Recent Discussions
Secure Score "this account is sensitive and cannot be delegated"
Hi, in Microsoft Secure Score, when selecting the recommended action Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated" and in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?
994 Views, 0 likes, 21 Comments

Azure ATP Sensor install failing (Updater Service do not start)
Hello All! We try to install the Azure ATP Sensor on a DC, setup wizard is running until this point ...then does some retries for about 3 minutes, during this time the service "Azure Advanced Threat Protection Sensor Updater" is several times on state "starting" and back to not started. Then setup fails with 0x80070643 and does a rollback. In the "Microsoft.Tri.Sensor.Updater-Errors" log, we find this error every 10 seconds during the setup:

2019-12-23 11:27:37.8384 Error CommunicationWebClient+<SendWithRetryAsync>d__8`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestException
Message=7INzM3PVZQKggOiiHcWjqw==
StackTrace=
   at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
   at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
   at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebException
Message=5iiWw0iPCPzCGdZStU4OxA==
StackTrace=
   at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
   at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
InnerException=]]
   at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
   at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
   at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
   at async Task Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater.UpdateConfigurationAsync(bool isStarted)
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at new Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater(IConfigurationManager configurationManager, IMetricManager metricManager, ISecretManager secretManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

A proxy is used which allows access to *.atp.azure.com without auth. In proxy logs, we see no block for this server, only successful requests from this DC. There is no indication that 443 would be blocked somewhere else... The AD account which is configured in the ATP portal was checked, domain is given in FQDN there and the password is correct. Any ideas someone?
Solved, 34K Views, 0 likes, 36 Comments

Join us on December 3rd for our Post-Ignite Security Tech Community Live!
Ask us anything about simplified, end-to-end, AI-driven protection with Microsoft Security! Visit https://aka.ms/TCL/Security to see more details and view all the session pages! Catch up on the latest security product innovations at Microsoft Ignite, then join us to get answers to your questions. Engineering and product teams will be answering live, providing insights on camera and in chat. Post early, post often. We're here to help! The event will start at 7:00AM PST on December 3rd, see you there!

I'm in! How do I sign up?
There's no registration necessary. Just visit https://aka.ms/TCL/Security, then select Attend on the session pages that catch your eye. Each AMA page also features a helpful link to add that session to your calendar!

What if I can't attend live?
While this is a live event, all sessions will be recorded and available on demand after we conclude. Visit the session pages and post your questions in advance so you can get the answers you need.
31 Views, 0 likes, 0 Comments

RSS feeds to security blogs?
Hello, After the update of blogs here I no longer see any RSS feeds or links. Where can those RSS feeds be found now? It was the only newsfeed where blogs could be aggregated. Perhaps I'm just blind :) but I can't find the new RSS feeds. Thank you! Previously (before this week's update) the links to those RSS feeds were as follows:

https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSecurityandCompliance
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Identity
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=CoreInfrastructureandSecurityBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=AzureNetworkSecurityBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=IdentityStandards
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftThreatProtectionBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderCloudBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderATPBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderIoTBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=DefenderExternalAttackSurfaceMgmtBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Vulnerability-Management
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=DefenderThreatIntelligence
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSecurityExperts
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSentinelBlog
https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderforOffice365Blog
320 Views, 11 likes, 3 Comments

Today’s Fraud Protection Tech Community Live Event & Recording Link
Thank you very much to all who joined us at our Fraud Protection Tech Community Live event earlier today from 9am to 9:30am PST. We hope you found it to be useful and informative. For those who couldn't attend or if you’d like to revisit the session, don't worry! We've got you covered. You can catch up on everything by watching the event recording through the event page link below.

During the livestream, we delved into the new Dynamics 365 Fraud Protection (DFP) Support Model and discussed how customers can effectively leverage our Customer Service and Support. Additionally, we highlighted the benefits of our newly launched Fraud Protection discussion forum in the Security, Compliance, and Identity HUB. We also provided a demo on how to best utilize and engage within the Microsoft Tech Community.

