Dec 06 2023 01:51 AM - edited Dec 06 2023 01:53 AM
Hello
Does anyone have this issue with Defender for Identity sensor version 2.222.17390.40606 on Windows Server 2022?
"The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 3650 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service."
Dec 06 2023 02:01 AM
Dec 06 2023 02:18 AM
@Arngrimur Magnusson Does it still happen now, or is it resolved already?
Dec 06 2023 02:26 AM - edited Dec 06 2023 02:27 AM
@Eli Ofek Still happening right now at 6. Dec. 2023 at 10:26 UTC.
I have sensors installed on 6 servers and all have the same behavior.
Workspace version 2.222.17387.18816, Geolocation United Kingdom
Dec 06 2023 02:49 AM
Dec 15 2023 12:39 PM
@Eli Ofek The issue is fixed, but that is in no way thanks to Microsoft support. That was a complete waste of time. Really looking forward to filling out the customer survey.
Anyway, it looks like we were yet another victim of the Windows Secure Time Seeding. The puzzle pieces are falling into place. The timeline is roughly like this:
1. On 5DEC2023 at 4:57 AM the time jumps to 12MAY2024-4:48 AM; logs show that the W32time service did that.
2. About 6 minutes later W32time server corrects the time back to 5DEC2023 5:03 AM.
3. When people come to work in the morning, a lot of people cannot log in with their Windows Hello PIN number.
4. Group managed service account for Windows Defender for Identity stops working.
5. Audit trails on SQL production database have the wrong date.
And I am pretty sure that there is a lot more to be uncovered. This will take many weeks to discover and document what went wrong.
Microsoft has made many bad products and features over the years, but Windows STS has got to be on the top 5 list.
So my recommendation is to disable Windows STS ASAP.
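Scoping which records were stamped while the clock was wrong, following the timeline in the post above. This is an added example, not part of the original thread; the record format, the sample values (including the 04:54 pre-correction reading) and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: clock-change records as "previous,new,source", built from
# the timeline in the post. This is not the real Windows event format.
SAMPLE_CHANGES = """\
2023-12-05T04:57:00,2024-05-12T04:48:00,W32Time
2024-05-12T04:54:00,2023-12-05T05:03:00,W32Time
2023-12-05T09:00:00,2023-12-05T09:00:01,W32Time
"""

# Constructed sample: timestamps stamped on audit rows by the affected server.
SAMPLE_AUDIT = ["2023-12-05T04:50:12", "2024-05-12T04:49:30",
                "2024-05-12T04:53:59", "2023-12-05T05:04:10"]

def parse_changes(text):
    """Return (previous, new, source) tuples from the constructed format."""
    rows = []
    for line in text.strip().splitlines():
        prev, new, source = line.split(",")
        rows.append((datetime.fromisoformat(prev), datetime.fromisoformat(new), source))
    return rows

def find_excursions(changes, threshold=timedelta(hours=1)):
    """Pair each large clock jump with the later jump that undoes it.
    bogus_start..bogus_end is the range of wrong values the host reported."""
    excursions, open_jump = [], None
    for prev, new, source in changes:
        delta = new - prev
        if abs(delta) < threshold:
            continue  # ordinary small correction, not an excursion
        if open_jump is None:
            open_jump = {"bogus_start": new, "offset": delta, "source": source}
        else:
            open_jump["bogus_end"] = prev  # last wrong reading before the fix
            excursions.append(open_jump)
            open_jump = None
    if open_jump is not None:  # jump never corrected: window is still open
        open_jump["bogus_end"] = None
        excursions.append(open_jump)
    return excursions

def suspect_timestamps(stamps, excursions):
    """Return the timestamps that fall inside any bogus window."""
    hits = []
    for s in stamps:
        t = datetime.fromisoformat(s)
        if any(t >= e["bogus_start"] and (e["bogus_end"] is None or t <= e["bogus_end"])
               for e in excursions):
            hits.append(s)
    return hits
```

Records flagged this way carry a date the host never actually lived through, so they need re-dating by subtracting the excursion's `offset` before being used in a timeline.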