Azure ATP Sensor install failing (Updater Service do not start)
Hello All!
We are trying to install the Azure ATP Sensor on a DC; the setup wizard runs until this point
...then it retries for about 3 minutes, and during this time the service "Azure Advanced Threat Protection Sensor Updater" goes several times to the state "starting" and back to not started.
Then setup fails with 0x80070643 and does a rollback.
In the "Microsoft.Tri.Sensor.Updater-Errors" log, we find this error every 10 seconds during the setup:
2019-12-23 11:27:37.8384 Error CommunicationWebClient+<SendWithRetryAsync>d__8`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=5iiWw0iPCPzCGdZStU4OxA==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=]]
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request)
at async Task Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater.UpdateConfigurationAsync(bool isStarted)
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at new Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater(IConfigurationManager configurationManager, IMetricManager metricManager, ISecretManager secretManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
A proxy is used which allows access to *.atp.azure.com without auth. In proxy logs, we see no block for this server, only successful requests from this DC. There is no indication that 443 would be blocked somewhere else...
The AD account which is configured in the ATP portal was checked, domain is given in FQDN there and the password is correct.
Any ideas, someone?
- Lewis-H Iron Contributor
Download the Npcap version 0.9984 installer from https://nmap.org/npcap/.
Alternatively, request the OEM version of the Npcap driver (that supports silent installation) from the support team.
Copies of Npcap do not count towards the five-copy, five-computer or five-user licensing limitation if they are installed and used solely in conjunction with Azure ATP. For more information, see NPCAP licensing.
If you have not yet installed the sensor:
Uninstall WinPcap, if it was installed.
Install Npcap with the following options: loopback_support=no & winpcap_mode=yes.
If using the GUI installer, deselect the loopback support and select WinPcap mode.
Install the sensor package.
If you already installed the sensor:
Uninstall the sensor.
Uninstall WinPcap.
Install Npcap with the following options: loopback_support=no & winpcap_mode=yes
If using the GUI installer, deselect the loopback support and select WinPcap mode.
Reinstall the sensor package.
- minah Copper Contributor
Thanks Lewis, I have an issue while installing NPCAP 0.9984.
- EliOfek Microsoft
minah, if Npcap is failing but you see the npf service running, that means you most likely have WinPcap installed on the machine.
Try uninstalling it, and if there is no reference to it, try to stop and delete the npf service:
sc stop npf
sc delete npf
Then try the Npcap install again.
If it still fails, open a support case, we can escalate this to npcap support, and we will need the full npcap install logs...
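As an added example (not code from the thread, from Microsoft or from the Npcap project), here is the Npcap preparation Lewis-H lists and the stale-npf cleanup EliOfek describes, scripted in PowerShell for the DC. It assumes the Npcap OEM installer (the build that supports silent installation) sits at the path in $NpcapInstaller, that the WinPcap uninstaller accepts the usual NSIS /S switch, and that Npcap accepts /S, /loopback_support=no and /winpcap_mode=yes on the command line, which matches the options named in the post.

```powershell
# Added example: prepare a DC for the Azure ATP sensor by removing WinPcap or a stale
# npf driver service, then installing Npcap in WinPcap-compatible mode without loopback
# support (Lewis-H's and EliOfek's steps). Run elevated. Paths/switches are assumptions.
param(
    # Assumption: local copy of the Npcap OEM installer (silent install needs the OEM build)
    [string]$NpcapInstaller = 'C:\Temp\npcap-0.9984-oem.exe'
)
$ErrorActionPreference = 'Stop'

function Get-DriverState([string]$Name) {
    # npf and npcap are kernel driver services, which Get-Service does not enumerate;
    # Win32_SystemDriver reports them with State = Running / Stopped.
    $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if ($d) { $d.State } else { 'absent' }
}

function Get-PcapState {
    # WinPcap installs the 'npf' driver; Npcap installs 'npcap' (plus a compatibility 'npf'
    # in WinPcap mode). An 'npf' with no WinPcap entry in Programs and Features is the
    # orphaned-service case EliOfek describes.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $winpcap = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like 'WinPcap*' } | Select-Object -First 1
    [pscustomobject]@{
        Npf     = Get-DriverState 'npf'
        Npcap   = Get-DriverState 'npcap'
        WinPcap = $winpcap.UninstallString   # $null when WinPcap is not installed
    }
}

$state = Get-PcapState
Write-Host "before: npf=$($state.Npf) npcap=$($state.Npcap) winpcap=$($state.WinPcap)"

if ($state.WinPcap) {
    # 'Uninstall WinPcap': its NSIS uninstaller is assumed to accept /S for silent mode
    Start-Process -FilePath $state.WinPcap -ArgumentList '/S' -Wait
}
elseif ($state.Npf -ne 'absent' -and $state.Npcap -eq 'absent') {
    # No WinPcap entry, but an npf service is still registered: stop and delete it
    sc.exe stop npf   | Out-Null
    sc.exe delete npf | Out-Null
}

# Install Npcap with loopback_support=no and winpcap_mode=yes, as the post specifies
$p = Start-Process -FilePath $NpcapInstaller -Wait -PassThru -ArgumentList '/S', '/loopback_support=no', '/winpcap_mode=yes'
if ($p.ExitCode -ne 0) {
    throw "Npcap installer exited with $($p.ExitCode); keep the full Npcap install logs for a support case"
}

# Verify before touching the sensor package: the npcap driver must be running
$after = Get-PcapState
Write-Host "after:  npf=$($after.Npf) npcap=$($after.Npcap)"
if ($after.Npcap -ne 'Running') { throw "npcap driver state is '$($after.Npcap)', expected Running" }
Write-Host 'Npcap ready; now run the sensor setup.'
```

The script deliberately refuses to delete npf while a WinPcap entry still exists in the uninstall registry, because in that case the right fix is the uninstaller, not a bare `sc delete`, which would leave WinPcap's files and registry state behind.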
- Nelson_Matembissa Copper Contributor
After 5 hours of troubleshooting, we found a solution to our problem beyond the steps listed below. The solution involved removing the account (gMSA in our case) from the Directory Services accounts under security.microsoft.com > Settings > Identities > Directory Services accounts. Once we re-added the account, the sensor "service status" changed to "running" and the sensor status to "up to date."
Cause of the problem: The update from the Azure ATP Sensor likely went wrong.
Steps Taken:
1- Disabled Services: We disabled both the "Azure Advanced Threat Protection Sensor Updater" and "Azure Advanced Threat Protection Sensor" services.
2- Software Removal: We removed the Azure ATP sensor software from the affected Domain Controller (DC). We encountered difficulties during this process and had to use the Microsoft support article https://support.microsoft.com/en-gb/topic/fix-problems-that-block-programs-from-being-installed-or-removed-cca7d1b6-65a9-3d98-426b-e9f927e1eb4d to resolve them before running the uninstall program from Windows itself.
3- File Deletion: We deleted all files located in the "C:\Program Files\Azure Advanced Threat Protection Sensor" directory.
4- Service Removal (Command Prompt): As administrator, we ran the following commands in a command prompt window to remove the services:
sc delete AATPSensor
sc delete AATPSensorUpdater
5- Server Reboot: We rebooted the server.
6- Readiness Script: We ran the script provided by Microsoft https://github.com/microsoft/Microsoft-Defender-for-Identity (all checks resulted in "OK").
7- New Sensor Deployment: We returned to the Microsoft portal and added a new sensor. We ensured we used the same access key from the downloaded installer.
8- IPv4 TSO Offload: Since we were working with a virtual machine (VM), we disabled IPv4 TCP Segmentation Offloading (TSO) as recommended in the Microsoft documentation https://learn.microsoft.com/en-us/connectors/wdatp/.
9- gMSA Account Removal and Re-addition: We removed and then re-added the gMSA account under [invalid URL removed] > Settings > Identities > Directory Services accounts.
Following these steps, everything functioned correctly, and the service was running.
Additional Tip: Don't overlook your log files! Check for relevant information in "C:\Program Files\Azure Advanced Threat Protection Sensor\VersionInUse\Logs"
I hope this helps someone else out!
- GMela Brass Contributor
Thanks!!!!! That helped.
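As an added example (not from the thread or from Microsoft), the local part of Nelson_Matembissa's cleanup (steps 1, 3, 4 and 8) as one PowerShell script that can be re-run safely; uninstalling the package (step 2), the reboot and readiness script (steps 5 and 6) and the portal work (steps 7 and 9) remain manual. It assumes the default install directory from the post, the service names AATPSensor and AATPSensorUpdater from the post, and that the -IsVm switch is only passed when the DC really is a virtual machine.

```powershell
# Added example: idempotent local cleanup of a broken Azure ATP sensor install,
# following the numbered steps in the post above. Run elevated on the affected DC.
param(
    [switch]$IsVm   # only set this on a virtual machine (step 8 applies there)
)
$ErrorActionPreference = 'Stop'
$SensorDir      = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
$SensorServices = 'AATPSensor', 'AATPSensorUpdater'

# Step 1: stop and disable both services so the updater cannot restart mid-cleanup
foreach ($name in $SensorServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
}

# Step 2 is manual: stop here while the product is still registered, otherwise deleting
# files underneath an installed package leaves Windows Installer state behind.
$product = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Azure Advanced Threat Protection Sensor*' }
if ($product) {
    Write-Warning "Still registered: '$($product.DisplayName)'. Uninstall it first (see the support article in step 2)."
    return
}

# Step 3: remove leftover files, but keep a copy of the logs the 'Additional Tip' points at
$logs = Join-Path $SensorDir 'VersionInUse\Logs'
if (Test-Path $logs) {
    $backup = Join-Path $env:TEMP ("AATP-Logs-{0}" -f (Get-Date -Format 'yyyyMMdd-HHmm'))
    Copy-Item -Path $logs -Destination $backup -Recurse
    Write-Host "Logs copied to $backup"
}
if (Test-Path $SensorDir) { Remove-Item -LiteralPath $SensorDir -Recurse -Force }

# Step 4: delete the orphaned service registrations (sc.exe delete, as in the post)
foreach ($name in $SensorServices) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) { sc.exe delete $name | Out-Null }
}

# Step 8: on a VM, disable IPv4 large send offload (TCP segmentation offload) on physical NICs
if ($IsVm) {
    Get-NetAdapter -Physical | ForEach-Object { Disable-NetAdapterLso -Name $_.Name -IPv4 -NoRestart }
}

Write-Host 'Local cleanup done. Reboot (5), run the MDI readiness script (6), add a new sensor in the portal (7), then re-add the DSA account (9).'
```

Copying the logs before `Remove-Item` matters: the Microsoft.Tri.Sensor.Updater-Errors log from the previous install is the only evidence of why the update went wrong, and a clean redeploy destroys it.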
- EliOfek Microsoft
PhilippFoeckeler Effectively this error means it was blocked.
Is your proxy doing SSL inspection?
- PhilippFoeckeler Copper Contributor
No - there is no SSL inspection on the proxy... and in the proxy logs no blocks for this server. Very strange.
The local firewall is switched off. So for this SSL connection to localhost on port 444, I cannot see any reason why this should not be possible.
- EliOfek Microsoft
PhilippFoeckeler, any chance you can temporarily bypass this proxy just to see if it resolves the issue?
At least for the error sample you published, the problem is going to the azure backend, not to localhost.
- ricklahaye Copper Contributor
PhilippFoeckeler, how did you solve this issue? We are facing exactly the same. 1 DC cannot connect to the endpoint, all others can. Authentication and TLS inspection are already disabled on the proxy.
- Vishal_Sharma_4224 Microsoft
ricklahaye, please try a silent install and use the proxy URL in the command. Also, select the "bypass proxy server for local server" option in the LAN settings of the browser.
Something like below:-
"Azure ATP sensor Setup.exe" /quiet ProxyUrl="http://abc.com:port number of proxy" NetFrameworkCommandLineArguments="/q" AccessKey=""
Let me know if that helps.
- Pritam1560 Copper Contributor
Vishal_Sharma_4224 Hi Vishal,
We are having the same issue while installing the ATP sensor.
Tried to install silently, but it is getting the same error code: 0x80070643.
Our DC is hosted on a private LB.
We are using proxy settings to connect to the internet.
- Nickbk Microsoft
Try to execute the steps described here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy#configure-the-proxy
- Philipp_Foeckeler Copper Contributor
Actually, the solution in our case was to use Silent Installation (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-silent-installation#proxy-authentication) and provide the Proxy Information in the commandline.
Thank you all for helping and advising!!!
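As an added example (not code from the thread or from Microsoft), here is the resolution of this thread in PowerShell: first probe the sensor API through the proxy the same way the updater will, distinguishing a transport-level block (EliOfek's "effectively blocked") from an ordinary HTTP error, then run the silent install with ProxyUrl on the command line as Vishal_Sharma_4224 and Philipp_Foeckeler describe. Assumptions: the workspace's API host follows the `<workspace-name>sensorapi.atp.azure.com` pattern (check the exact host in your portal's prerequisites), the setup executable name is as in the thread, and the ProxyUserName / ProxyUserPassword parameters for an authenticating proxy are as documented in the proxy-authentication section of the silent-installation page linked above.

```powershell
# Added example: verify the proxy path to the ATP backend, then install the sensor silently
# with the proxy given explicitly (the fix that closed this thread). Run elevated on the DC.
param(
    [Parameter(Mandatory)] [string]$ProxyUrl,       # assumption/example: http://proxy.corp.example:8080
    [Parameter(Mandatory)] [string]$WorkspaceName,  # assumption/example: contoso-corp (from the portal)
    [string]$SetupExe  = '.\Azure ATP sensor Setup.exe',
    [string]$AccessKey = (Read-Host -Prompt 'Sensor access key')   # never hard-code the key in the script
)
$ErrorActionPreference = 'Stop'

function Test-SensorApiViaProxy {
    param([string]$Url, [string]$Proxy)
    # Any HTTP status, success or error, proves that DNS, the proxy CONNECT and the TLS
    # handshake all worked. Only a WebException with no response object is the transport
    # failure seen in the updater's Sanitized exception (EndGetRequestStream) above.
    try {
        $r = Invoke-WebRequest -Uri $Url -Proxy $Proxy -Method Head -UseBasicParsing -TimeoutSec 15
        return [pscustomobject]@{ Reachable = $true;  Status = [int]$r.StatusCode; Detail = 'HTTP response' }
    }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            return [pscustomobject]@{ Reachable = $true;  Status = [int]$_.Exception.Response.StatusCode; Detail = 'HTTP error status; proxy/TLS path works' }
        }
        return [pscustomobject]@{ Reachable = $false; Status = 0; Detail = "$($_.Exception.Status): $($_.Exception.Message)" }
    }
}

$apiUrl = "https://${WorkspaceName}sensorapi.atp.azure.com/"
$probe  = Test-SensorApiViaProxy -Url $apiUrl -Proxy $ProxyUrl
Write-Host ("probe {0} via {1}: reachable={2} status={3} ({4})" -f $apiUrl, $ProxyUrl, $probe.Reachable, $probe.Status, $probe.Detail)
if (-not $probe.Reachable) {
    throw 'Backend not reachable through this proxy from this DC; fix the proxy path before installing'
}

# Silent install with the proxy on the command line. The sensor services do not run as the
# interactive user, so an explicit ProxyUrl is what makes the updater use the same path.
$installArgs = @(
    '/quiet',
    'NetFrameworkCommandLineArguments="/q"',
    "ProxyUrl=`"$ProxyUrl`"",
    "AccessKey=`"$AccessKey`""
    # Authenticating proxy (assumption, per the linked doc): add
    #   "ProxyUserName=`"DOMAIN\user`"", "ProxyUserPassword=`"...`""
)
$p = Start-Process -FilePath $SetupExe -ArgumentList $installArgs -Wait -PassThru
# 0x80070643 from the wizard is HRESULT_FROM_WIN32(1603), the generic 'fatal error during installation'
if ($p.ExitCode -ne 0) { throw ("Setup exited with {0} (0x{0:X8})" -f $p.ExitCode) }

# Confirm both services came up; the updater is the one that failed to start in the original post
foreach ($name in 'AATPSensorUpdater', 'AATPSensor') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    Write-Host ("{0,-18} {1}" -f $name, $(if ($svc) { $svc.Status } else { 'absent' }))
}
```

The probe runs under the account you are logged on with, while AATPSensor and AATPSensorUpdater run as service accounts; a passing probe therefore only shows that the proxy will serve this DC, not that the services would have picked up the same proxy on their own, which is why the explicit ProxyUrl on the installer command line resolved the original problem even though the proxy logs showed no blocks.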