AATP Sensor not starting

Hello,

Does any one of you have an idea why the service doesn't start?

 

Threat Protection Log:

[1FB8:2328][2022-09-14T16:17:07]i001: Burn v3.11.2.4516, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Windows\Temp\{6CEE5F61-004B-4051-9545-01C706B2D8A3}\.cr\Azure ATP Sensor Setup.exe
[1FB8:2328][2022-09-14T16:17:07]i000: Initializing hidden variable 'AccessKey'
[1FB8:2328][2022-09-14T16:17:07]i000: Initializing hidden variable 'ProxyConfiguration'
[1FB8:2328][2022-09-14T16:17:07]i000: Initializing hidden variable 'ProxyUserPassword'
[1FB8:2328][2022-09-14T16:17:07]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[1FB8:2328][2022-09-14T16:17:07]i009: Command Line: '"-burn.clean.room=C:\Users\ad-spiessma\Desktop\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=420 -burn.filehandle.self=424'
[1FB8:2328][2022-09-14T16:17:07]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\ad-spiessma\Desktop\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe'
[1FB8:2328][2022-09-14T16:17:07]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\ad-spiessma\Desktop\Azure ATP Sensor Setup\'
[1FB8:2328][2022-09-14T16:17:07]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\AD-SPI~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20220914161707.log'
[1FB8:2328][2022-09-14T16:17:07]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
[1FB8:2328][2022-09-14T16:17:07]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[1FB8:2328][2022-09-14T16:17:07]i000: Loading managed bootstrapper application.
[1FB8:2328][2022-09-14T16:17:08]i000: Creating BA thread to run asynchronously.
[1FB8:2328][2022-09-14T16:17:09]i100: Detect begin, 5 packages
[1FB8:2328][2022-09-14T16:17:09]i000: 2022-09-14 14:17:09.5864 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]
[1FB8:2328][2022-09-14T16:17:09]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[1FB8:2328][2022-09-14T16:17:09]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[1FB8:2328][2022-09-14T16:17:09]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[1FB8:2328][2022-09-14T16:17:09]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[1FB8:2328][2022-09-14T16:17:09]i000: Setting string variable 'NetFrameworkRegistryValue' to value '461814'
[1FB8:2328][2022-09-14T16:17:09]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[1FB8:2328][2022-09-14T16:17:09]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
[1FB8:2328][2022-09-14T16:17:09]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[1FB8:2328][2022-09-14T16:17:09]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[1FB8:2328][2022-09-14T16:17:09]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1FB8:2328][2022-09-14T16:17:09]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1FB8:2328][2022-09-14T16:17:09]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[1FB8:2328][2022-09-14T16:17:09]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[1FB8:2328][2022-09-14T16:17:09]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[1FB8:2328][2022-09-14T16:17:09]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[1FB8:2328][2022-09-14T16:17:09]i101: Detected package: MsiPackage, state: Absent, cached: None
[1FB8:2328][2022-09-14T16:17:09]i199: Detect complete, result: 0x0
[1FB8:1604][2022-09-14T16:17:09]i000: 2022-09-14 14:17:09.6332 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]
[1FB8:1604][2022-09-14T16:17:09]i000: 2022-09-14 14:17:09.7426 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
[1FB8:1604][2022-09-14T16:17:48]i000: 2022-09-14 14:17:48.4385 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]
[1FB8:1604][2022-09-14T16:17:48]i000: Setting string variable 'IsConfigured' to value 'True'
[1FB8:1604][2022-09-14T16:17:48]i000: Setting hidden variable 'AccessKey'
[1FB8:1604][2022-09-14T16:17:48]i000: Unsetting variable 'DelayedUpdate'
[1FB8:1604][2022-09-14T16:17:48]i000: Setting hidden variable 'ProxyConfiguration'
[1FB8:1604][2022-09-14T16:17:48]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'
[1FB8:2328][2022-09-14T16:17:48]i200: Plan begin, 5 packages, action: Install
[1FB8:2328][2022-09-14T16:17:48]i052: Condition 'VersionNT64 = v6.1' evaluates to false.
[1FB8:2328][2022-09-14T16:17:48]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
[1FB8:2328][2022-09-14T16:17:48]i052: Condition 'VersionNT64 = v6.2' evaluates to false.
[1FB8:2328][2022-09-14T16:17:48]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
[1FB8:2328][2022-09-14T16:17:48]i052: Condition 'ServerLevelsServerCoreRegistryValue <> 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.
[1FB8:2328][2022-09-14T16:17:48]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
[1FB8:2328][2022-09-14T16:17:48]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue <> 1' evaluates to false.
[1FB8:2328][2022-09-14T16:17:48]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
[1FB8:2328][2022-09-14T16:17:48]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Users\AD-SPI~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20220914161707_000_MsiPackage_rollback.log'
[1FB8:2328][2022-09-14T16:17:48]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Users\AD-SPI~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20220914161707_000_MsiPackage.log'
[1FB8:2328][2022-09-14T16:17:48]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1FB8:2328][2022-09-14T16:17:48]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1FB8:2328][2022-09-14T16:17:48]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1FB8:2328][2022-09-14T16:17:48]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1FB8:2328][2022-09-14T16:17:48]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[1FB8:2328][2022-09-14T16:17:48]i299: Plan complete, result: 0x0
[1FB8:2328][2022-09-14T16:17:48]i300: Apply begin
[1FB8:2328][2022-09-14T16:17:48]i010: Launching elevated engine process.
[1FB8:2328][2022-09-14T16:17:49]i011: Launched elevated engine process.
[1FB8:2328][2022-09-14T16:17:49]i012: Connected to elevated engine.
[21E8:1C34][2022-09-14T16:17:49]i358: Pausing automatic updates.
[21E8:1C34][2022-09-14T16:17:52]i359: Paused automatic updates.
[21E8:1C34][2022-09-14T16:17:52]i360: Creating a system restore point.
[21E8:1C34][2022-09-14T16:17:52]i362: System restore disabled, system restore point not created.
[21E8:1C34][2022-09-14T16:17:52]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80a28827-fca2-4fc4-a340-abee8d399e56}, options: 0x7, disable resume: No
[21E8:1C34][2022-09-14T16:17:52]i000: Caching bundle from: 'C:\Windows\Temp\{B0299F6D-FCC1-43B6-BFE2-D16668B5EAF4}\.be\Azure ATP Sensor Setup.exe' to: 'C:\ProgramData\Package Cache\{80a28827-fca2-4fc4-a340-abee8d399e56}\Azure ATP Sensor Setup.exe'
[21E8:1C34][2022-09-14T16:17:53]i320: Registering bundle dependency provider: {80a28827-fca2-4fc4-a340-abee8d399e56}, version: 2.185.15524.950
[21E8:1C34][2022-09-14T16:17:53]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80a28827-fca2-4fc4-a340-abee8d399e56}, resume: Active, restart initiated: No, disable resume: No
[21E8:2188][2022-09-14T16:17:53]i305: Verified acquired payload: MsiPackage at path: C:\ProgramData\Package Cache\.unverified\MsiPackage, moving to: C:\ProgramData\Package Cache\{B089D895-371E-47EA-B030-3D9C69BA9A85}v2.185.15524.950\Microsoft.Tri.Sensor.Deployment.Package.msi.
[21E8:2188][2022-09-14T16:17:53]i305: Verified acquired payload: cab9C68882706A1052319FE6C1B5DE23439 at path: C:\ProgramData\Package Cache\.unverified\cab9C68882706A1052319FE6C1B5DE23439, moving to: C:\ProgramData\Package Cache\{B089D895-371E-47EA-B030-3D9C69BA9A85}v2.185.15524.950\1.
[21E8:1C34][2022-09-14T16:17:53]i323: Registering package dependency provider: {B089D895-371E-47EA-B030-3D9C69BA9A85}, version: 2.185.15524.950, package: MsiPackage
[21E8:1C34][2022-09-14T16:17:53]i301: Applying execute package: MsiPackage, action: Install, path: C:\ProgramData\Package Cache\{B089D895-371E-47EA-B030-3D9C69BA9A85}v2.185.15524.950\Microsoft.Tri.Sensor.Deployment.Package.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" DelayedUpdate="" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="C:\Users\ad-spiessma\Desktop\Azure ATP Sensor Setup\"'
[1FB8:2328][2022-09-14T16:18:21]i319: Applied execute package: MsiPackage, result: 0x0, restart: None
[21E8:1C34][2022-09-14T16:18:21]i325: Registering dependency: {80a28827-fca2-4fc4-a340-abee8d399e56} on package provider: {B089D895-371E-47EA-B030-3D9C69BA9A85}, package: MsiPackage
[21E8:1C34][2022-09-14T16:18:21]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80a28827-fca2-4fc4-a340-abee8d399e56}, resume: ARP, restart: None, disable resume: No
[21E8:1C34][2022-09-14T16:18:21]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80a28827-fca2-4fc4-a340-abee8d399e56}, resume: ARP, restart initiated: No, disable resume: No
[1FB8:2328][2022-09-14T16:18:21]i399: Apply complete, result: 0x0, restart: None, ba requested restart: No
[1FB8:1604][2022-09-14T16:18:28]i000: 2022-09-14 14:18:28.2697 Debug SensorBootstrapperApplication Run Engine.Quit [\[]deploymentResultStatus=0 isRestartRequired=False[\]]
[1FB8:2328][2022-09-14T16:18:28]i500: Shutting down, exit code: 0x0
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: AccessKey = *****
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: InstallationPath = C:\Program Files\Azure Advanced Threat Protection Sensor
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: IsConfigured = True
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: Kb4019990Windows2008R2Exists = 0
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: Kb4019990Windows2012Exists = 0
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: NetFrameworkRegistryValue = 461814
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: RebootPending = 0
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: ServerLevelsServerCoreRegistryValue = 1
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: ServerLevelsServerGuiShellRegistryValue = 1
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: VersionNT64 = 6.3.0.0
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleAction = 5
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleElevated = 1
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleLog = C:\Users\AD-SPI~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20220914161707.log
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleLog_MsiPackage = C:\Users\AD-SPI~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20220914161707_000_MsiPackage.log
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleManufacturer = Microsoft Corporation
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleOriginalSource = C:\Users\ad-spiessma\Desktop\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleOriginalSourceFolder = C:\Users\ad-spiessma\Desktop\Azure ATP Sensor Setup\
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleProviderKey = {80a28827-fca2-4fc4-a340-abee8d399e56}
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleRollbackLog_MsiPackage = C:\Users\AD-SPI~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20220914161707_000_MsiPackage_rollback.log
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleSourceProcessFolder = C:\Users\ad-spiessma\Desktop\Azure ATP Sensor Setup\
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleSourceProcessPath = C:\Users\ad-spiessma\Desktop\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleTag =
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleUILevel = 4
[1FB8:2328][2022-09-14T16:18:28]i410: Variable: WixBundleVersion = 2.185.15524.950
[1FB8:2328][2022-09-14T16:18:29]i007: Exit code: 0x0, restarting: No

 

TriSensor Log:

 

2022-09-14 14:18:03.2374 Info Program Main Deployer started [arguments=PW8ZXWxgDAfgHB+Uq5tmHg==]
2022-09-14 14:18:03.3312 Debug InstallActionGroup Apply started
2022-09-14 14:18:03.3312 Debug CreateCertificateAction Apply started [suppressFailure=False]
2022-09-14 14:18:08.7208 Debug CreateCertificateAction Apply finished
2022-09-14 14:18:08.7208 Debug CreateSensorAction Apply started [suppressFailure=False]
2022-09-14 14:18:09.3900 Debug CreateSensorAction Apply finished
2022-09-14 14:18:09.3900 Debug TestCertificateAndProxyAction Apply started [suppressFailure=False]
2022-09-14 14:18:09.7651 Debug TestCertificateAndProxyAction Apply finished
2022-09-14 14:18:09.7651 Debug SaveSensorMandatoryConfigurationAction Apply started [suppressFailure=False]
2022-09-14 14:18:09.7963 Debug SaveSensorMandatoryConfigurationAction Apply finished
2022-09-14 14:18:09.7963 Debug CreateServicesActionGroup Apply started
2022-09-14 14:18:09.7963 Debug CreateServiceAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.1401 Debug CreateServiceAction Apply finished
2022-09-14 14:18:10.1401 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.1557 Debug SetServiceDescriptionAction Apply finished
2022-09-14 14:18:10.1557 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.1713 Debug ConfigureServiceAction Apply finished
2022-09-14 14:18:10.1713 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.1869 Debug SetServicePreshutdownTimeoutAction Apply finished
2022-09-14 14:18:10.1869 Debug CreateServiceAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.1869 Debug CreateServiceAction Apply finished
2022-09-14 14:18:10.1869 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.2026 Debug SetServiceDescriptionAction Apply finished
2022-09-14 14:18:10.2026 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.2182 Debug ConfigureServiceAction Apply finished
2022-09-14 14:18:10.2182 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.2182 Debug SetServicePreshutdownTimeoutAction Apply finished
2022-09-14 14:18:10.2182 Debug CreateServicesActionGroup Apply finished
2022-09-14 14:18:10.2182 Debug ConfigureVirtualServiceAccountAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.3276 Debug ConfigureVirtualServiceAccountAction Apply finished
2022-09-14 14:18:10.3276 Debug RegisterCrashDumpsAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.3276 Debug RegisterCrashDumpsAction Apply finished
2022-09-14 14:18:10.3276 Debug EnableTls12Action Apply started [suppressFailure=False]
2022-09-14 14:18:10.3276 Debug EnableTls12Action Apply finished
2022-09-14 14:18:10.3276 Debug CopyServiceLogsOnRevertAction Apply started [suppressFailure=False]
2022-09-14 14:18:10.3276 Debug CopyServiceLogsOnRevertAction Apply finished
2022-09-14 14:18:10.3276 Debug StartServiceAction Apply started [suppressFailure=False]
2022-09-14 14:18:20.3757 Debug StartServiceAction Apply finished
2022-09-14 14:18:20.3757 Debug InstallActionGroup Apply finished
2022-09-14 14:18:20.3757 Info Program Main Deployer finished

5 Replies
Take a look in the actual sensor logs, not the deployment logs.
It appears the deployment went well, but the sensor was blocked from starting, and the answer should be there.
These are the Sensor Logs:
2022-09-14 16:51:46.8050 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__47 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=<DCName>]
at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2022-09-14 16:51:46.8206 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas=<DCName>]
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDirectoryServicesDomainNetworkCredentialsManager domainNetworkCredentialsManager, IDomainTrustMappingManager domainTrustMappingManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Connection to AD is failing. Check the log entries before this failure to see the exact error codes.

@EliOfek where can I find these logs?

Same place you copied the above from: below the folder that holds the sensor's binary, under the "Logs" folder. If the setup rolled back, it would be copied to temp.
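
The triage the replies describe (open the sensor log and read the entries that precede the domain controller failure), as an added example that is not part of the original thread or of the product. The function names are hypothetical, the log path is passed as an argument rather than assumed, and the embedded sample is built from the two errors quoted above with abridged stack frames plus one constructed placeholder line.

```python
import re
import sys
from collections import namedtuple

# Entry header as it appears in the sensor log quoted in the thread:
# "YYYY-MM-DD HH:MM:SS.ffff Level Source message"
HEADER = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (\w+) (\S+) ?(.*)$")
Entry = namedtuple("Entry", "timestamp level source message trace")

# Message text of the fatal startup error quoted in the thread.
MARKER = "Failed to communicate with configured domain controllers"

def parse_entries(lines):
    """Attach stack-trace continuation lines ("at ...") to their header entry."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = HEADER.match(line)
        if m:
            entries.append(Entry(*m.groups(), trace=[]))
        elif entries and line.strip():
            entries[-1].trace.append(line.strip())
    return entries

def context_before_failure(entries, marker=MARKER, before=5):
    """Return (preceding entries, failing entry) for the first Error with marker."""
    for i, entry in enumerate(entries):
        if entry.level == "Error" and marker in entry.message:
            return entries[max(0, i - before):i], entry
    return [], None

# Sample input: the first line is a constructed placeholder; the two Error
# entries are from the thread, with their stack traces abridged to one frame.
SAMPLE = """\
2022-09-14 16:51:40.0000 Info ExampleSource constructed placeholder entry
2022-09-14 16:51:46.8050 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__47 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=<DCName>]
   at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(...)
2022-09-14 16:51:46.8206 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas=<DCName>]
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
""".splitlines()

if __name__ == "__main__":
    # Usage: script.py <path to a copy of the sensor log>; no argument uses SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    preceding, failure = context_before_failure(parse_entries(lines))
    if failure is None:
        print("marker not found in log")
    else:
        for e in preceding + [failure]:
            print(e.timestamp, e.level, e.source, e.message)
            if e.trace:
                print("    " + e.trace[0])  # first frame is usually enough
```
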