
Defender for Identity - new version 2.194 - is there something wrong with it?

Hi All,

I am a consultant and have deployed MDI for a few different clients.

As of Nov 10th, MDI released their latest version, 2.194, which is what all my current sensors are on.

What I have noticed is that all the sensors are currently failing to start - the health alerts have come up starting Nov 13, Nov 15, Nov 23.

All after they were updated to the latest version.

The health alert shown is that the directory services account credentials are incorrect - but I am using a gMSA (group managed service account) on all the deployments - which are passwordless. The domain names are also configured correctly.

I also tried reinstalling the ATP sensor on one of the DCs and it isn't coming back up as running and is failing to start.

I checked the event viewer and it shows an error - event ID 7031 - "ATP sensor service terminated unexpectedly - it has done so 8000 times. The following corrective action will be taken in 5000 milliseconds: Restart the service"

All the sensors were working correctly until this new update. And keep in mind these are three different domains, tenants etc. No connections whatsoever.

Any help appreciated.

2 Replies
Update: Changing from a gMSA to a "normal" user account with password fixed this issue. Any ideas why?
Check if the DC received the November update. It breaks gMSA. There is an OOB to deploy to correct this.