Forum Discussion
can't install AzureATP sensor on DC 2022, help with logs?
- May 17, 2022
For anyone who finds similar errors,
opening IISCRYPTO to "server defaults template" lets everything install properly and run correctly. Using IIScrypto "best practice template" after installation re-breaks sensor updater and causes schannel errors in event log.
still trying to work out exactly what does/doesn't work in IISCRYPTO but can confirm it is now working using only TLS 1.0, 1.1 and 1.2 server/client protocols with all ciphers enabled
"best practices template" disables too much but haven't proved what exactly
- EliOfek Dec 03, 2023
Microsoft
Not sure what was the expected scenario...
To my understanding:
The 2022 machine has TLS 1.3 and TLS 1.2 enabled.
You disabled TLS 1.2
Removed required ciphers for TLS 1.3, effectively disabling 1.3
Now the sensor fails to use 1.3, but it also fails to use 1.2 as it was disabled.
Were you expecting it to use 1.2 even though it was disabled by the OS?
- lehmann43 Nov 29, 2023
Copper Contributor
Thank you for the response, but this is where the potentially unexpected behavior lies.
We do not have TLS 1.2 disabled on the machine. So it appears if TLS 1.3 is enabled the sensor does not seem to properly fall back to TLS 1.2, instead it fails outright.
- EliOfek Nov 29, 2023
Microsoft
lehmann43
Those 2 ciphers are a requirement for TLS 1.3 not for the sensor itself.
Assuming you have disabled TLS 1.2 on the machine, if those ciphers are missing,
the sensor has nothing to fall back to and thus will fail.
Those ciphers should exist by default on server 2022 vanilla to enable TLS 1.3.
See https://datatracker.ietf.org/doc/html/rfc8446#section-9.1
- lehmann43 Nov 27, 2023
Copper Contributor
admin Administrator Martin_Schvartzman EliOfek
Painstakingly narrowed this down to what seems like at least one of the following Cipher Suites needs to remain enabled with TLS1.3:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
A similar/error issue was affecting our ADFS Server ATP Sensors only (2.220.17339.6819) (Windows server 2022)
Can anyone confirm if this is a known requirement or have any additional info?
- admin Administrator May 25, 2022
Copper Contributor
got some way through and got to a point where I was happy, working like this, definitely something in the best practice settings is too restricted but this is close to those settings
- Martin_Schvartzman May 25, 2022
Microsoft
Did you continue the investigation and were you able to find the setting that breaks the updater comms?
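
A read-only check of the Schannel state this thread discusses, added here as an example and not posted by any participant or taken from Microsoft's sensor documentation. It reports the protocol overrides that tools such as IISCrypto write, whether the two TLS 1.3 suites named above are still enabled, and recent Schannel errors; checking the Client role for the sensor's outbound connections is an assumption.

```powershell
# Added example: read-only audit of the Schannel state discussed in this thread.
$base  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$tls13 = 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256'   # suites named in the thread

function Get-SchannelProtocolState {
    param([string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'))
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $v = Get-ItemProperty -Path "$base\$p\$role" -ErrorAction SilentlyContinue
            # A missing key or value means no override, so the OS default applies.
            if ($null -eq $v -or $null -eq $v.Enabled) { $state = 'OS default' }
            elseif ($v.Enabled -eq 0)                   { $state = 'Disabled' }
            else                                        { $state = 'Enabled' }
            [pscustomobject]@{ Protocol = $p; Role = $role; State = $state }
        }
    }
}

function Get-ClientState([object[]]$States, [string]$Protocol) {
    ($States | Where-Object { $_.Protocol -eq $Protocol -and $_.Role -eq 'Client' }).State
}

$protocols = Get-SchannelProtocolState
$suites    = (Get-TlsCipherSuite).Name            # cipher suites currently enabled
$present   = @($tls13 | Where-Object { $suites -contains $_ })

$protocols | Format-Table -AutoSize
foreach ($s in $tls13) {
    '{0,-26} {1}' -f $s, $(if ($suites -contains $s) { 'enabled' } else { 'MISSING' })
}

# Assumption: the sensor's outbound connections use the Client role settings.
if ((Get-ClientState $protocols 'TLS 1.3') -ne 'Disabled' -and $present.Count -eq 0) {
    Write-Warning 'TLS 1.3 is not disabled, but neither TLS 1.3 suite is enabled (the state reported in this thread).'
}
if ((Get-ClientState $protocols 'TLS 1.2') -eq 'Disabled') {
    Write-Warning 'TLS 1.2 (Client) is disabled, so there is no TLS 1.2 fallback.'
}

# Recent Schannel errors from the System log, as mentioned in the first post.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Running it before and after applying a hardening template shows which protocol override or cipher suite removal coincides with the Schannel errors.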