You can find the link to the TCL event page with the recording here: Fraud Protection Tech Community Live! | Microsoft Community Hub

Thank you for your time and for being part of this community. We look forward to seeing you at our next event!

Best wishes,
The DFP Product Team
16 Views, 0 likes, 0 Comments

Defender for identity updated itself, now it won't start
I had defender for identity 2.240.18218.5822 working on my DCs for several weeks. Then on September 24th 2024, the ATP sensors auto-updated themselves to 2.240.18224.34815. Now about half of them won't start anymore and logs are no longer being produced in the Logs folders:

No new logs produced in: C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18218.5822\Logs
No Logs folder exists in: C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815

This is the error when the service tries to start. In the event log:

The Azure Advanced Threat Protection Sensor Updater service terminated unexpectedly. It has done this 303511 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

I tried manually uninstalling and reinstalling on some of the servers but this has not worked.
49 Views, 0 likes, 5 Comments

Monitor logical disk space through Intune
Hi All, We have a requirement to monitor low disk space, particularly on devices with less than 1GB of available space. We were considering creating a custom compliance policy, but this would lead to blocking access to company resources as soon as the device becomes non-compliant. Therefore, we were wondering if there are any other automated methods we could use to monitor the logical disk space (primarily the C drive) using Intune or Microsoft Graph. Thanks in advance, Dilan
14 Views, 0 likes, 0 Comments

Assign Microsoft Defender for Endpoint Server
Hi Everyone, We are considering purchasing Microsoft Defender for Endpoint Server on our server, but I know that these licenses should be assigned, but I am not sure why we should assign these to users and how we could configure these on the on-prem servers. Is there a specific guideline that we could follow in that regard? Thanks
52 Views, 0 likes, 7 Comments

