Forum Discussion

Mohamed's avatar
Mohamed
Brass Contributor
May 16, 2022

Please delete this post

Please delete this post

  • AhmedBadawy's avatar
    AhmedBadawy
    Copper Contributor

    I would believe this is normal, The first task of the script is to run the service. When you open CMD of the onboarding script check line 82.

    It should start with
    "echo Starting the service, if not already running"


    I believe you are onboarded correctly. If you would like to ensure you are reporting to the correct tenant, run the test threat script which you can download from the security portal. It should be reflected to the tenant in 5 minutes as threat under this specific server status.


    You can also check if the correct Tenant ID has been set on your machine. You should get your onboarding tenant ID from the script line 63 under reg key "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"

     

    according to the message you displayed, your onboarding didn't fail, it was success

     

    Hope this helps

    • jbmartin6's avatar
      jbmartin6
      Iron Contributor
      I think you would have to wipe the machine if you don't have access to the original tenant to generate the signed offboarding package. I could be wrong, I am relatively new at this, but AFAIK this is by design, we don't want attackers to be able to simply offboard machines to cover their tracks.

Resources