Forum Discussion
TherealKillerbe
Sep 20, 2023 (Brass Contributor)
The Sensor fails to start
We are implementing Windows Defender for Identity. As our domain controllers are not allowed to communicate with the internet, we have set up a dedicated member server for the sensor. The operati...
- Sep 20, 2023
What happened is that the deployment found the adfssrv service running on the machine, thus assuming it has the ADFS role, instead of what I think you expected to be the "Standalone sensor" role to remotely monitor the DC via port mirroring and event forwarding.
For some reason, even though adfssrv is there, the ADFS cmdlets that we use to learn data on ADFS are not.
If you want a standalone sensor, the machine should not run any other role. It should be a plain Windows server.
Note that standalones are generally a poor choice. Less than 2% of sensors WW are standalone.
You get far fewer detections, and it is much harder to set up correctly.
Why not use a limited authenticated internet proxy so the machine does not have direct access to the internet?
The sensor supports "private proxy", which means you give it the proxy details during deployment, and only the sensor processes can use this proxy, and no other process.
Also, the proxy can limit access only to MDI's endpoints in Azure.
EliOfek
Microsoft
Sep 21, 2023
Can you run on this machine:
sc query adfssrv
And paste the results?
What error did you get when trying to use the command line switch proxy option?
TherealKillerbe
Sep 22, 2023 (Brass Contributor)
I ran the following command:
Azure ATP Sensor Setup.exe ProxyURL="http://10.0.100.4:8080"
2023-09-22 09:36:22.3192 Info Program Main Deployer started [arguments=UupWdR8YVoHtaVBj0WBPKQ==]
2023-09-22 09:36:22.4129 Debug InstallActionGroup Apply started
2023-09-22 09:36:22.4129 Debug CreateCertificateAction Apply started [suppressFailure=False]
2023-09-22 09:36:26.4754 Debug CreateCertificateAction Apply finished
2023-09-22 09:36:26.4754 Debug CreateSensorAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.1004 Info CreateSensorAction ApplyInternal Adfs installation research log [adfsCommandOutput=Get-Command : The term 'Get-AdfsProperties' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+ (Get-Command Get-AdfsProperties).Source
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AdfsProperties:String) [Get-Command], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand
adfssrv state=null user=Contoso\administrator]
2023-09-22 09:36:27.6629 Debug CreateSensorAction Apply finished
2023-09-22 09:36:27.6629 Debug TestCertificateAndProxyAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.8661 Debug TestCertificateAndProxyAction Apply finished
2023-09-22 09:36:27.8661 Debug SaveSensorMandatoryConfigurationAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.8973 Debug SaveSensorMandatoryConfigurationAction Apply finished
2023-09-22 09:36:27.8973 Debug CreateServicesActionGroup Apply started
2023-09-22 09:36:27.8973 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.8973 Debug CreateServiceAction Apply finished
2023-09-22 09:36:27.8973 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9129 Debug SetServiceDescriptionAction Apply finished
2023-09-22 09:36:27.9129 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9285 Debug ConfigureServiceAction Apply finished
2023-09-22 09:36:27.9285 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9285 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-22 09:36:27.9285 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9285 Debug CreateServiceAction Apply finished
2023-09-22 09:36:27.9285 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9285 Debug SetServiceDescriptionAction Apply finished
2023-09-22 09:36:27.9285 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9442 Debug ConfigureServiceAction Apply finished
2023-09-22 09:36:27.9442 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9442 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-22 09:36:27.9442 Debug CreateServicesActionGroup Apply finished
2023-09-22 09:36:27.9442 Debug ConfigureVirtualServiceAccountAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9754 Debug ConfigureVirtualServiceAccountAction Apply finished
2023-09-22 09:36:27.9754 Debug RegisterCrashDumpsAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9754 Debug RegisterCrashDumpsAction Apply finished
2023-09-22 09:36:27.9754 Debug EnableTls12Action Apply started [suppressFailure=False]
2023-09-22 09:36:27.9754 Debug EnableTls12Action Apply finished
2023-09-22 09:36:27.9754 Debug CopyServiceLogsOnRevertAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9754 Debug CopyServiceLogsOnRevertAction Apply finished
2023-09-22 09:36:27.9754 Debug StartServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:34.8232 Debug StartServiceAction Apply finished
2023-09-22 09:36:34.8232 Debug InstallActionGroup Apply finished
2023-09-22 09:36:34.8232 Info Program Main Deployer finished
- TherealKillerbe, Sep 26, 2023 (Brass Contributor)
Deployed the sensors on the DC directly using the Proxyurl switch.
Services started as expected.
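
One way to triage a deployer log like the one posted in this thread, as an added example that is not part of the thread or of Microsoft's tooling: it pairs each action's "Apply started" with its "Apply finished" to show which step never completed, and flags the failed AD FS cmdlet probe discussed in the answer. The sample log is constructed, and the field layout (timestamp, level, source, message) is an assumption inferred from the quoted log.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the deployer log quoted in the thread,
# one entry per line; StartServiceAction is left unfinished on purpose.
SAMPLE_LOG = """\
2023-09-22 09:36:22.4129 Debug CreateCertificateAction Apply started [suppressFailure=False]
2023-09-22 09:36:26.4754 Debug CreateCertificateAction Apply finished
2023-09-22 09:36:26.4754 Debug CreateSensorAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.1004 Info CreateSensorAction ApplyInternal Adfs installation research log [adfsCommandOutput=Get-Command : The term 'Get-AdfsProperties' is not recognized as the name of a cmdlet
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand
adfssrv state=null user=EXAMPLE\\admin]
2023-09-22 09:36:27.6629 Debug CreateSensorAction Apply finished
2023-09-22 09:36:27.9754 Debug StartServiceAction Apply started [suppressFailure=False]
"""

# Assumed entry layout: "<date> <time> <level> <source> <message>"
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\w+) (\w+) (.*)$")

def parse(text):
    """Split the log into entries; lines without a timestamp continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            entries.append({"ts": ts, "level": m.group(2), "source": m.group(3), "msg": m.group(4)})
        elif entries and line.strip():
            entries[-1]["msg"] += "\n" + line
    return entries

def triage(entries):
    """Pair 'Apply started'/'Apply finished' per action and flag a failed AD FS cmdlet probe."""
    pending, durations, adfs = [], {}, None
    for e in entries:
        if e["msg"].startswith("Apply started"):
            pending.append((e["source"], e["ts"]))
        elif e["msg"].startswith("Apply finished"):
            # Action groups nest, so close the most recent start with the same name.
            for i in range(len(pending) - 1, -1, -1):
                if pending[i][0] == e["source"]:
                    name, started = pending.pop(i)
                    durations.setdefault(name, []).append((e["ts"] - started).total_seconds())
                    break
        elif "Adfs installation research log" in e["msg"]:
            state = re.search(r"adfssrv state=(\S+)", e["msg"])
            adfs = {"cmdlets_missing": "CommandNotFoundException" in e["msg"],
                    "adfssrv_state": state.group(1) if state else None}
    return {"unfinished": [n for n, _ in pending], "durations": durations, "adfs_probe": adfs}

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

An action listed under `unfinished` is where the installer stopped; a non-empty `adfs_probe` with `cmdlets_missing` set means the installer took the AD FS code path on a host that lacks the AD FS cmdlets.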