ATP sensor install fails 0x80070643
I am trying to install ATP sensor to all DCS, Federations, CS, and EntraSync servers. All is well on about 70% of them. However I get this failure on many: During installation, I can see both the ATP service and the ATP update service being created. It looks like the update service keeps trying to start but never succeeds. Then eventually it just fails. I have errors in the logs but I'm not sure what the cause is:
= 3 Property(S): MsiNTSuiteDataCenter = 1 Property(S): WindowsFolder = C:\windows\ Property(S): WindowsVolume = C:\ Property(S): System64Folder = C:\windows\system32\ Property(S): SystemFolder = C:\windows\SysWOW64\ Property(S): RemoteAdminTS = 1 Property(S): TempFolder = C:\Users\v-<name>.admin\AppData\Local\Temp\ Property(S): ProgramFilesFolder = C:\Program Files (x86)\ Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\ Property(S): ProgramFiles64Folder = C:\Program Files\ Property(S): CommonFiles64Folder = C:\Program Files\Common Files\ Property(S): AppDataFolder = C:\Users\v-<name>.admin\AppData\Roaming\ Property(S): FavoritesFolder = C:\Users\v-<name>.admin\Favorites\ Property(S): NetHoodFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ Property(S): PersonalFolder = C:\Users\v-<name>.admin\Documents\ Property(S): PrintHoodFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ Property(S): RecentFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Recent\ Property(S): SendToFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\SendTo\ Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\ Property(S): CommonAppDataFolder = C:\ProgramData\ Property(S): LocalAppDataFolder = C:\Users\v-<name>.admin\AppData\Local\ Property(S): MyPicturesFolder = C:\Users\v-<name>.admin\Pictures\ Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\ Property(S): DesktopFolder = C:\Users\Public\Desktop\ Property(S): FontsFolder = C:\windows\Fonts\ Property(S): GPTSupport = 1 Property(S): OLEAdvtSupport = 1 Property(S): ShellAdvtSupport = 1 Property(S): 
MsiAMD64 = 6 Property(S): Msix64 = 6 Property(S): Intel = 6 Property(S): PhysicalMemory = 8192 Property(S): VirtualMemory = 4026 Property(S): AdminUser = 1 Property(S): MsiTrueAdminUser = 1 Property(S): LogonUser = v-<name>.admin Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-136610 Property(S): UserLanguageID = 1033 Property(S): ComputerName = AZVDS01 Property(S): SystemLanguageID = 1033 Property(S): ScreenX = 1024 Property(S): ScreenY = 768 Property(S): CaptionHeight = 23 Property(S): BorderTop = 1 Property(S): BorderSide = 1 Property(S): TextHeight = 16 Property(S): TextInternalLeading = 3 Property(S): ColorBits = 32 Property(S): TTCSupport = 1 Property(S): Time = 16:00:09 Property(S): Date = 10/10/2024 Property(S): MsiNetAssemblySupport = 4.8.3761.0 Property(S): MsiWin32AssemblySupport = 6.3.14393.5786 Property(S): RedirectedDllSupport = 2 Property(S): MsiRunningElevated = 1 Property(S): Privileged = 1 Property(S): DATABASE = C:\windows\Installer\69b9569f.msi Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi Property(S): UILevel = 2 Property(S): MsiUISourceResOnly = 1 Property(S): ACTION = INSTALL Property(S): ROOTDRIVE = C:\ Property(S): CostingComplete = 1 Property(S): OutOfDiskSpace = 0 Property(S): OutOfNoRbDiskSpace = 0 Property(S): PrimaryVolumeSpaceAvailable = 0 Property(S): PrimaryVolumeSpaceRequired = 0 Property(S): PrimaryVolumeSpaceRemaining = 0 Property(S): INSTALLLEVEL = 1 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 1708 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 MSI (s) (D8:B8) [16:00:09:655]: Product: Azure Advanced Threat 
Protection Sensor -- Installation failed. MSI (s) (D8:B8) [16:00:09:655]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.240.18288.55492. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603. MSI (s) (D8:B8) [16:00:09:670]: Deferring clean up of packages/files, if any exist MSI (s) (D8:B8) [16:00:09:670]: MainEngineThread is returning 1603 MSI (s) (D8:54) [16:00:09:686]: RESTART MANAGER: Session closed. MSI (s) (D8:54) [16:00:09:686]: No System Restore sequence number for this installation. === Logging stopped: 10/10/2024 16:00:09 === MSI (s) (D8:54) [16:00:09:717]: User policy value 'DisableRollback' is 0 MSI (s) (D8:54) [16:00:09:717]: Machine policy value 'DisableRollback' is 0 MSI (s) (D8:54) [16:00:09:717]: Incrementing counter to disable shutdown. Counter after increment: 0 MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:54) [16:00:09:717]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1 MSI (s) (D8:54) [16:00:09:717]: Destroying RemoteAPI object. MSI (s) (D8:80) [16:00:09:717]: Custom Action Manager thread ending. MSI (c) (20:F4) [16:00:09:733]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1 MSI (c) (20:F4) [16:00:09:733]: MainEngineThread is returning 1603 === Verbose logging stopped: 10/10/2024 16:00:09 ===688Views0likes23CommentsSensor service keeps restarting (after auto upgrade)
Hi all, I've installed multiple Azure ATP Sensor Setup yesterday on Windows 2019 and 2022 servers. But one is failing to report in the console today. I've checked the system and the AATPSensor service is always in the starting / stopped / starting state. The Tri.Sensor-Errors.log shows this:
2024-02-08 13:35:20.1835 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
   at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity)
   at object Microsoft.Win32.RegistryKey.GetValue(string name)
   at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item)
   at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item)
   at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category)
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2024-02-08 13:35:29.0122 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
   at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity)
   at object Microsoft.Win32.RegistryKey.GetValue(string name)
   at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item)
   at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item)
   at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category)
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2024-02-08 13:35:37.9346 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
I've tried rebooting the server, but that didn't fix the problem. Then I removed the installation, and reinstalled the sensor. That didn't help, either. Looks like there was an update installed after the initial setup yesterday, since there were two folders in C:\Program Files\Azure Advanced Threat Protection Sensor :
2.227.17547.62185
2.228.17612.22841
I also tried to solve the problem with a re-downloaded installer package from today (was a different size) but that didn't help. The version installed is the second one from above now. Any hints on the error message? Thanks in advance Chris
1.4K Views, 0 likes, 8 Comments
Get $25 USD for reviewing a Microsoft Security product on Gartner Peer Insights
We love hearing more about our customers’ experience with our products! We’re currently working on growing our product reviews of Microsoft Security products on Gartner Peer Insights. We would love for you to participate and share your thoughts, feedback, and experiences using Microsoft Security products to help others in their buying process. To provide feedback on the capabilities of the Microsoft Security products, please click on the link below. You will need to first log in to your Gartner Peer Insights account or take 30 seconds to create a free account. Once you have completed your review, GPI will prompt you to choose a gift card option. Gift cards are valued at $25 USD, and they are available in multiple currencies worldwide. As soon as your review is approved, the card will be made available to you digitally.
- Microsoft Defender for Endpoint
- Microsoft Defender Vulnerability Management
- Microsoft Sentinel
- Microsoft Entra ID Governance
- Microsoft Defender for Cloud
- Microsoft Defender for Cloud Apps
Each person is limited to one review per product on the above-mentioned site. Only Microsoft customers are eligible to participate. Microsoft partners and MVPs are not eligible. The offer is good only for those who submit a product review on Gartner Peer Insights as linked on this page. Any gift returned as non-deliverable will not be re-sent. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. The offer is non-transferable and cannot be combined with any other offer. This offer runs through June 30, 2025, or while supplies last, and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. This offer does not apply to customers in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and China.
Please see the below for more information:
- Microsoft Privacy Statement
- Gartner’s Community Guidelines & Gartner Peer Insights Review Guide
6.3K Views, 4 likes, 2 Comments
Reminder to join our Fraud Protection On-Camera AMA tomorrow at 9AM PST!
Learn more about improving your lines of defense with the Fraud Protection team! We will talk about some of the new assets that our customers can leverage, see some updates on the engagement model (Community Discussion Space, other ways to engage, etc.) and our experts are available to answer any other questions you might have! So tune in and get your fraud juices flowing. The event page is here to watch and ask questions: Fraud Protection Tech Community Live! | Microsoft Community Hub See you there!
6 Views, 1 like, 0 Comments
Additional commonly asked Q&A related to ‘Device Fingerprinting’ in DFP continued
We're excited to keep our weekly spotlight series going on various topics within our Microsoft Fraud Protection Tech Community to help you maximize the benefits of Microsoft Dynamics 365 Fraud Protection (DFP). This week, we're continuing our focus on commonly asked questions about DFP 'Device Fingerprinting' which you can check out the Q&A details here: If you have any questions, please feel free to reach out in the Fraud Protection Tech Community. Your feedback is incredibly valuable to us. Best wishes, DFP Product Team
------------------
1. Is device fingerprinting necessary?
For DFP to provide the most accurate scores, device fingerprinting is highly recommended as it provides hundreds of device attributes. These critical attributes are used by DFP's machine learning to constantly improve the accuracy of your system. For more information, see the DFP Documentation site: Overview of device fingerprinting - Dynamics 365 Fraud Protection | Microsoft Learn
