Forum Discussion
PhilippFoeckeler
Dec 23, 2019 Copper Contributor
Azure ATP Sensor install failing (Updater Service does not start)
Hello all! We are trying to install the Azure ATP Sensor on a DC. The setup wizard runs until this point ... then does some retries for about 3 minutes; during this time the service "Azure Advanced T...
- Jun 15, 2020
Actually, the solution in our case was to use silent installation (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-silent-installation#proxy-authentication) and provide the proxy information on the command line.
Thank you all for helping and advising!!!
Nelson_Matembissa
Apr 11, 2024 Copper Contributor
After 5 hours of troubleshooting, we found a solution to our problem beyond the steps listed below. The solution involved removing the account (gMSA in our case) from the Directory Services accounts under security.microsoft.com > Settings > Identities > Directory Services accounts. Once we re-added the account, the sensor "service status" changed to "running" and the sensor status to "up to date."
Cause of the problem: The update from the Azure ATP Sensor likely went wrong.
Steps Taken:
1- Disabled Services: We disabled both the "Azure Advanced Threat Protection Sensor Updater" and "Azure Advanced Threat Protection Sensor" services.
2- Software Removal: We removed the Azure ATP sensor software from the affected Domain Controller (DC). We encountered difficulties during this process and had to use the Microsoft support article https://support.microsoft.com/en-gb/topic/fix-problems-that-block-programs-from-being-installed-or-removed-cca7d1b6-65a9-3d98-426b-e9f927e1eb4d to resolve them before running the uninstall program from Windows itself.
3- File Deletion: We deleted all files located in the "C:\Program Files\Azure Advanced Threat Protection Sensor" directory.
4- Service Removal (Command Prompt): As administrator, we ran the following commands in a command prompt window to remove the services:
sc delete AATPSensor
sc delete AATPSensorUpdater
5- Server Reboot: We rebooted the server.
6- Readiness Script: We ran the script provided by Microsoft https://github.com/microsoft/Microsoft-Defender-for-Identity (all checks resulted in "OK").
7- New Sensor Deployment: We returned to the Microsoft portal and added a new sensor. We ensured we used the same access key from the downloaded installer.
8- IPv4 TSO Offload: Since we were working with a virtual machine (VM), we disabled IPv4 TCP Segmentation Offloading (TSO) as recommended in the Microsoft documentation https://learn.microsoft.com/en-us/connectors/wdatp/.
9- gMSA Account Removal and Re-addition: We removed and then re-added the gMSA account under security.microsoft.com > Settings > Identities > Directory Services accounts.
Following these steps, everything functioned correctly, and the service was running.
Additional Tip: Don't overlook your log files! Check for relevant information in "C:\Program Files\Azure Advanced Threat Protection Sensor\VersionInUse\Logs"
I hope this helps someone else out!
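Added example, not part of the post above or of Microsoft's tooling: a PowerShell check to run after the cleanup (steps 3 to 5) and again after the reinstall (step 7), reporting service state, leftover files and recent error lines in the sensor logs. The service names and paths are the ones quoted in the post; the `$TailLines` and `$Pattern` defaults are assumptions chosen for illustration.

```powershell
# Added example: state check for the cleanup/reinstall steps described above.
# Run from an elevated PowerShell session on the affected DC.
param(
    [string]$InstallDir = 'C:\Program Files\Azure Advanced Threat Protection Sensor',
    [int]$TailLines = 200,                 # assumption: how much of each log to scan
    [string]$Pattern = 'Error|Exception'   # assumption: what counts as a problem line
)

$services = 'AATPSensor', 'AATPSensorUpdater'

# 1. Service state. After "sc delete" and a reboot both should be absent;
#    a service that was only marked for deletion still shows up here until
#    the reboot. After the reinstall both should be Running.
$report = foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Present   = [bool]$svc
        Status    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType = if ($svc) { $svc.StartType } else { $null }
    }
}
$report | Format-Table -AutoSize

# 2. Leftover files. Step 3 expects the install directory to be empty
#    before the new sensor is deployed.
if (Test-Path -LiteralPath $InstallDir) {
    $left = @(Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Force -ErrorAction SilentlyContinue)
    '{0}: {1} file(s) present' -f $InstallDir, $left.Count
} else {
    '{0}: not present' -f $InstallDir
}

# 3. Log triage. VersionInUse\Logs only exists while a sensor is installed.
$logDir = Join-Path $InstallDir 'VersionInUse\Logs'
if (Test-Path -LiteralPath $logDir) {
    Get-ChildItem -LiteralPath $logDir -Filter '*.log' -File | ForEach-Object {
        $file = $_
        # Show the last five matching lines per log file, prefixed with its name.
        Get-Content -LiteralPath $file.FullName -Tail $TailLines |
            Select-String -Pattern $Pattern |
            Select-Object -Last 5 |
            ForEach-Object { '{0}: {1}' -f $file.Name, $_.Line }
    }
} else {
    '{0}: no log directory (sensor not installed)' -f $logDir
}
```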
- GMela Nov 15, 2024 Iron Contributor
Thanks!!!!! That helps.