May 16 2022 01:39 AM
Hello Folks!
I am trying to onboard a machine to a new tenant, but it says "The Microsoft Defender for Endpoint Service is already running", as shown in the screenshot.
However, I went to the Event Viewer to check the issue; under source WDATPOnboarding I found ID 10, which means "The Microsoft Defender for Endpoint Service is already running!"
As I remember, I onboarded this machine to a different tenant long ago, and I forgot about it as it was a trial tenant.
So, how can I disassociate the machine from the old tenant?
Thank you!
May 16 2022 02:21 AM - edited May 16 2022 02:55 AM
I would believe this is normal. The first task of the script is to run the service. When you open the CMD of the onboarding script, check line 82.
It should start with
"echo Starting the service, if not already running"
I believe you are onboarded correctly. If you would like to ensure you are reporting to the correct tenant, run the test threat script, which you can download from the security portal. It should be reflected in the tenant within 5 minutes as a threat under this specific server's status.
You can also check if the correct Tenant ID has been set on your machine. You should get your onboarding tenant ID from the script line 63 under reg key "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
According to the message you displayed, your onboarding didn't fail; it was a success.
Hope this helps
May 16 2022 03:15 AM
Hi @AhmedBadawy
I have onboarded another machine, and it works fine and it shows on Device Inventory.
The message displayed is different from the message in the post.
Moreover, I have run the script which I have downloaded from security.microsoft.com.
I went through "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" OnboardingInfo, and I couldn't find the tenant ID there.
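The checks discussed in the replies above can be scripted; this is an added example, not code posted by anyone in the thread or taken from the onboarding script. It reads the policy key named in the thread, lists recent WDATPOnboarding events, and handles the case where OnboardingInfo is missing. Assumptions: OnboardingInfo is a JSON string whose "body" field is itself JSON carrying "orgId", the events are in the Application log, and `Get-OnboardingOrgId` and `$expected` are illustrative names.

```powershell
# Added example. Run in an elevated PowerShell session on the affected machine.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Get-OnboardingOrgId {
    param([string]$Path = $key)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.OnboardingInfo) {
        return $null   # key or value absent
    }
    try {
        # Assumption: outer JSON with a nested JSON string in "body"
        $outer = $props.OnboardingInfo | ConvertFrom-Json
        $body  = $outer.body | ConvertFrom-Json
        return $body.orgId
    } catch {
        Write-Warning 'OnboardingInfo exists but is not in the assumed JSON layout.'
        return $null
    }
}

# Placeholder: paste the tenant ID shown in the new onboarding script here.
$expected = '<tenant-id-from-onboarding-script>'
$actual   = Get-OnboardingOrgId

if ($null -eq $actual) {
    Write-Output 'No tenant ID could be read from OnboardingInfo.'
} elseif ($actual -ieq $expected) {
    Write-Output "Machine is configured for the expected tenant: $actual"
} else {
    Write-Output "Tenant mismatch. Configured: $actual  Expected: $expected"
}

# State of the Defender for Endpoint service (service name: Sense).
Get-Service -Name Sense -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# Most recent onboarding events, including ID 10 mentioned in the question.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```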