SOLVED

ATP Onboarding fails


Hello Folks!

I am trying to onboard a machine to a new tenant, but it says "The Microsoft Defender for Endpoint Service is already running", as shown on the screenshot.

[Screenshot: MohamedAbdulmoez_0-1652630495365.png]

However, I went to Event Viewer to check the issue; under source WDATPOnboarding I found ID 10, which means "The Microsoft Defender for Endpoint Service is already running!"

As I remember, I onboarded this machine on a different tenant long ago and forgot about it, as it was a trial tenant.

So, how can I disassociate the machine from the old tenant?

Thank you!

4 Replies

I would believe this is normal; the first task of the script is to run the service. When you open the CMD file of the onboarding script, check line 82.

It should start with
"echo Starting the service, if not already running"

I believe you are onboarded correctly. If you would like to ensure you are reporting to the correct tenant, run the test threat script, which you can download from the security portal. It should be reflected in the tenant within 5 minutes as a threat under this specific server's status.

You can also check if the correct Tenant ID has been set on your machine. You should get your onboarding tenant ID from the script, line 63, under reg key "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection".

According to the message you displayed, your onboarding didn't fail; it was a success.

Hope this helps
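The checks suggested in this reply (service running, tenant ID in the policy registry key, onboarding events) can be gathered in one read-only script. The following PowerShell is an added example, not code from the thread or from Microsoft's onboarding package. It assumes that the `OnboardingInfo` value is a JSON string whose `body` field is itself JSON carrying an `orgId`, that the sensor writes `OnboardingState` and `OrgId` under the `Status` key named below, and that the onboarding script logs to the Application log under source `WDATPOnboarding` (the source and event ID 10 come from the original post); the `-ExpectedOrgId` parameter and the function name are the example's own.

```powershell
# Added example: read-only report of a device's Defender for Endpoint onboarding
# state. Run from an elevated PowerShell prompt. Registry layout, value names and
# the Application-log source are assumptions documented in the lead-in.

function Get-MdeOnboardingState {
    [CmdletBinding()]
    param(
        # Org ID of the tenant the device should report to (optional). Take it from
        # the onboarding script of the NEW tenant's package; placeholder otherwise.
        [string]$ExpectedOrgId
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    $result = [ordered]@{
        SenseServiceStatus     = $null
        OnboardingState        = $null   # assumed: 1 = onboarded
        StatusOrgId            = $null   # org ID recorded by the sensor (assumed value name)
        PolicyOrgId            = $null   # orgId parsed from OnboardingInfo (assumed layout)
        MatchesExpectedOrgId   = $null
        RecentOnboardingEvents = @()
    }

    # 1. Is the Sense service (the MDE sensor) installed and running?
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseServiceStatus = $svc.Status.ToString() }

    # 2. Status key maintained by the sensor itself.
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($status) {
        $result.OnboardingState = $status.OnboardingState
        $result.StatusOrgId     = $status.OrgId
    }

    # 3. Policy key written by the onboarding script; the tenant sits inside the
    #    signed OnboardingInfo blob rather than as a plain "TenantId" value.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($policy -and $policy.OnboardingInfo) {
        try {
            $outer = $policy.OnboardingInfo | ConvertFrom-Json
            $inner = $outer.body | ConvertFrom-Json
            $result.PolicyOrgId = $inner.orgId
        } catch {
            Write-Warning "OnboardingInfo is present but could not be parsed as JSON: $_"
        }
    }

    # 4. Compare every org ID found on the box against the one you expect.
    if ($ExpectedOrgId) {
        $seen = @($result.StatusOrgId, $result.PolicyOrgId) | Where-Object { $_ }
        $mismatch = $seen | Where-Object { $_ -ne $ExpectedOrgId }
        $result.MatchesExpectedOrgId = ($seen.Count -gt 0) -and -not $mismatch
    }

    # 5. Last few onboarding-script events; ID 10 is the "already running" message.
    $filter = @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue
    if ($events) {
        $result.RecentOnboardingEvents = $events | Select-Object TimeCreated, Id, Message
    }

    [pscustomobject]$result
}

# Usage: replace the placeholder with the org ID from the new tenant's onboarding package.
$state = Get-MdeOnboardingState -ExpectedOrgId '<org-id-from-new-tenant-package>'
$state | Format-List
if ($state.MatchesExpectedOrgId -eq $false) {
    Write-Warning 'Device carries a different org ID; an offboarding package signed by that tenant is needed before re-onboarding.'
}
```

The script only reads registry values, service state and event-log entries; it deliberately does not stop or remove the Sense service, because a running sensor bound to another tenant is the condition the "already running" event reports, and moving the device is done with that tenant's signed offboarding package rather than by tampering with the service.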

Hi @AhmedBadawy

I have onboarded another machine, and it works fine and shows in Device Inventory.

[Screenshot: IMG_20220515_194654_edit_870528904820813.jpg]

The message displayed is different from the message in the post.

Moreover, I have run the script which I downloaded from security.microsoft.com.

I went through "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" OnboardingInfo, and I couldn't find the tenant ID there.

I think you would have to wipe the machine if you don't have access to the original tenant to generate the signed offboarding package. I could be wrong, I am relatively new at this, but AFAIK this is by design: we don't want attackers to be able to simply offboard machines to cover their tracks.

Best response confirmed by Mohamed Abdulmoez (Occasional Contributor)

Solution

It works after formatting the machine; I wouldn't have it so.

As I have seen this message "The Microsoft Defender for Endpoint Service is already running!", it means this service must be stopped or removed to deploy the new one.

Thank you @jbmartin6 for your reply.