SOLVED

Azure ATP Sensor Setup not launching


Server 2019 CORE Domain Controller

Latest Cumulative Update available

Azure ATP Sensor Setup.exe version 2.0.0.0

I checked and the ntdsai.dll file is version 10.0.17763.1 (According to https://docs.microsoft.com/en-us/defender-for-identity/prerequisites this seems to be correct "* Requires KB4487044 or newer cumulative update. Sensors installed on Server 2019 without this update will be automatically stopped if the file version of the ntdsai.dll file in the system directory is older than 10.0.17763.316.")

Originally I attempted to run with the CLI quiet install, proxyurl, and access key options on the command line but when I saw that nothing got installed, I tried JUST launching the sensor direct so I could see the GUI popup like it does with our 2016 servers, but nothing happened.  The screen flashes and then it comes back.  As nothing is installed, I don't see anything in the Program Files directories for logging purposes.  I even checked my AppData folders and the Event logs but I don't see anything related to the attempted sensor install.

I then attempted this on a second machine with the same specs and got the same result.

So I tried to run msiexec to see if I could get some install logging and it said, "This installation package could not be opened.  Contact the application vendor to verify that this is a valid Windows Installer package."  I guess that's because it's not an msi?  I was just grasping at straws at that point.

I've also downloaded a fresh sensor .exe and .json from the site with the same results (just in case).

Is there something obvious I'm missing here or should be trying?  This didn't seem to happen on our 2016 DCs.

10.0.17763.1 < 10.0.17763.316
Install the required KB please.
Anyway, you should see an indication in the logs:
https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs#defender-for-ident...
Ah right, my bad. I got lost in the 'older' vs. 'greater than' context.

Thank you.
So I triple checked and it has the latest cumulative update KB5001568. According to the catalog site KB4487044 was replaced by KB4598296 which was replaced by KB5001568 (Makes sense given they are cumulative I guess), however, I noticed the .dll file didn't update its version.

In the logs, it's mentioning a connectivity error, even though on the proxy it's showing a connection over 443 to our tenant site when the attempt is made. Do I need to add the proxy information in the web.config file for .NET as well as using the command line switch?

[1E88:1C24][2021-03-18T07:12:19]i001: Burn v3.11.0.1701, Windows v10.0 (Build 17763: Service Pack 0), path: C:\Users\username\AppData\Local\Temp\3\{EF2C31E1-05DE-4092-B1C8-C82A418538A4}\.cr\Azure ATP Sensor Setup.exe
[1E88:1C24][2021-03-18T07:12:19]i000: Initializing hidden variable 'AccessKey'
[1E88:1C24][2021-03-18T07:12:19]i000: Initializing hidden variable 'ProxyConfiguration'
[1E88:1C24][2021-03-18T07:12:19]i000: Initializing hidden variable 'ProxyUserPassword'
[1E88:1C24][2021-03-18T07:12:19]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[1E88:1C24][2021-03-18T07:12:19]i009: Command Line: '"-burn.clean.room=C:\Users\username\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=636 -burn.filehandle.self=656 /quiet NetFrameworkCommandLineArguments=/q ProxyUrl=http://proxy.ip.address:80 AccessKey=*****'
[1E88:1C24][2021-03-18T07:12:19]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\username\Azure ATP Sensor Setup.exe'
[1E88:1C24][2021-03-18T07:12:19]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\username\'
[1E88:1C24][2021-03-18T07:12:19]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\username\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210318071219.log'
[1E88:1C24][2021-03-18T07:12:20]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
[1E88:1C24][2021-03-18T07:12:20]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[1E88:1C24][2021-03-18T07:12:20]i000: Loading managed bootstrapper application.
[1E88:1C24][2021-03-18T07:12:20]i000: Creating BA thread to run asynchronously.
[1E88:1C24][2021-03-18T07:12:21]i100: Detect begin, 5 packages
[1E88:1C24][2021-03-18T07:12:21]i000: 2021-03-18 11:12:21.4388 Debug DeploymentModel DetectDeploymentAction DetectBegin [Installed=False]
[1E88:1C24][2021-03-18T07:12:21]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[1E88:1C24][2021-03-18T07:12:21]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[1E88:1C24][2021-03-18T07:12:21]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[1E88:1C24][2021-03-18T07:12:21]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[1E88:1C24][2021-03-18T07:12:21]i000: Setting string variable 'NetFrameworkRegistryValue' to value '461814'
[1E88:1C24][2021-03-18T07:12:21]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[1E88:1C24][2021-03-18T07:12:21]i000: Registry value not found. Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels', Value = 'Server-Gui-Shell'
[1E88:1C24][2021-03-18T07:12:21]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[1E88:1C24][2021-03-18T07:12:21]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[1E88:1C24][2021-03-18T07:12:21]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1E88:1C24][2021-03-18T07:12:21]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1E88:1C24][2021-03-18T07:12:21]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[1E88:1C24][2021-03-18T07:12:21]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[1E88:1C24][2021-03-18T07:12:21]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[1E88:1C24][2021-03-18T07:12:21]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[1E88:1C24][2021-03-18T07:12:21]i101: Detected package: MsiPackage, state: Absent, cached: None
[1E88:1C24][2021-03-18T07:12:21]i199: Detect complete, result: 0x0
[1E88:1870][2021-03-18T07:12:21]i000: 2021-03-18 11:12:21.4701 Debug DeploymentModel .ctor [DeploymentAction=Install]
[1E88:1870][2021-03-18T07:12:21]i000: 2021-03-18 11:12:21.5951 Debug DeploymentModel .ctor [IsAfterRestartAndConfigured=False]
[1E88:17A4][2021-03-18T07:12:25]i000: 2021-03-18 11:12:25.1107 Error DeploymentModel ValidateCreateSensorAsync Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=kZbHZ02cunBcHiKyFrnbkg==StackTrace= at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=qjknu4hBXwvJI0E0QdTPeg==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Security.Authentication.AuthenticationExceptionMessage=6z1uGhDl9oSwNuQo3dIDfw==StackTrace= at void System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at void System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
at void System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)InnerException=]]]
at Microsoft.Tri.Common.CommunicationWebClient.<SendWithRetryAsync>d__9`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Common.CommunicationWebClient.<SendAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Sensor.Common.WorkspaceApplicationSensorApiDeploymentProxy.<SendAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Tri.Sensor.Deployment.Bundle.UI.DeploymentModel.<ValidateCreateSensorAsync>d__52.MoveNext() failed connecting to service. The issue can be caused by a transparent proxy configuration [WorkspaceApplicationSensorApiEndpoint=Unspecified/tenantnamesensorapi.atp.azure.com:443]
[1E88:1870][2021-03-18T07:12:25]i000: 2021-03-18 11:12:25.1107 Info DeploymentManager Run ValidateCreateSensorAsync returned [validateCreateSensorResult=FailedConnectivity]
[1E88:1870][2021-03-18T07:12:25]i000: 2021-03-18 11:12:25.1107 Error DeploymentManager Run Failed to connect to server
[1E88:1870][2021-03-18T07:12:25]i000: 2021-03-18 11:12:25.1107 Debug SensorBootstrapperApplication Run Engine.Quit [deploymentResultStatus=1602 isRestartRequired=False]
[1E88:1C24][2021-03-18T07:12:25]i500: Shutting down, exit code: 0x642
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: Kb4019990Windows2008R2Exists = 0
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: Kb4019990Windows2012Exists = 0
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: NetFrameworkRegistryValue = 461814
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: RebootPending = 0
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: ServerLevelsServerCoreRegistryValue = 1
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleAction = 5
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleElevated = 1
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleLog = C:\Users\username\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210318071219.log
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleManufacturer = Microsoft Corporation
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleOriginalSource = C:\Users\username\Azure ATP Sensor Setup.exe
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleOriginalSourceFolder = C:\Users\username\
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleProviderKey = {7159ef02-2939-4ecd-905d-6ec71a60c4b5}
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleSourceProcessFolder = C:\Users\username\
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleSourceProcessPath = C:\Users\username\Azure ATP Sensor Setup.exe
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleTag =
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleUILevel = 2
[1E88:1C24][2021-03-18T07:12:25]i410: Variable: WixBundleVersion = 2.0.0.0
[1E88:1C24][2021-03-18T07:12:25]i007: Exit code: 0x642, restarting: No
best response confirmed by I_tried (New Contributor)
Solution
Use this method to check the file version:
wmic datafile where name="C:\\Windows\\System32\\drivers\\ntdsai.dll" get version
It works better for a patched image on Windows... I am guessing you will see a higher version.

The error in the log also suggests you have gone past this version test.
The proxy you supplied as a parameter looks OK. We can reach the backend via 443 for the initial communication, which is based on TLS + access key.
The communication breaks when we switch to mutual certificate authentication.
This is likely happening if your proxy is doing SSL inspection which we do not support....
Another issue might be that you are missing root CAs.
See
https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues#proxy-authentica...
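An added PowerShell pre-flight for the two checks made in this answer (not code from the thread or from Microsoft): it reads the binary version parts of ntdsai.dll and compares them the way the prerequisite is worded (older than the minimum fails), then opens a TLS session to the sensor API host and reports the certificate issuer and chain status, which is where an inspecting proxy or a missing root CA shows up. The host name is a placeholder taken from the log above, and the TLS check connects directly (it does not send an HTTP CONNECT through a proxy), so run it from a machine with direct egress.

```powershell
# Added example (not from this thread or from Microsoft): pre-flight checks for the two
# failure modes discussed above. $SensorApiHost is a placeholder copied from the log line.
$RequiredNtdsai = [version]'10.0.17763.316'             # minimum quoted from the prerequisites doc
$SensorApiHost  = 'tenantnamesensorapi.atp.azure.com'   # replace with your tenant's sensor API host

function Test-NtdsaiVersion {
    # Reads the binary version resource parts (what wmic reports), not the display string.
    # The sensor is stopped when the file is OLDER than the minimum, i.e. -lt, not -gt.
    $vi = (Get-Item (Join-Path $env:SystemRoot 'System32\ntdsai.dll')).VersionInfo
    $fv = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        FileVersion = $fv
        Required    = $RequiredNtdsai
        TooOld      = ($fv -lt $RequiredNtdsai)   # $true means install the cumulative update first
    }
}

function Test-SensorTls {
    # Opens a TLS session to the sensor API host and reports who issued the certificate and
    # whether this machine can build a trusted chain to it. Direct connection only: no proxy
    # CONNECT is sent, so run this from a host that can reach the endpoint directly.
    param([string]$HostName = $SensorApiHost, [int]$Port = 443)
    $script:seenCert = $null; $script:policyErrors = $null
    # Record the certificate instead of failing the handshake so it can be inspected afterwards.
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $errors)
        $script:seenCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)
        $script:policyErrors = $errors
        $true
    }
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
    } finally { $tcp.Dispose() }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trusted = $chain.Build($script:seenCert)
    [pscustomobject]@{
        Subject      = $script:seenCert.Subject
        Issuer       = $script:seenCert.Issuer     # a corporate/proxy CA here means TLS inspection
        PolicyErrors = $script:policyErrors        # RemoteCertificateChainErrors -> check root CAs
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus.Status -join ', ')   # e.g. UntrustedRoot, PartialChain
    }
}

Test-NtdsaiVersion | Format-List
Test-SensorTls     | Format-List
```

A TooOld of $true points at the cumulative update; an Issuer that is your own proxy or corporate CA, or a ChainStatus of UntrustedRoot or PartialChain, points at the inspection or missing-root-CA causes named in the answer.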

We already had SSL scanning turned off for those sites and I had imported the certificates we were using for the 2016 servers but it looks like we left one out. Not sure how the other sensors are working without the one, but they are...

Just wanted to update you and thank you for your help. It's working now.