TherealKillerbe
Brass Contributor
Sep 20, 2023

The Sensor fails to start

We are implementing Windows Defender for Identity. As our domain controllers are not allowed to communicate with the internet, we have set up a dedicated member server for the sensor.

 

The operating system is Windows Server 2019 (10.0.17763). We have installed the sensor, however the sensor fails to start. The Log "Azure Advanced Threat Protection Sensor" does not hold any information besides the installation:

 

[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleOriginalSource = C:\temp\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleOriginalSourceFolder = C:\temp\Azure ATP Sensor Setup\
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleProviderKey = {47d0bc49-a03e-408c-bc8d-251917ef0d75}
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleRollbackLog_MsiPackage = C:\Users\ADM_JD~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20230919144435_000_MsiPackage_rollback.log
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleSourceProcessFolder = C:\temp\Azure ATP Sensor Setup\
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleSourceProcessPath = C:\temp\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleTag =
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleUILevel = 4
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleVersion = 2.213.17071.5302
[07B8:0A9C][2023-09-19T14:46:36]i007: Exit code: 0x0, restarting: No

 

The only thing we see is the event in the system event log:

The Azure Advanced Threat Protection Sensor service terminated unexpectedly

The majority of the logs described here are missing:

Troubleshooting the sensor using logs - Microsoft Defender for Identity | Microsoft Learn

The only ones we see are:

Name : Azure Advanced Threat Protection Sensor_20230920102142.log

Name : Azure Advanced Threat Protection Sensor_20230920102208.log

Name : Azure Advanced Threat Protection Sensor_20230920102208_000_MsiPackage.log

Name : Azure Advanced Threat Protection Sensor_20230920102427.log

Name : Azure Advanced Threat Protection Sensor_20230920102427_000_MsiPackage.log

Name : Microsoft.Tri.Sensor.Deployment.Deployer_20230920082231.log

Name : Microsoft.Tri.Sensor.Deployment.Deployer_20230920082542.log

 

  • The issue should appear in Microsoft.Tri.Sensor.Deployment.Deployer_20230920082542.log.
    Share the data from it.
    • TherealKillerbe
      Brass Contributor
      2023-09-20 13:52:34.3007 Info Program Main Deployer started [arguments=iEgYX6Z1ahtUzF/mpsUN9Q==]
      2023-09-20 13:52:34.4569 Debug InstallActionGroup Apply started
      2023-09-20 13:52:34.4569 Debug CreateCertificateAction Apply started [suppressFailure=False]
      2023-09-20 13:52:38.8944 Debug CreateCertificateAction Apply finished
      2023-09-20 13:52:38.8944 Debug CreateSensorAction Apply started [suppressFailure=False]
      2023-09-20 13:52:39.4413 Info CreateSensorAction ApplyInternal Adfs installation research log [adfsCommandOutput=Get-Command : The term 'Get-AdfsProperties' is not recognized as the name of a cmdlet, function, script file, or
      operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
      again.
      At line:1 char:2
      + (Get-Command Get-AdfsProperties).Source
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : ObjectNotFound: (Get-AdfsProperties:String) [Get-Command], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand

      adfssrv state=null user=Contoso\Administrator]
      2023-09-20 13:52:39.8442 Debug CreateSensorAction Apply finished
      2023-09-20 13:52:39.8442 Debug TestCertificateAndProxyAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.0630 Debug TestCertificateAndProxyAction Apply finished
      2023-09-20 13:52:40.0630 Debug SaveSensorMandatoryConfigurationAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.0942 Debug SaveSensorMandatoryConfigurationAction Apply finished
      2023-09-20 13:52:40.0942 Debug CreateServicesActionGroup Apply started
      2023-09-20 13:52:40.0942 Debug CreateServiceAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.0942 Debug CreateServiceAction Apply finished
      2023-09-20 13:52:40.0942 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1098 Debug SetServiceDescriptionAction Apply finished
      2023-09-20 13:52:40.1098 Debug ConfigureServiceAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1098 Debug ConfigureServiceAction Apply finished
      2023-09-20 13:52:40.1098 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1255 Debug SetServicePreshutdownTimeoutAction Apply finished
      2023-09-20 13:52:40.1255 Debug CreateServiceAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1255 Debug CreateServiceAction Apply finished
      2023-09-20 13:52:40.1255 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1255 Debug SetServiceDescriptionAction Apply finished
      2023-09-20 13:52:40.1255 Debug ConfigureServiceAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1411 Debug ConfigureServiceAction Apply finished
      2023-09-20 13:52:40.1411 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1411 Debug SetServicePreshutdownTimeoutAction Apply finished
      2023-09-20 13:52:40.1411 Debug CreateServicesActionGroup Apply finished
      2023-09-20 13:52:40.1411 Debug ConfigureVirtualServiceAccountAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1723 Debug ConfigureVirtualServiceAccountAction Apply finished
      2023-09-20 13:52:40.1723 Debug RegisterCrashDumpsAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1723 Debug RegisterCrashDumpsAction Apply finished
      2023-09-20 13:52:40.1723 Debug EnableTls12Action Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1723 Debug EnableTls12Action Apply finished
      2023-09-20 13:52:40.1723 Debug CopyServiceLogsOnRevertAction Apply started [suppressFailure=False]
      2023-09-20 13:52:40.1723 Debug CopyServiceLogsOnRevertAction Apply finished
      2023-09-20 13:52:40.1723 Debug StartServiceAction Apply started [suppressFailure=False]
      2023-09-20 13:52:46.2365 Debug StartServiceAction Apply finished
      2023-09-20 13:52:46.2365 Debug InstallActionGroup Apply finished
      2023-09-20 13:52:46.2365 Info Program Main Deployer finished
      • EliOfek
        Microsoft
        What happened is that the deployment found the adfssrv service running on the machine, thus assuming it has the ADFS role, instead of what I think you expected to be the "Standalone sensor" role to remotely monitor the DC via port mirroring and event forwarding.
        For some reason, even though adfssrv is there, the ADFS cmdlets that we use to learn data on ADFS are not.
        If you want a standalone sensor, the machine should not run any other role. It should be a plain Windows server.

        Note that standalones are generally a poor choice. Less than 2% of sensors WW are standalone.
        You get far fewer detections, and it is much harder to set up correctly.

        Why not use a limited authenticated internet proxy so the machine does not have direct access to the internet?
        The sensor supports "private proxy", which means you give it the proxy details during deployment, and only the sensor processes can use this proxy, and no other process.
        Also, the proxy can limit access only to MDI's endpoints in Azure.
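
A pre-install check for the condition described in the reply above, as an added example that is not part of the original thread and is not Microsoft's code. The function name Test-MdiSensorHostRole is hypothetical, and the assumption that the deployer keys on the adfssrv service comes from the reply, not from the deployer's source.

```powershell
# Added example, not Microsoft's code. Run on the intended sensor host before setup.
# Assumption (from the reply above): the deployer treats a host with the adfssrv
# service as an AD FS server; its real detection logic is not shown on this page.
function Test-MdiSensorHostRole {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # The service the reply says the deployment found on the machine.
    $svc = Get-Service -Name 'adfssrv' -ErrorAction SilentlyContinue

    # The cmdlet the Deployer log shows failing with CommandNotFoundException.
    $cmd = Get-Command -Name 'Get-AdfsProperties' -ErrorAction SilentlyContinue

    # Installed server roles, for comparison with "a plain Windows server".
    $roles = @()
    if (Get-Command -Name 'Get-WindowsFeature' -ErrorAction SilentlyContinue) {
        $roles = @(Get-WindowsFeature |
            Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
            ForEach-Object { $_.Name })
    }

    if ($svc -and -not $cmd) {
        $finding = 'adfssrv exists but Get-AdfsProperties does not resolve: the state recorded in the Deployer log'
    }
    elseif ($svc) {
        $finding = 'adfssrv and the AD FS cmdlets are both present: host looks like an AD FS server'
    }
    else {
        $finding = 'adfssrv not found: no AD FS service on this host'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AdfsServicePresent  = [bool]$svc
        AdfsServiceStatus   = if ($svc) { [string]$svc.Status } else { $null }
        AdfsCmdletsResolved = [bool]$cmd
        InstalledRoles      = $roles -join ', '
        Finding             = $finding
    }
}

Test-MdiSensorHostRole | Format-List
```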
