Constant starting failures with sensor version 2.222.17390.40606


Hello

Does anyone have this issue with Defender for Identity sensor version 2.222.17390.40606 on Windows Server 2022?

"The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 3650 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service."

5 Replies
And yes I have rebooted, uninstalled, rebooted, installed again, rebooted, still the same errors.

@Arngrimur Magnusson Does it still happen now or resolved already?

@Eli Ofek Still happening right now at 6. Dec. 2023 at 10:26 UTC.
I have sensors installed on 6 servers and all have the same behavior.
Workspace version 2.222.17387.18816, Geolocation United Kingdom

Please open a support case, supply the tenant id and the name of the machines that fail.
Then send me in a private message the case # and name of engineer assigned to the case so I can monitor it.

@Eli Ofek The issue is fixed, but that is in no way thanks to Microsoft support. That was a complete waste of time. Really looking forward to filling out the customer survey.
Anyway, it looks like we were yet another victim of the Windows Secure Time Seeding. The puzzle pieces are falling into place. The timeline is roughly like this:

1. At 5DEC2023 at 4:57 AM the time jumps to 12MAY2024-4:48 AM, logs show that W32time service did that.

2. About 6 minutes later W32time server corrects the time back to 5DEC2023 5:03 AM

3. When people come to work in the morning a lot of people cannot log in with their Windows Hello PIN number.

4. Group managed service account for Windows Defender for Identity stops working

5. Audit trails on SQL production database have the wrong date

And I am pretty sure that there is a lot more to be uncovered. This will take many weeks to discover and document what went wrong. 

Microsoft has made many bad products and features over the years, but Windows STS has got to be on the top 5 list.

So my recommendation is to disable Windows STS ASAP.
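
The following script is an added example, not part of the thread and not Microsoft's own tooling. It reports whether Secure Time Seeding is enabled on a server, lists logged clock changes as large as the jump in the timeline above, and optionally turns STS off. The 24-hour threshold and the parameter names are assumptions chosen for illustration.

```powershell
# Added example: audit one server for Secure Time Seeding (STS) and large clock jumps.
# Run in an elevated PowerShell session; repeat on each affected server.
param(
    [int]$MinJumpHours = 24,   # assumption: report clock changes at least this large
    [switch]$DisableSts        # without this switch the script only reports
)

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# 1. Current STS state: UtilizeSslTimeData = 1 means STS is on, 0 means off.
$sts = (Get-ItemProperty -Path $configKey -Name UtilizeSslTimeData `
        -ErrorAction SilentlyContinue).UtilizeSslTimeData
$state = switch ($sts) {
    0       { 'disabled' }
    1       { 'enabled' }
    default { 'value not set (OS default applies)' }
}
Write-Output "Secure Time Seeding on ${env:COMPUTERNAME}: $state"

# 2. Clock changes recorded in the System log (Kernel-General event ID 1).
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

    # Drop sub-second digits so the ISO 8601 timestamps parse on every .NET version.
    $old = [datetime]::Parse(($d.OldTime -replace '\.\d+Z$', 'Z')).ToUniversalTime()
    $new = [datetime]::Parse(($d.NewTime -replace '\.\d+Z$', 'Z')).ToUniversalTime()
    $jump = $new - $old

    # Report both the forward jump and the later correction back.
    if ([math]::Abs($jump.TotalHours) -ge $MinJumpHours) {
        [pscustomobject]@{
            LoggedAt   = $_.TimeCreated
            OldTimeUtc = $old
            NewTimeUtc = $new
            JumpDays   = [math]::Round($jump.TotalDays, 1)
            Process    = $d.ProcessName
        }
    }
}

# 3. Optional mitigation: turn STS off and have W32Time reload its configuration.
if ($DisableSts) {
    Set-ItemProperty -Path $configKey -Name UtilizeSslTimeData -Value 0 -Type DWord
    w32tm.exe /config /update | Out-Null
    Write-Output 'UtilizeSslTimeData set to 0 and W32Time configuration reloaded.'
}
```

A jump followed minutes later by a matching negative jump, as in steps 1 and 2 of the timeline, shows up as two rows with opposite-sign `JumpDays` values.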