ATP connectivity challenge HTTP Error 400

MVP

Hi, I am trying to onboard an ATP client on Windows 10 using SCCM.

 

SCCM states the policy was applied correctly. The ATP service is running, the sense logs only contains warning and error messages stating the following:

Contacted server 20 times, failed 14 times and succeeded 6 times. URI: https://winatp-gw-neu.microsoft.com/. Last HTTP error code: 400

 

The ATP connectivity verifier states the client is onboarded along with HTTP code 200 success messages.

 

Any ideas what to check?

11 Replies

@kim oppalfens- exact same problem here...
WDATPConnectivityAnalyzer shows no errors at all, but the Eventlog shows Connection failed - error 400.

 

I've opened a support ticket and have had one session with a support engineer. No results so far.
Is your data in Europe by any chance?
Yes, we are in Europe as well.
Please keep me posted on progress. I'll do the same. I think I am going to try analyse the network traffic involved
Upgraded one of the machines involved to Windows 10 1903 without result.
Are all of your machines affected?

@kim oppalfens 

 

Same issue here, I get lots of the following errors in the SENSE event logs.

 

Contacted server 58 times, all failed, URI: https://winatp-gw-eus.microsoft.com/. Last HTTP error code: 400

 

Have you had any luck from support?

My issue was resolved by offboarding from a different tenant and onboard subsequently.

Even if you reset the device, if it has been part of a previous poc on atp the onboarding will fail.

@Mark Aldridge 

@kim oppalfens 

and if we can't remember the tenant that we used before to login and get the offboarding script I assume there is nothing else we can do?

Support was looking at creating an offboarding script based on data found in the registry. There wasn't an easy way to create that ourselves. I managed to find my tenant back and eventhough it had long expired I could still log into it and download an offboarding script. If you still know what mailbox the poc was requested in you might find the mail with your login. It should contain this string Analyst@Windows.

 

Good luck

@Mark Aldridge 

For anyone else having a similar problem you can use the MDATPClientAnalyzer tool at

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...

It finds the issue I was having and that I need to off-board my device from my previous Azure Tenant.

clipboard_image_0.png

 

 

@kim oppalfens 

Check your proxy and firewall.