SOLVED

Azure ATP Sensor - Update process questions

Contributor

Hi Azure ATP Tech Community,

 

I have a few questions in relation to the update process for the sensor and am hoping you can help?

 

1) Do all updates (minor and major revisions) require a reboot of the DC?

 

2) If the answer to the above is no - what determines if a reboot is required? (i.e. only major revisions require reboots, or does it vary depending on what the update contains?)

 

3) If you check the box not to allow automatic DC reboots as part of the update process, is a health alert generated in the portal, post update to advise sec ops analysts that a reboot is pending on a particular DC? 

 

4) If a post update reboot is pending on a DC, what state does that leave the sensor in on that DC?

For example, does it work at all? Does it work with the same functionality as it had pre-update but post-update enhancements don't work until post reboot, or does it simply not report to the ATP service at all (therefore making sure reboots take place is highly critical to the function of the service overall)?

 

Thanks

 

Paul 

 

4 Replies
Best Response confirmed by PJR_CDF (Contributor)
Solution

@PJR_CDF 

 

1) No

2) For now (unless changed at some point) only major. A reboot might be required if the .NET Framework is not at the required minimum version, or if a cumulative update that is needed is not installed.

3) No health alert, but it will appear as pending update in the sensor list config page.

4) It depends. In general we try to keep it so it will be functional without the new features (for a few days). It's best to upgrade ASAP.


@PJR_CDF Following :)


Thanks @Eli Ofek  - just the info I needed

 


Thanks @Eli Ofek & @PJR_CDF much appreciated