Forum Discussion

SteBeSec
Iron Contributor
Oct 19, 2020

ATP onboarding - only possible after interactive login?

Hello everybody,


we are currently deploying MDATP through SCCM and found out something that is, at least for me, quite shocking:


The onboarding is only processed correctly after a user has signed in on the device.
If you have a couple of machines that are turned on but not frequently used, this could become a problem. For example, we have a lot of virtual machines which are mostly used for testing purposes, so it can happen that they are not used for some time.


If no one is signed in after onboarding, there is Event No. 19 in the SENSE event log stating that 'OOBE has not yet completed', and the onboarding does not continue (e.g. Defender ATP is not running, the device is not onboarded in the cloud portal).
In our case, OOBE is processed via the SCCM task sequence and Unattended.xml during the production of the machine; our users don't see the OOBE at any point.

The devices affected were not freshly built, but had been in use for some time and had countless user logons - but not after Defender ATP was deployed.


The ATP onboarding is not performed until an "interactive logon" has been performed (either physically or via RDP). It's not enough to establish a WinRM session.

After a successful logon, the SENSE event log shows Event No. 18 'OOBE is completed' and the onboarding process begins.


We opened a ticket with Microsoft Support and got the info that this is the expected behaviour.


If a dev or product manager is reading: could someone please tell me what the design decision behind this behaviour was? This could lead to severe security problems, because the devices are not ATP onboarded and a possible attacker could execute his attack on such devices and no one would see it, because they are not protected by ATP.


Best regards

Stefan


6 Replies

    • SteBeSec
      Iron Contributor

      Yes, last week an escalation engineer told me that the fix is part of the current Cumulative Update preview (April C release) and will be part of the next "normal" Cumulative Update (May B release).

      I can confirm that the fix works as expected.

      • DaveRClouds
        Copper Contributor
        Hi, thanks for this information. Very useful to know a hotfix is available!
        Do you have a hotfix KB number?
        I've had a look through the patch release notes for April Preview / May Release but can't see any reference to this fix being included.
  • Jlouden91
    Copper Contributor

    SteBeSec I recently requested that they update the docs to reflect this missing step.


    In a troubleshooting article (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding) there is a section that hints you need to log on, with the following heading:

    "Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed"

    There is a section below that has a very interesting way of dealing with that: creating a package that will force a service to start and update the registry to get past this limitation. This might work for you, but from an Intune/MEM point of view it doesn't help.

    • SteBeSec
      Iron Contributor
      Hi Jlouden,

      I know this article, but unfortunately that is not the case in our situation.
      The Sense service is running and onboarding information is present on affected machines, but the onboarding is still not performed.

      You have to log in to a machine to start the onboarding process.
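An added example, not part of the thread and not Microsoft's code: a PowerShell check for the situation the original post and the troubleshooting-article reply describe. It reports, per machine, the newest OOBE-related SENSE event (Event 19 "OOBE has not yet completed" versus Event 18 "OOBE is completed", as reported in the thread), the state of the Sense service, and whether onboarding has finished. It assumes the SENSE operational log is named Microsoft-Windows-SENSE/Operational, the service is named Sense, and the onboarding status lives in HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status as a DWORD OnboardingState with 1 meaning onboarded; the VM names are placeholders. The remote sweep runs over WinRM, which per the thread does not count as an interactive logon, so this script only reports which machines are stuck, it does not unblock them.

```powershell
# Added example (not from the thread, not Microsoft's code). Run elevated.
# Assumptions not stated in the thread:
#   - SENSE operational log: Microsoft-Windows-SENSE/Operational
#   - Status key: HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status
#     DWORD OnboardingState, 1 = onboarded
#   - Service name: Sense
# Event IDs 19 (OOBE not completed) and 18 (OOBE completed) are as reported in the thread.

$checkBlock = {
    $logName   = 'Microsoft-Windows-SENSE/Operational'
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # Get-WinEvent returns newest first, so -MaxEvents 1 yields the latest 18/19 event.
    $oobeEvent = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 18, 19 } `
                              -MaxEvents 1 -ErrorAction SilentlyContinue

    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue

    $state = $null
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    $oobeDone  = ($null -ne $oobeEvent -and $oobeEvent.Id -eq 18)
    $onboarded = ($state -eq 1)

    if ($onboarded) {
        $verdict = 'Onboarded'
    }
    elseif ($oobeEvent -and -not $oobeDone) {
        # Event 19 is the newest: sensor is waiting for a console or RDP logon.
        $verdict = 'Blocked: waiting for interactive logon (Event 19)'
    }
    elseif ($svc -and $svc.Status -ne 'Running') {
        $verdict = 'Sense service not running'
    }
    else {
        $verdict = 'Not onboarded (no OOBE event yet or unknown cause)'
    }

    $svcStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    $evtId     = if ($oobeEvent) { $oobeEvent.Id } else { $null }
    $evtTime   = if ($oobeEvent) { $oobeEvent.TimeCreated } else { $null }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        SenseService    = $svcStatus
        LastOobeEventId = $evtId
        LastOobeEventAt = $evtTime
        OnboardingState = $state
        Verdict         = $verdict
    }
}

# Local check on the machine you are sitting on.
& $checkBlock | Format-List

# Remote sweep over the idle test VMs (placeholder names). WinRM is not an interactive
# logon, so this will not itself trigger the onboarding; it only finds the stuck machines.
$vmNames = @('TESTVM01', 'TESTVM02')
$results = Invoke-Command -ComputerName $vmNames -ScriptBlock $checkBlock -ErrorAction Continue
$results |
    Select-Object Computer, SenseService, LastOobeEventId, OnboardingState, Verdict |
    Format-Table -AutoSize

# Machines that need someone to log on (console or RDP) before Defender ATP protects them.
$results | Where-Object { $_.Verdict -like 'Blocked*' } | ForEach-Object {
    Write-Warning ("{0}: not onboarded; unprotected until an interactive logon occurs" -f $_.Computer)
}
```

Feed the "Blocked" list to whoever can perform a console or RDP logon on those VMs, then re-run the sweep and confirm Event 18 appears and OnboardingState turns to 1.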