2. What is DFP Device Fingerprinting and how does it work?
For a description of DFP Device Fingerprinting and how it works, please refer to the following DFP documentation: Overview of device fingerprinting - Dynamics 365 Fraud Protection | Microsoft Learn
3. What data is retained by DFP Device Fingerprinting and for how long?
The data collected by the device fingerprinting feature is stored in a Microsoft designated data center closest to the location of the transaction source for up to 28 days. The data could also be stored along with the transaction that was sent against this profiling session in the customer’s selected geography, if the customer has opted in to storing data with DFP. (Note – for legacy Purchase assessment, data storage is not optional)
4. How can I tell if device fingerprinting has stopped for some reason?
In Microsoft Dynamics 365 Fraud Protection, you can tell if device fingerprinting has stopped by monitoring the SSL certificate status and ensuring it is up to date. If the SSL certificate used for device fingerprinting is not renewed before its expiration date, device fingerprinting will stop collecting information. You should receive notifications regarding the SSL certificate for renewal status, as it is a critical component for the device fingerprinting service. Additionally, you can monitor the health and status of device fingerprinting through the Dynamics 365 Fraud Protection portal, which provides metrics that refresh near real-time. These monitors are designed to assist in detecting unusual transaction patterns or anomalies in observation events, such as fraud attacks and faulty rule releases.
References:
- Overview of device fingerprinting - Dynamics 365 Fraud Protection | Microsoft Learn
- Web setup of device fingerprinting - Dynamics 365 Fraud Protection | Microsoft Learn
- Monitoring - Dynamics 365 Fraud Protection | Microsoft Learn
5. Outline the device profiling capabilities you support, if any.
D365 Fraud Protection (DFP) supports probabilistic device identification, which involves returning an assigned device ID to the client along with device enrichment information.
6. What kind of device metadata can be gathered from the device being used?
Data categories collected for web include:
- UserAgent information
- Canvas/WebGL data
- HTTP data
- Within and across session anomaly information
- IP, network, VPN and geo intelligence
- TCP Signature
- SSL/TLS Signature
- Client hints
- Javascript collected information like OS, processor, screen resolution, round trip time, etc.
Data categories collected for iOS and Android include:
- Accelerometer and gyroscope data
- Location data
- Emulator and rooted information
- SIM card information
- Device specification data like advertising ID, screen size, total memory, screen refresh rate, build ID, etc.
- User preference data like is closed captioning enabled, is speak screen enabled, is haptic feedback enabled, etc.
For a full list of attributes we collect across web, Android, and iOS, see Attributes in device fingerprinting - Dynamics 365 Fraud Protection | Microsoft Learn.
7. How is the metadata evaluated to identify anomalies and create sticky identifiers for device recognition?
D365 Fraud Protection (DFP) enriches the attributes collected from the device and runs these attributes through an embedding model, creating a vector representation of a device that remains sticky over time. DFP then checks similarity to determine device ID assignment. With device vectors, we can consistently identify returning devices.
8. What kind of challenges (e.g., CAPTCHAs) are invoked if suspicious activity is detected?
D365 Fraud Protection (DFP) doesn't provide challenge capabilities in the product, however, clients can invoke different kinds of challenges that suit their own business needs (CAPTCHA, RECAPTCHA or MFA, for example), through a “challenge” decision based on the bot score rules they configure in our rule engine.
9. What if clients are using a device fingerprinting of their own and they would like to complement with MS DFP, could they use both?
Yes, they could use both services. The client can integrate with DFP and their other device fingerprinting and use the data from both on their end.
10. In the portal UX for classic PP, can attributes returned by device fingerprinting only be used in the "Post Risk Scoring" clause section?
No, you can reference @"deviceAttributes.trueIp" (for example; gets returned from Device Fingerprinting) in both types of rule clauses – Prior to Scoring, Post Risk Scoring – as this is different than generating a risk score.
9 Views, 0 likes, 0 Comments
Microsoft Security Product Reviews on TrustRadius: Give product feedback & get rewarded!
We love hearing more about our customers’ experience with our products! We’re currently working on growing our product reviews of Microsoft Security products on TrustRadius. We would love for you to participate and share your thoughts, feedback, and experiences using Microsoft Security products to help others in their buying process. To provide feedback on the capabilities of the Microsoft Security products, please click on the link below. You will need to first log in to your TrustRadius account or take 30 seconds to create a free account. Here are some Guidelines and Tips for Reviewers & About TrustRadius Reviews - Frequently Asked Questions. Once you have completed your review, you will receive a $25 USD (or local currency equivalent) digital gift card via email as a thank-you from TrustRadius for each in-depth review that you publish.
