wwarobert
Copper Contributor
Aug 21, 2024

Unable to onboard devices in Defender anymore

We have a number of AVDs which are onboarded automatically in Defender; suddenly this process started to fail.

We can see an interesting error message:

VERBOSE: [2024-08-21 09:26:11Z][Information] Preparing onboarding package
VERBOSE: [2024-08-21 09:26:11Z][Information] Decoding onboarding script from base64 string
VERBOSE: [2024-08-21 09:26:11Z][Information] Decode onboarding script successfully
VERBOSE: [2024-08-21 09:26:11Z][Information] Verifying JSON signature
VERBOSE: [2024-08-21 09:26:11Z][Information] Signature verification result: True
VERBOSE: [2024-08-21 09:26:11Z][Error] base chain cetificate is not valid because: PartialChain
VERBOSE: [2024-08-21 09:26:11Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011 is valid: True
VERBOSE: [2024-08-21 09:26:11Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2011 is valid: True
VERBOSE: [2024-08-21 09:26:11Z][Information] Chain valid: False
VERBOSE: [2024-08-21 09:26:11Z][Information] Certificate chain verification result: False
VERBOSE: [2024-08-21 09:26:11Z][Error] Onboarding blob signature is not valid

It looked a little different in the past - seems like the certificate was not verified:

VERBOSE: [2024-04-10 07:14:35Z][Information] Preparing onboarding package
VERBOSE: [2024-04-10 07:14:35Z][Information] Decoding onboarding script from base64 string
VERBOSE: [2024-04-10 07:14:35Z][Information] Decoding onboarding script from base64 string completed successfully
VERBOSE: [2024-04-10 07:14:35Z][Information] Onboarding package prepared successfully
VERBOSE: [2024-04-10 07:14:35Z][Information] Running onboarding package
VERBOSE: [2024-04-10 07:14:35Z][Information] Successfully started process, waiting to finish with timeout
VERBOSE: [2024-04-10 07:14:54Z][Information] Onboarding package script completed successfully
VERBOSE: [2024-04-10 07:14:54Z][Information] Setting Azure Defender for Server identifiers in registry
VERBOSE: [2024-04-10 07:14:54Z][Information] Path HKLM:\Software\Policies\Microsoft\Windows Advanced Threat Protection already exists
VERBOSE: [2024-04-10 07:14:54Z][Information] Registry path HKLM:\Software\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging doesn't exist, creating it

We can see that the version of Windows.MDE(?) has changed: currently it is 1.0.10.3, previously (for onboarded devices) it was 1.0.9.5 - I can't find a version history anywhere - this is just the name of the folder where the logs are located.

We've checked all the policies we have implemented for these devices but we were unable to find anything which could break this.

Does anyone experience the same? Do you have any ideas what went wrong here?

2 Replies

  • D3monaz
    Copper Contributor
    We have the same issue on some machines in our environment. This problem pops up randomly with older versions as well.
  • LukH1925
    Copper Contributor

    Hi, we are facing a similar problem. What's strange is that it only happens to us on servers in one domain, the rest work normally.

    Details from log:

    Extension Message: Failed to configure Microsoft Defender for Endpoint: Error during prepare defenderForEndpointOnboardingScript Onboarding blob signature is not valid, executionlog: [2024-08-22 14:39:54Z][Information] Signature verification result: True
    [2024-08-22 14:40:24Z][Error] base chain cetificate is not valid because: PartialChain
    [2024-08-22 14:40:39Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011 is valid: False
    [2024-08-22 14:40:39Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2011 is valid: True
    [2024-08-22 14:40:39Z][Information] Chain valid: False
    [2024-08-22 14:40:39Z][Information] Certificate chain verification result: False
    [2024-08-22 14:40:39Z][Error] Onboarding blob signature is not valid
    [2024-08-22 14:40:39Z][Error] Error during prepare defenderForEndpointOnboardingScript Onboarding blob signature is not valid
    [2024-08-22 14:40:39Z][Error] Failed to configure Microsoft Defender for Endpoint: Error during prepare defenderForEndpointOnboardingScript Onboarding blob signature is not valid
    [2024-08-22 14:40:39Z][Information] Set handler status (C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3\status\0.status), Status=error, Code=888, Message='Failed to configure Microsoft Defender for Endpoint: Error during prepare defenderForEndpointOnboardingScript Onboarding blob signature is not valid'
    Extension Error:
    C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3>Powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3\\MdeExtensionHandlerWrapper.ps1 -Action enable
    VERBOSE: [2024-08-22 14:39:48Z][Information] Start executing handler action: enable
    VERBOSE: [2024-08-22 14:39:49Z][Information] Set handler status (C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3\status\0.status), Status=transitioning, Code=1, Message='Configuration In Progress'
    VERBOSE: [2024-08-22 14:39:49Z][Information] Invoking MdeExtensionHandler.ps1 in background process in order to install/configuration/onboard MDE
    VERBOSE: [2024-08-22 14:39:49Z][Information] End executing handler action: enable with exit code: 0
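
A check for the condition both logs report, added here as an example and not taken from the thread or from the extension's code: `PartialChain` is the .NET `X509ChainStatusFlags` value for a chain that could not be built up to a root certificate, so the script looks up the two CA certificates named in the logs in the local machine stores and builds a chain for each one it finds. It assumes the handler validates against the Windows machine certificate stores; the onboarding blob's own signing certificate is not shown in the thread and is not tested.

```powershell
# Added diagnostic example; not the extension's own code.
# Subject names copied from the log lines quoted in this thread.
$names  = 'Microsoft Secure Server CA 2011',
          'Microsoft Root Certificate Authority 2011'
# Assumption: the handler validates against the machine-wide stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$report = foreach ($name in $names) {
    # Collect every copy of the certificate, remembering which store held it
    $hits = foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.GetNameInfo($simple, $false) -eq $name } |
            ForEach-Object { [pscustomobject]@{ Store = $store; Cert = $_ } }
    }
    if (-not $hits) {
        [pscustomobject]@{
            Name = $name; Store = '(not found)'; Thumbprint = $null
            NotAfter = $null; ChainBuilt = $false; ChainStatus = 'certificate missing'
        }
        continue
    }
    foreach ($hit in $hits) {
        # $true = build in machine context rather than the current user's
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        # Skip revocation so the result reflects chain building only
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($hit.Cert)
        [pscustomobject]@{
            Name        = $name
            Store       = $hit.Store
            Thumbprint  = $hit.Cert.Thumbprint
            NotAfter    = $hit.Cert.NotAfter
            ChainBuilt  = $built
            # Empty when the chain is clean; otherwise flags such as PartialChain
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Reset()
    }
}
$report | Format-Table -AutoSize
```

Comparing the table from a failing host with one from a host that onboards normally shows whether the two differ in store contents, certificate expiry, or chain status.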