Oct 19 2020 11:52 AM - edited Oct 19 2020 11:57 AM
Hello everybody,
we are currently deploying MDATP through SCCM and found something out that is, at least for me, quite shocking:
The onboarding is only processed correctly after a user is signed in on the device.
If you have a couple of machines that are turned on, but are not frequently used, this could become a problem. For example, we have a lot of virtual machines which are mostly used for testing purposes, so it can happen that they are not used for some time.
If no one is signed in after onboarding, there is Event Nr. 19 in the SENSE Eventlog stating that 'OOBE has not yet completed' and the onboarding will not continue (e.g. Defender ATP is not running, device is not onboarded in the cloud portal).
In our case, OOBE is processed via the SCCM Tasksequence and Unattended.xml during the production of the machine; our users don't see the OOBE at any point.
The devices affected were not freshly built, but had been used for a while and had countless user logons - but not after Defender ATP was deployed.
The ATP onboarding is not performed until an "interactive logon" has been performed (either physically or via RDP). It's not enough to establish a WINRM session.
After a successful logon, the SENSE Eventlog shows Event Nr. 18 'OOBE is completed' and the onboarding process begins.
We opened a ticket with Microsoft Support and got the info that this is the expected behaviour.
If a Dev or Product Manager is reading: Could someone please tell me what the design decision behind this behaviour was? This could lead to severe security problems, because the devices are not ATP onboarded and a possible attacker could execute his attack on such devices and no one would see it, because they are not protected by ATP.
Best regards
Stefan
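An added example, not part of the thread: a PowerShell report that finds machines whose SENSE sensor is still stuck at the "OOBE not completed" state described above, so an admin can spot devices that are powered on but not yet onboarded. It assumes the "SENSE Eventlog" is the 'Microsoft-Windows-SENSE/Operational' channel and uses the Event IDs 18 and 19 quoted in the post; the computer list is a constructed sample.

```powershell
# Added example (not from the thread). Reports which machines have a Defender
# for Endpoint (SENSE) sensor still waiting for the OOBE / first interactive
# logon described in the post.
# Assumptions: the "SENSE Eventlog" is the 'Microsoft-Windows-SENSE/Operational'
# channel; Event ID 19 = "OOBE has not yet completed", Event ID 18 =
# "OOBE is completed" (IDs as quoted in the post).
# $Computers is a constructed sample list; feed it from your own inventory.
$Computers = @('localhost', 'TESTVM01', 'TESTVM02')

function Get-SenseOobeState {
    param([Parameter(Mandatory)][string]$ComputerName)

    $events = @()
    try {
        # Pull only the two OOBE-related events, oldest first.
        $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
                LogName = 'Microsoft-Windows-SENSE/Operational'
                Id      = 18, 19
            } -ErrorAction Stop | Sort-Object TimeCreated)
    } catch {
        # Get-WinEvent throws when nothing matches or the host is unreachable;
        # both mean "no evidence of a working sensor" and deserve a look too.
        $events = @()
    }

    $last = $events | Select-Object -Last 1
    if (-not $last) {
        $state = 'NoSenseOobeEvents'        # sensor absent or never reported
    } elseif ($last.Id -eq 19) {
        $state = 'WaitingForFirstLogon'     # the problem from the post
    } else {
        $state = 'OobeCompleted'            # Event 18 seen, onboarding proceeds
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        State        = $state
        LastEventId  = if ($last) { $last.Id } else { $null }
        LastSeen     = if ($last) { $last.TimeCreated } else { $null }
    }
}

# Devices not in 'OobeCompleted' are powered on but not protected by ATP.
$report = foreach ($c in $Computers) { Get-SenseOobeState -ComputerName $c }
$report | Sort-Object State | Format-Table -AutoSize
$report | Where-Object State -ne 'OobeCompleted' |
    Export-Csv -Path .\sense-oobe-stuck.csv -NoTypeInformation
```

Run it from an account with remote event log read rights; the CSV lists the machines that still need an interactive logon (or the documented workaround) before the sensor onboards.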
Oct 21 2020 07:25 PM
@SteBeSec I recently just requested that they update the docs to reflect this missing step.
In a troubleshooting article (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troublesh...) there is a section that hints you need to log on, with the following:
"Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed"
There is a section below that has a very interesting way of dealing with that: creating a package that will force a service to start and update the registry to get past this limitation. This might be worth it for you, but from an Intune\MEM point of view it doesn't help.
May 07 2021 01:05 PM
@SteBeSec Hi, Do you have any update on this ?
May 08 2021 11:14 AM - edited May 08 2021 11:15 AM
Yes, last week an escalation engineer told me that the fix is part of the current Cumulative Update preview (April C release) and will be part of the next "normal" Cumulative Update (May B release).
I can confirm that the fix works as expected.