- Microsoft Entra ID
- Microsoft 365 Defender
- Microsoft Sentinel
- Microsoft Defender for Cloud
- Microsoft Defender for Endpoint
The offer is good only for those customers who submit a product review on the above-mentioned site. Limit one per person. The offer is non-transferable and cannot be combined with any other offer. This offer runs through December 31, 2023, or while supplies last, and is not redeemable for cash. Taxes, if any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. This offer does not apply to customers in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and China. Customers, Microsoft partners and MVPs are eligible to participate. Please see Microsoft Privacy Statement and TrustRadius Privacy Policy for more information.
3.5K Views, 4 likes, 4 Comments
Insider Builds
I have been an avid Microsoft user for many years with only a couple of small issues every now and again. The 6 weeks have been unbelievably stressful and disheartening. I thought trying samples of New Insider builds and enlisting in Azure for some up to date training for myself to help with what I wanted to roll out for my business. This has been the worst experience I have ever been a part of. I now have multiple computers and hardware in disarray but more importantly the loss of time and patience is paramount. I have come to realise the repetitive responses and requests for data collection on feedback or issues is one-sided. The amount of user data submissions is not the issue though. It is the assistance from Microsoft regarding issue via portals, help-desk etc. The inclusion of many backend functions for the purpose of better user experience is heavily flawed. Unless end-user inadvertently has or encounters issues in their OS life is good. Heavily automated program triggers sit through all OS builds for example.
One drive. Regardless whether this is declined or removed it will always be running in the background. If your system had been compromised this is a perfect place for root-kit or other Malware to spread.
Xcopy: A Microsoft background function which has the ability to clone and copy 99% of drivers of operating info structure. Can be controlled by ghost script directives or embedded dll to aid malware. Anti-virus or defender find difficulties identifying or distinguishing authentic and reproduced data. In time this type of incursion can mimic a vast amount of OS functionality.
Microsoft OS validity. I have trialled numerous builds with all sharing this characteristic. Invalid or expired software and driver certificates & TPM flaws even after a full clean reset and TPM turned off in bios. Inevitably this can introduce compromised software without end-user knowledge. The impact leads to unauthorised access in many elements of the OS platform especially data access and embedded .dll which can run inline or above elevated authorisation. A lot of this is undetectable. Once embedded in OS and bios this is impossible to clean without expert assistance and can be very costly.
For the most part the inclusion of new AI functionality across the OS platform is very welcomed. Unfortunately there are a large amount of bugs to be ironed out especially in the platform navigation. Advice provided via OS AI can be misleading or incorrect.
Microsoft account login error
Hello, I'm looking for a solution to my problem. I haven't been able to find one with hours of searching and troubleshooting. The error pops up after an attempt to sign into my account: "Something went wrong please try again later. 0x8007000e." If there's anyone that can help me solve this error please reply to my discussion.
260 Views, 2 likes, 2 Comments
My laptop has been blocked by BitLocker.
However, there are no BitLocker recovery keys on my Microsoft account. I have tried to call Microsoft support, but I only get bot messages that take me to sites that ask me to go and check my Microsoft account. Is there any way I can chat with a human that can actually help me how to get around this BitLocker? Thanks
Events
Have questions about how to best use Microsoft Security Copilot to respond to cyberthreats quickly and assess risk exposure in minutes? Ask Microsoft Anything! This session is your opportunity to get...
Tuesday, Dec 03, 2024, 07:00 AM PST, Online
0 likes, 16 Attendees, 0 Comments
Recent Blogs
- Discover how Microsoft Purview Insider Risk Management helps you safeguard your data in the AI era and empowers security operations centers to enhance incident investigations with comprehensive data ... (Nov 19, 2024; 75 Views, 0 likes, 0 Comments)
- Organizations face challenges with fragmented data security solutions and the amplified risks due to generative AI. We are now introducing Microsoft Purview Data Security Posture Management (DSPM) in... (Nov 19, 2024; 255 Views, 0 likes, 0 Comments)