-default Primary Group ID failing to return exposed entities
When trying to complete this Secure Score item, on the "General" tab it states under "Users affected": "No data to show". Going to the "Exposed Entities" tab I get "Failed to load data, please try again later". This has been happening for a couple of days since I first looked at this item and I am not able to progress it. Please can you advise... Also, the help link on the "Implementation" tab sends you to the Defender home page, which isn't very helpful... this link is https://security.microsoft.com/%E2%80%AFhttps://go.microsoft.com/fwlink/?linkid=2283220
Thanks
shaun_russell, Oct 24, 2024, Copper Contributor. 329 Views, 0 likes, 5 Comments

Azure ATP Sensor Setup - service not starting - missing dependency
When installing Azure ATP Sensor Setup it just stalls midway and then rolls back the installation. I've looked into the logs and can see it's unable to start up the service AATPSensorUpdater. I did a dependency check and the WMI Performance Adapter (wmiApSrv) service is missing, which is a dependency. We have 3 domain controllers; the setup only completed on one (it also has the WMI Performance Adapter (wmiApSrv) service). My question is now: how do I get the WMI Performance Adapter (wmiApSrv) service on the other 2 domain controllers so I can complete the installation? We are running virtual servers with VMware (WS2019).
Marthin2770, Oct 22, 2024, Copper Contributor. 11K Views, 1 like, 18 Comments

Active Directory attributes reconnaissance using LDAP alert
Hi Team, I need to enable the alert "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" in MDI. How can I enable it? Please help me find where I can see the full alert list.
akshay25june, Oct 22, 2024, Copper Contributor. 309 Views, 0 likes, 1 Comment
Tags
- Sensor (44 Topics)
- Microsoft 365 Defender (40 Topics)
- Identity Protection (31 Topics)
- Alerts (15 Topics)
- security posture (15 Topics)
- logging (11 Topics)
- Azure Active Directory (10 Topics)
- Updates (9 Topics)
- Investigations (7 Topics)
- Requirements (6 Topics)