Latest Discussions
Secure Score "this account is sensitive and cannot be delegated"
Hi. In Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'", in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?

starman2heven | Nov 19, 2024 | Brass Contributor | 995 Views | 0 likes | 21 Comments

MDI for Certificate Services
There are very few articles, videos, or listed features for Microsoft Defender for Identity Certificate Services. We have installed the software on our Issuing CA but we are unable to see anything useful. Are we missing something?

NickHair | Nov 19, 2024 | Copper Contributor | 17 Views | 0 likes | 1 Comment

Azure ATP Sensor install failing (Updater Service does not start)
Hello All! We are trying to install the Azure ATP Sensor on a DC. The setup wizard runs until this point ... then does some retries for about 3 minutes; during this time the service "Azure Advanced Threat Protection Sensor Updater" goes several times to the state "starting" and back to not started. Then setup fails with 0x80070643 and does a rollback. In the "Microsoft.Tri.Sensor.Updater-Errors" log, we find this error every 10 seconds during the setup:

    2019-12-23 11:27:37.8384 Error CommunicationWebClient+<SendWithRetryAsync>d__8`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestException Message=7INzM3PVZQKggOiiHcWjqw== StackTrace=
       at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
       at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
       at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
    InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebException Message=5iiWw0iPCPzCGdZStU4OxA== StackTrace=
       at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
       at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
    InnerException=]]
       at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
       at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
       at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
       at async Task Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater.UpdateConfigurationAsync(bool isStarted)
       at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
       at new Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater(IConfigurationManager configurationManager, IMetricManager metricManager, ISecretManager secretManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
       at object lambda_method(Closure, object[])
       at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
       at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
       at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()
       at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
       at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
       at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

A proxy is used which allows access to *.atp.azure.com without auth. In the proxy logs, we see no block for this server, only successful requests from this DC. There is no indication that 443 would be blocked somewhere else... The AD account which is configured in the ATP portal was checked; the domain is given as FQDN there and the password is correct. Any ideas, someone?

Solved | PhilippFoeckeler | Nov 15, 2024 | Copper Contributor | 34K Views | 0 likes | 36 Comments

Defender for Identity updated itself, now it won't start
I had Defender for Identity 2.240.18218.5822 working on my DCs for several weeks. Then on September 24th 2024, the ATP sensors auto-updated themselves to 2.240.18224.34815. Now about half of them won't start anymore and logs are no longer being produced in the Logs folders:

    No new logs produced in: C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18218.5822\Logs
    No Logs folder exists in: C:\Program Files\Azure Advanced Threat Protection Sensor\2.240.18224.34815

This is the error when the service tries to start, in the event log:

    The Azure Advanced Threat Protection Sensor Updater service terminated unexpectedly. It has done this 303511 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

I tried manually uninstalling and reinstalling on some of the servers but this has not worked.

RyanP1895 | Nov 12, 2024 | Copper Contributor | 49 Views | 0 likes | 5 Comments

ATP sensor install fails 0x80070643
I am trying to install the ATP sensor on all DCs, Federation, CS, and Entra Sync servers. All is well on about 70% of them. However, I get this failure on many: During installation, I can see both the ATP service and the ATP update service being created. It looks like the update service keeps trying to start but never succeeds. Then eventually it just fails. I have errors in the logs but I'm not sure what the cause is:
MsiAMD64 = 6 Property(S): Msix64 = 6 Property(S): Intel = 6 Property(S): PhysicalMemory = 8192 Property(S): VirtualMemory = 4026 Property(S): AdminUser = 1 Property(S): MsiTrueAdminUser = 1 Property(S): LogonUser = v-<name>.admin Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-136610 Property(S): UserLanguageID = 1033 Property(S): ComputerName = AZVDS01 Property(S): SystemLanguageID = 1033 Property(S): ScreenX = 1024 Property(S): ScreenY = 768 Property(S): CaptionHeight = 23 Property(S): BorderTop = 1 Property(S): BorderSide = 1 Property(S): TextHeight = 16 Property(S): TextInternalLeading = 3 Property(S): ColorBits = 32 Property(S): TTCSupport = 1 Property(S): Time = 16:00:09 Property(S): Date = 10/10/2024 Property(S): MsiNetAssemblySupport = 4.8.3761.0 Property(S): MsiWin32AssemblySupport = 6.3.14393.5786 Property(S): RedirectedDllSupport = 2 Property(S): MsiRunningElevated = 1 Property(S): Privileged = 1 Property(S): DATABASE = C:\windows\Installer\69b9569f.msi Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi Property(S): UILevel = 2 Property(S): MsiUISourceResOnly = 1 Property(S): ACTION = INSTALL Property(S): ROOTDRIVE = C:\ Property(S): CostingComplete = 1 Property(S): OutOfDiskSpace = 0 Property(S): OutOfNoRbDiskSpace = 0 Property(S): PrimaryVolumeSpaceAvailable = 0 Property(S): PrimaryVolumeSpaceRequired = 0 Property(S): PrimaryVolumeSpaceRemaining = 0 Property(S): INSTALLLEVEL = 1 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 1708 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 MSI (s) (D8:B8) [16:00:09:655]: Product: Azure Advanced Threat 
Protection Sensor -- Installation failed. MSI (s) (D8:B8) [16:00:09:655]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.240.18288.55492. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603. MSI (s) (D8:B8) [16:00:09:670]: Deferring clean up of packages/files, if any exist MSI (s) (D8:B8) [16:00:09:670]: MainEngineThread is returning 1603 MSI (s) (D8:54) [16:00:09:686]: RESTART MANAGER: Session closed. MSI (s) (D8:54) [16:00:09:686]: No System Restore sequence number for this installation. === Logging stopped: 10/10/2024 16:00:09 === MSI (s) (D8:54) [16:00:09:717]: User policy value 'DisableRollback' is 0 MSI (s) (D8:54) [16:00:09:717]: Machine policy value 'DisableRollback' is 0 MSI (s) (D8:54) [16:00:09:717]: Incrementing counter to disable shutdown. Counter after increment: 0 MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:54) [16:00:09:717]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1 MSI (s) (D8:54) [16:00:09:717]: Destroying RemoteAPI object. MSI (s) (D8:80) [16:00:09:717]: Custom Action Manager thread ending. MSI (c) (20:F4) [16:00:09:733]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1 MSI (c) (20:F4) [16:00:09:733]: MainEngineThread is returning 1603 === Verbose logging stopped: 10/10/2024 16:00:09 ===ryan666Nov 12, 2024Copper Contributor689Views0likes23CommentsSensor service keeps restarting (after auto upgrade)
Hi all, I've installed multiple Azure ATP Sensor Setups yesterday on Windows 2019 and 2022 servers, but one is failing to report in the console today. I've checked the system and the AATPSensor service is always in the starting / stopped / starting state. The Tri.Sensor-Errors.log shows this:

2024-02-08 13:35:20.1835 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
   at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity)
   at object Microsoft.Win32.RegistryKey.GetValue(string name)
   at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item)
   at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item)
   at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category)
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2024-02-08 13:35:29.0122 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.
   at object Microsoft.Win32.RegistryKey.InternalGetValue(string name, object defaultValue, bool doNotExpand, bool checkSecurity)
   at object Microsoft.Win32.RegistryKey.GetValue(string name)
   at byte[] System.Diagnostics.PerformanceMonitor.GetData(string item)
   at byte[] System.Diagnostics.PerformanceCounterLib.GetPerformanceData(string item)
   at Hashtable System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string category)
   at CategorySample System.Diagnostics.PerformanceCounterLib.GetCategorySample(string machine, string category)
   at string[] System.Diagnostics.PerformanceCounterCategory.GetCounterInstances(string categoryName, string machineName)
   at new Microsoft.Tri.Infrastructure.MetricManager(IConfigurationManager configurationManager)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2024-02-08 13:35:37.9346 Error RegistryKey System.OutOfMemoryException: Exception of type 'System.OutOfMemoryException' was thrown.

I've tried rebooting the server, but that didn't fix the problem. Then I removed the installation and reinstalled the sensor. That didn't help either. It looks like there was an update installed after the initial setup yesterday, since there were two folders in C:\Program Files\Azure Advanced Threat Protection Sensor:

- 2.227.17547.62185
- 2.228.17612.22841

I also tried to solve the problem with a re-downloaded installer package from today (it was a different size), but that didn't help. The version installed is now the second one from above. Any hints on the error message? Thanks in advance, Chris

ChrisVie, Nov 12, 2024, Copper Contributor, 1.4K Views, 0 likes, 8 Comments

App secret (application secret) Azure AD - Azure AD App Secrets
Hello everyone, please, I want to know what a "Secret App" is. By default, what is the secret app lifetime? What is the lifespan of an App Secret? Is it recommended to use short-lived app secrets or certificate authentication? How do you find secret apps? Scanner to find Secret App?

Solved. ayoub92635, Nov 03, 2024, Copper Contributor, 132K Views, 0 likes, 11 Comments

Trying to work out if Defender for Identity Default Ruleset would alert on specific Win Event IDs
I'm working in CTI and I'm trying to work out if Defender for Identity alerts on all the common attack types towards AD. I have correlated all the relevant Windows event IDs that are required to be monitored. I'm trying to work out if Defender for Identity can capture all these types based on this? For example:

Event ID: 4738, 5136
Source: Domain Controllers
Description: These events are generated when a user account is changed. Malicious actors can modify user objects and add a SPN so they can retrieve their Kerberos service ticket. Once the Kerberos service ticket has been retrieved, the user object is modified again and the SPN removed.
Would this be spotted and alerted by Defender for ID?

Event ID: 4769
Source: Domain Controllers
Description: This event is generated when a TGS ticket is requested. When malicious actors execute Kerberoasting, event 4769 is generated for each TGS ticket that is requested for a user object. Malicious actors commonly try to retrieve TGS tickets with Rivest Cipher 4 (RC4) encryption, as these tickets are easier to crack to reveal their cleartext password. If a TGS is requested with RC4 encryption, then the Ticket Encryption type contains the value '0x17' for event 4769. As this encryption type is less frequently used, there should be fewer instances of event 4769 with RC4 encryption, making it easier to identify potential Kerberoasting activity. Common offensive security tools used by malicious actors to perform Kerberoasting will set the Ticket Options value to '0x40800000' or '0x40810000'. These values determine the capabilities of the TGS ticket and how it can be used by malicious actors. As these Ticket Options values are commonly used by offensive security tools to perform Kerberoasting, they can be used to identify Kerberoasting activity.
Would this be spotted and alerted by Defender for ID?

Nyxxx, Nov 02, 2024, Copper Contributor, 196 Views, 0 likes, 2 Comments