Forum Discussion
MDI Sensors not auto updating
Since we first installed the MDI sensors they have never received an update. Here are the logs:
Updater-Errors.log:
2022-01-10 20:15:47.8627 Error RunDeployerMinorDeploymentAction ApplyInternal finished. Deployer finished unsuccessfully
2022-01-10 20:15:48.1769 Error DeploymentAction StartMinorSoftwareUpdateAsync failed
Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMinorDeploymentAction]
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
at async Task Microsoft.Tri.Sensor.Updater.SoftwareUpdater.StartMinorSoftwareUpdateAsync(byte[] deploymentFileBytes)
Updater.log:
2022-01-10 20:15:40.2127 Debug UnpackDeploymentPackageBytesAction Apply started [suppressFailure=False]
2022-01-10 20:15:42.6317 Debug UnpackDeploymentPackageBytesAction Apply finished
2022-01-10 20:15:42.6317 Debug RunDeployerMinorDeploymentAction Apply started [suppressFailure=False]
2022-01-10 20:15:42.6327 Info RunDeployerMinorDeploymentAction ApplyInternal started [filePath=C:\Program Files\Azure Advanced Threat Protection Sensor\2.165.14760.3978\Microsoft.Tri.Sensor.Deployment.Deployer.exe _arguments=RGnxlTPl8wE10cxC/7pisA==]
2022-01-10 20:15:47.8627 Error RunDeployerMinorDeploymentAction ApplyInternal finished. Deployer finished unsuccessfully
2022-01-10 20:15:48.1769 Error DeploymentAction StartMinorSoftwareUpdateAsync failed
Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMinorDeploymentAction]
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
at async Task Microsoft.Tri.Sensor.Updater.SoftwareUpdater.StartMinorSoftwareUpdateAsync(byte[] deploymentFileBytes)
2022-01-10 20:15:48.2969 Debug UnpackDeploymentPackageBytesAction Revert started
2022-01-10 20:15:48.3639 Debug UnpackDeploymentPackageBytesAction Revert finished
2022-01-10 21:52:06.0402 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync started [AccountName=childaccount DomainDnsName=childdomain]
2022-01-10 21:52:06.3102 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync finished [AccountName=childaccount DomainDnsName=childdomain]
2022-01-10 21:52:06.8792 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync started [AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:52:08.4453 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=AccessDenied AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:52:18.2945 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync started [AccountName=childaccount DomainDnsName=childdomain]
2022-01-10 21:52:18.3495 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync finished [AccountName=childaccount DomainDnsName=childdomain]
2022-01-10 21:52:20.4876 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync started [AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:52:21.6836 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=AccessDenied AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:52:22.0066 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync started [AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:52:23.1567 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=AccessDenied AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:55:50.5515 Info SensorServiceController DisableService started
2022-01-10 21:55:52.8508 Info SensorServiceController DisableService finished
There are two gMSA accounts, one in the parent domain and one in the child. This is happening to all of the child domain DCs. We checked the gMSA account on the DCs and it is set correctly with authentication allowed. If we manually update the sensor, it will start working again, so it doesn't appear to be a firewall issue. Any help would be greatly appreciated!
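An added triage example (not part of the original post and not Microsoft's code): it parses lines in the Updater.log layout shown above and reports which gMSA accounts never returned a token, alongside failed deployer runs. The sample input is constructed by abridging the excerpt above, and the field layout is assumed from those lines only.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the Updater.log excerpt in the post above.
SAMPLE_LOG = """
2022-01-10 20:15:47.8627 Error RunDeployerMinorDeploymentAction ApplyInternal finished. Deployer finished unsuccessfully
Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMinorDeploymentAction]
2022-01-10 21:52:06.0402 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync started [AccountName=childaccount DomainDnsName=childdomain]
2022-01-10 21:52:06.3102 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync finished [AccountName=childaccount DomainDnsName=childdomain]
2022-01-10 21:52:06.8792 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync started [AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:52:08.4453 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=AccessDenied AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:52:18.3495 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync finished [AccountName=childaccount DomainDnsName=childdomain]
2022-01-10 21:52:21.6836 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=AccessDenied AccountName=parentaccount DomainDnsName=parentdomain]
2022-01-10 21:52:23.1567 Warn GroupManagedServiceAccountImpersonationHelper GetGroupManagedServiceAccountAccessTokenAsync failed GMSA password could not be retrieved [errorCode=AccessDenied AccountName=parentaccount DomainDnsName=parentdomain]
"""

# Assumed line layout: "<date> <time> <Level> <Source> <message>".
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<level>\w+) (?P<source>\w+) (?P<msg>.*)$")
GMSA = re.compile(
    r"GetGroupManagedServiceAccountAccessTokenAsync (?P<state>started|finished|failed)"
    r".*?\[(?:errorCode=(?P<err>\w+) )?AccountName=(?P<acct>\S+) DomainDnsName=(?P<dom>[^\]\s]+)\]")

def triage(log_text):
    """Return (per-account gMSA outcome counts, timestamps of failed deployer runs)."""
    gmsa = defaultdict(lambda: {"finished": 0, "failed": 0, "errors": set()})
    deployer_failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace continuation lines carry no timestamp
        g = GMSA.search(m["msg"])
        if g and g["state"] != "started":
            entry = gmsa[(g["acct"], g["dom"])]
            entry[g["state"]] += 1
            if g["err"]:
                entry["errors"].add(g["err"])
        elif m["level"] == "Error" and "Deployer finished unsuccessfully" in m["msg"]:
            deployer_failures.append(m["ts"])
    return dict(gmsa), deployer_failures

def never_succeeded(gmsa):
    """Accounts with at least one failure and no successful token retrieval."""
    return sorted(k for k, v in gmsa.items() if v["failed"] and not v["finished"])

if __name__ == "__main__":
    accounts, failed_runs = triage(SAMPLE_LOG)
    print("gMSA accounts that never returned a token:", never_succeeded(accounts))
    print("failed deployer runs at:", failed_runs)
```

In the excerpt the deployer failure (20:15) and the gMSA AccessDenied warnings (21:52) are more than an hour and a half apart, so the parser reports them separately and does not assume one caused the other.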
5 Replies
- EliOfek
Microsoft
Any 3rd party security software on the machine might be blocking the API calls of the sensor when it tries to pull the password?
Reinstallation on a new version means an exe with a new hash, it might take time for it to get blocked.
- LisaMelone
Microsoft
They use Palo Alto's Cortex XDR but looking through the logs it doesn't appear to be blocking anything. They use Notify not block. We have gMSA on other machines with Cortex that aren't getting blocked (i.e. Commvault).
- EliOfek
Microsoft
If you add a standard account as fallback (just for checking) does everything work?