autopoiesis
Copper Contributor
Nov 13, 2024

On-prem, Server2022, onboarded via GPO, not visible in Portal..?

Per Title, this affects just one server (AFAIK).

Additional info:

  • Onboarding GPO configured as per docs (and identically to other AOK machines in this Domain)
  • Application Log, EventID 20: "Successfully onboarded machine to Microsoft Defender for Endpoint" as expected
  • MDE Client Analyzer Results
    • correct OrgID is shown
    • DeviceID is shown
    • One error (MDECloud cert pinning: "Certificate pinning validation for https://ecs.office.com/config/v1/MicrosoftWindowsDefenderClient/1.0.0.0 has failed.
      The test has failed because an error occured when fetching the root CA in the cert chain. The certificate issuer that was fetched from the URL was: CN=DigiCert Cloud Services CA-1, O=DigiCert Inc, C=US")
    • But
      • FW logs show successful connections to ecs.office.com, no drops/denies
      • manual navigation to that URL from affected box returns some JSON, inc StatusCode: 200 (which I assume is "OK")
  • Using old connectivity mode/method (not streamlined)

Unlike all other devices, this one cannot be found in the Portal, by name, DeviceID, account logins, etc. No trace at all...

Could this be explained by the Certificate Pinning issue?

What are best steps to troubleshoot this box's non-appearance in Portal?

  • Mks_1973
    Iron Contributor

    Check the DigiCert Cloud Services CA-1 certificate is present in the Trusted Root Certification Authorities.

    Verify network connectivity and disable TLS inspection for MDE URLs.

    Re-onboard the device by offboarding and re-onboarding via GPO or script.

    Switch to streamlined connectivity mode if possible:
    Configure the server to use cloud-delivered protection if not already configured. This can be done by setting the Defender CSP (Configuration Service Provider) policies or by using PowerShell.
    Set-MpPreference -CloudBlockLevel High
    Set-MpPreference -SubmitSamplesConsent 2
    Set-MpPreference -MAPSReporting Advanced

    Run MDE diagnostics using MPCmdRun and review logs in C:\ProgramData\Microsoft\Windows Defender

    Advanced Threat Protection:
    Check the MDE logs located at C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\ for any specific errors or indications of issues with the service registration or connectivity. Key files to review include:
      • SenseLogs: These logs capture data about the device’s registration and communication with the MDE cloud service.
      • EventsLogs: Look for any errors or warnings that could hint at connectivity or configuration issues.

    Ensure the latest updates are installed on Windows Server 2022.

  • autopoiesis
    Copper Contributor

    Resolved...

    Server got created/staged in the wrong OU.  GPO wasn't applying.

    🤦‍♂️
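The checks suggested in the answer above, plus the one that would have found the actual root cause (GPO not applied because the computer object sat in the wrong OU), collected into a single read-only script. This is an added example, not code from either poster or from Microsoft. It assumes a domain-joined Windows Server with the MDE sensor, an elevated PowerShell session, and that the onboarding GPO's display name is substituted for the placeholder `$ExpectedGpoName`; the registry path under `Windows Advanced Threat Protection\Status` is the one Microsoft's onboarding verification guidance documents and is an assumption here rather than something the thread states.

```powershell
# Added example (not from the original thread): read-only MDE onboarding health checks
# for a server onboarded by GPO. Run in an elevated PowerShell session on the affected box.
# Values marked ASSUMED are placeholders you must replace or verify.

$ExpectedGpoName = 'MDE Onboarding'   # ASSUMED: the display name of your onboarding GPO
$EcsHost = 'ecs.office.com'
$EcsUrl  = "https://$EcsHost/config/v1/MicrosoftWindowsDefenderClient/1.0.0.0"
$results = [ordered]@{}

# 1. Is the onboarding GPO actually applied to this computer? (The thread's root cause.)
$gpresult = (gpresult /r /scope:computer 2>&1) | Out-String
$results['GpoApplied'] = $gpresult -match [regex]::Escape($ExpectedGpoName)

# Where does the computer object live? A DN in an unexpected OU explains a non-applied GPO.
try {
    $searcher = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
    $results['ComputerDN'] = $searcher.FindOne().Properties['distinguishedname'][0]
} catch { $results['ComputerDN'] = "lookup failed: $($_.Exception.Message)" }

# 2. Sense service and onboarding state.
#    ASSUMED registry path (Microsoft's verification guidance); OnboardingState 1 = onboarded.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$results['SenseService'] = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
$status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
          -ErrorAction SilentlyContinue
$results['OnboardingState'] = $status.OnboardingState
$results['SenseId']         = $status.SenseId

# 3. The Application log Event ID 20 the question cites ("Successfully onboarded machine...").
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 20 } -MaxEvents 1 `
       -ErrorAction SilentlyContinue
$results['LastEventId20'] = if ($evt) { $evt.TimeCreated } else { 'none found' }

# 4. Is the CA named in the Client Analyzer's pinning error present in the machine stores?
$caMatch = Get-ChildItem -Path 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root' |
           Where-Object { $_.Subject -like '*DigiCert Cloud Services CA-1*' }
$results['DigiCertCloudServicesCA1Present'] = [bool]$caMatch

# 5. HTTP reachability of the ECS endpoint (the poster saw a 200 from a browser).
try {
    $resp = Invoke-WebRequest -Uri $EcsUrl -UseBasicParsing -TimeoutSec 15
    $results['EcsHttpStatus'] = $resp.StatusCode
} catch { $results['EcsHttpStatus'] = "request failed: $($_.Exception.Message)" }

# 6. Which issuer does the server actually see on the TLS handshake? If a TLS-inspecting
#    proxy is in the path, the issuer will be the proxy's CA, which is what breaks cert
#    pinning. The validation callback accepts any chain only so the issuer can be read.
try {
    $tcp = New-Object Net.Sockets.TcpClient($EcsHost, 443)
    $cb  = [Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($EcsHost)
    $leaf = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $results['EcsPresentedIssuer'] = $leaf.Issuer
    $ssl.Dispose(); $tcp.Dispose()
} catch { $results['EcsPresentedIssuer'] = "handshake failed: $($_.Exception.Message)" }

[pscustomobject]$results | Format-List
```

Read the output top-down: if `GpoApplied` is false and `ComputerDN` shows an OU other than the one the GPO is linked to, you have the situation this thread ended with, and nothing further down matters until the object is moved and `gpupdate /force` has run. `OnboardingState` of 1 with a populated `SenseId` but no device in the Portal points instead at the cloud-side path, where an `EcsPresentedIssuer` that is not a DigiCert CA indicates TLS inspection in front of the sensor.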