Oct 22 2020 05:31 PM
Crossposting from the Security and Compliance forum...
I'm attempting to onboard some clients to Defender ATP using Microsoft Endpoint Configuration Manager. I've followed the instructions here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...
However, the clients are not being onboarded, and when I look at the C:\Windows\CCM\Logs\ATPHandler.log file, I see the following:
ATPHandler: Handling policy originating from AdminConsole: AdvancedThreatProtectionSettings_Configuration 2020-10-21 5:09:35 PM 10148 (0x27A4)
ATPHandler: Unexpected ConfigurationType, 2020-10-21 5:09:35 PM 10148 (0x27A4)
ATPHandler: Failure in CATPHandler::HandleUIPolicy: 0x80070057 2020-10-21 5:09:35 PM 10148 (0x27A4)
I haven't found any reference to this "ATPHandler: Unexpected ConfigurationType" error anywhere. Does anyone know what I should be looking at to troubleshoot this?
MECM Client version 5.00.9012.1034, site version 5.0.9012.1000
Oct 23 2020 05:57 AM
@Ryan Steele Are you sure the affected devices ran the WindowsDefenderATPOnboardingScript.cmd successfully? Did you deploy this script using a package/program or as an application? When using an application (which I would prefer), make sure you define the registry-based detection rule using the OnboardingState value correctly, as described in the article. Did you set the AllowSampleCollection registry value correctly? Please note that this has to be a REG_DWORD value.
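The checks listed in this reply (OnboardingState, the AllowSampleCollection value and its type, plus the handler log error from the original post) collected into one per-client script, as an added example that is not code from the thread or from Microsoft. The registry paths and the Sense service name are assumptions based on the documented onboarding values; confirm them against the onboarding package for your tenant.

```powershell
# Added example: gather the Defender for Endpoint onboarding indicators on one client.
# Assumed registry locations (verify against your onboarding package):
#   HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\OnboardingState  (REG_DWORD, 1 when onboarded)
#   HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\AllowSampleCollection  (must be REG_DWORD)
function Test-MdeOnboardingState {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $handlerLog = 'C:\Windows\CCM\Logs\ATPHandler.log'

    $result = [ordered]@{
        OnboardingState           = $null   # expected 1 once onboarding has completed
        AllowSampleCollection     = $null   # value as stored in policy
        AllowSampleCollectionType = $null   # expected 'DWord'; a 'String' here is the mistake the reply warns about
        SenseServiceStatus        = $null   # assumed service name 'Sense'
        LastHandlerError          = $null   # most recent failure line from ATPHandler.log
    }

    $status = Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue
    if ($status) { $result.OnboardingState = $status.OnboardingState }

    # Read the value kind, not just the value, so a REG_SZ "1" is caught.
    $policyItem = Get-Item -Path $policyKey -ErrorAction SilentlyContinue
    if ($policyItem -and ($policyItem.GetValueNames() -contains 'AllowSampleCollection')) {
        $result.AllowSampleCollection     = $policyItem.GetValue('AllowSampleCollection')
        $result.AllowSampleCollectionType = $policyItem.GetValueKind('AllowSampleCollection').ToString()
    }

    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseServiceStatus = $svc.Status.ToString() }

    # 0x80070057 in the log is E_INVALIDARG ("The parameter is incorrect"), i.e. the handler
    # rejected the policy it was given rather than failing to reach the service.
    if (Test-Path $handlerLog) {
        $match = Get-Content -Path $handlerLog |
            Select-String -Pattern 'Failure in CATPHandler|Unexpected ConfigurationType' |
            Select-Object -Last 1
        if ($match) { $result.LastHandlerError = $match.Line }
    }

    [pscustomobject]$result
}

Test-MdeOnboardingState | Format-List
```

Running this on the one client that onboarded and on one that did not shows directly which of the indicators differ between them.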
Oct 23 2020 07:17 AM - edited Oct 23 2020 07:44 AM
Okay, now I'm really confused
I just realized that the link I provided above isn't actually the link to the instructions I was following. I was following these ones: Microsoft Defender Advanced Threat Protection. Nowhere in those instructions does it say anything about deploying a .cmd file.
To my reading, the .cmd file isn't required when deploying with a current version of Configuration Manager. Indeed, the deployment package that is downloaded from the Onboarding page in the Defender ATP console when selecting the "Microsoft Endpoint Configuration Manager current branch and later" deployment method contains a .onboarding file, not a .cmd file.
Edit: I also forgot to mention that one of the machines in this group was successfully onboarded, but the rest were not. I haven't yet investigated whether there were any particular configuration differences which would account for this.
Oct 23 2020 07:56 AM - Solution
Okay, I've just checked again, and all devices have enrolled as expected. There must have been an issue on the Defender ATP back end that was causing this error which has since been resolved.
Oct 26 2020 06:05 AM
@Ryan Steele My bad; I failed to notice that the instructions you referred to were outdated. Anyway, glad to hear that the issue is resolved!