Sanjay O P
Copper Contributor
Jan 27, 2023

Repoint Azure ATP Sensor to new ATP portal

How do we repoint an Azure ATP Sensor to the new ATP portal? I have tried uninstalling the existing Sensor from the programs and installing it again using the new sensor and JSON file downloaded from the new portal. But the installation fails with the below error on the Azure Advanced Threat Protection Sensor log.

 

I can see DeploymentAction=Upgrade instead of Install. On DCs where I install the sensor for the first time, it works fine and gets pointed to the new ATP portal, but there I can see DeploymentAction=Install.

 

Debug DeploymentModel .ctor [DeploymentAction=Upgrade]
Debug DeploymentModel .ctor [IsAfterRestartAndConfigured=False]
Debug ServiceControllerExtension GetServiceCommandLine [BinaryPathName=]
Error DeploymentManager ShowErrorMessage System.ArgumentNullException: Value cannot be null.

 

I would appreciate it if anyone has any suggestions on this.

  • Sanjay O P 

    What do you mean by old and new ATP Portal?
    Unless you are migrating from ATA to MDI, there's no need to remove and reinstall sensors for them to work with the M365 defender portal.

    As for your install/upgrade issue, if the sensor installation thinks it's an upgrade, it means that there are still leftovers on the system.

    You can open a support ticket to get assistance in the cleanup process, but in general the steps are:

     

    Uninstall:
    Try running command line setup uninstall from ProgramData\PackageCache folder
    Ex. C:\ProgramData\Package Cache\{########-####-####-####-############} [The GUID is different for each machine/install]
    "Azure ATP Sensor Setup.exe" /uninstall

    Services:
    To remove Services leftover from a previous install, run from an elevated prompt:
    sc.exe delete aatpsensor
    sc.exe delete aatpsensorupdater

    Manual removal:
    Verify the Sensor & Sensor.Updater services no longer exist
    Verify Program Folder no longer exists: C:\Program Files\Azure Advanced Threat Protection Sensor
    Rename ProgramData\PackageCache{GUID} folder for the sensor cache
    Check Install registry keys
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\{GUID}: Azure Advanced Threat Protection Sensor
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\{GUID}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\{GUID}
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}

     

    • Sanjay O P
      Copper Contributor
      Thanks for replying Martin!

      What I meant by old and new ATP portal is that we already had the sensors pointed to our <atpsensor1>.atp.azure.com and now we want to repoint them all to <atpsensor2>.atp.azure.com. From my research, I found that the only way to do this is to uninstall and reinstall the sensor with the new ATP portal details.

      I will check on the manual cleanup procedures you suggested and see if that helps. Thanks again!
      • Martin_Schvartzman
        Microsoft

        Sanjay O P 

        Ok, yes. In cases where you need to migrate to a different workspace there's no other option but to remove and reinstall the sensors.
