Manually uninstall the Azure ATP sensor


Hi all,

Just looking for a bit of guidance on the following.

 

Deploying the Azure ATP sensor to all our domain controllers, we've had one installation fail.  Looking in Programs and Features it is listed as being installed, however there is no Azure ATP sensor service on the domain controller.  Azure ATP is reporting the sensor stopped communicating.  

 

When trying to uninstall the Azure ATP sensor from Programs and Features, the uninstallation doesn't even start and the error is "Object reference not set to an instance of an object".

 

When trying to uninstall via command line "Azure ATP Sensor Setup.exe /uninstall" the error is "Product is not installed". 

 

The program is registered in the Uninstall registry, so when trying to uninstall via "msiexec /x {guid}" - it says to verify the package exists.  

 

Trying to reinstall the Azure ATP Sensor says "Azure Advanced Threat Protection Sensor 2.0.0.0 is already installed."

 

I believe if I can manually uninstall it (delete files and associated registry entries) and try to reinstall it again it should be fine.  The original installation was pushed out via SCCM, so I'm not sure what happened during the install (if the server rebooted in the middle or what).

 

Can someone shed some light on the reg settings etc I need to delete?  Or if there is a way I can "force" a reinstall?

 

Thanks,

Noel.

8 Replies
Highlighted

Can you grab the deployment logs before you close the error window?

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/troubleshooting-atp-using-logs#azure-atp-deployment-logs

 

Also, you might be able to clean things up with this tool:

https://support.microsoft.com/en-us/help/17588/windows-fix-problems-that-block-programs-being-installed-or-removed

 

It is known to sometimes help before for similar situations.

 

What exact version of AATP sensor is it?

Highlighted

Thanks Eli!

Your suggestion did help and it got me going in the right path.

 

This ended up being relatively straight forward so here are the steps I took if anybody has this in the future.

 

1. On the domain controller where the ATP Sensor had failed, I searched the registry for "Azure Advanced" (without the quotes), and deleted all keys and subkeys where this was found.   I just made sure it was referencing the sensor.  There were several keys that needed to be deleted from HKCR and HKLM.   Just to be sure to be sure....make a backup of the registry before you delete the keys.

 

2. I deleted the folder C:\Program Files\Azure Advanced Threat Protection Sensor

 

3. Manually re-installing the sensor worked and it is reporting as expected in the portal.   

 

Note: I had to manually delete the old (failed) sensor entry from the portal.

 

Hopefully this will help someone else out.
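
Added example, not part of the original post: a read-only PowerShell pass over step 1 that lists the registry keys naming the sensor and exports each one with reg.exe before anything is deleted. The three search roots, the backup folder and the file names are assumptions (the post searched the whole registry for "Azure Advanced"); the service name AATPSensor is the one used in the sc create command elsewhere in this thread.

```powershell
# Added example: inventory and backup only, nothing is deleted here.
$needle    = 'Azure Advanced Threat Protection Sensor'   # product name quoted in the thread
$backupDir = Join-Path $env:TEMP ('aatp-reg-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))  # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Assumed search roots: the standard Uninstall and Windows Installer product keys.
# HKLM:\SOFTWARE\Classes is the machine-wide part of HKCR.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Classes\Installer\Products'
)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Uninstall keys carry DisplayName, Installer\Products keys carry ProductName
        $name = @($props.DisplayName, $props.ProductName) |
            Where-Object { $_ } | Select-Object -First 1
        if ($name -and $name -like "*$needle*") {
            [pscustomobject]@{
                Key     = $key.Name            # HKEY_LOCAL_MACHINE\... form, as reg.exe expects
                Name    = $name
                Version = $props.DisplayVersion
                Backup  = $null
            }
        }
    }
}

# Export every matching key to its own .reg file so it can be restored with "reg import".
$i = 0
foreach ($hit in $hits) {
    $i++
    $file = Join-Path $backupDir "key-$i.reg"
    & reg.exe export $hit.Key $file /y | Out-Null
    if ($LASTEXITCODE -eq 0) { $hit.Backup = $file }
    else { Write-Warning "Export failed for $($hit.Key)" }
}

# The broken state described in the thread: product registered, service missing.
$service = Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue

$hits | Format-List Key, Name, Version, Backup
'Service AATPSensor present: {0}' -f [bool]$service
'Backups written to: {0}' -f $backupDir
```

Review the listed keys by hand before deleting any of them; a key without a Backup path was not exported.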

Highlighted

Can you share the failing call stack from the deployment log?

I wonder if I can change the code to auto recover from this situation.

The call stack might help me do that.

Highlighted

Hi Eli,

I've actually had the same issue occur now on a separate domain controller.  It looks like when the ATP Sensor went to self update, it broke itself during the install process.  And again the same result - it reports as not responding in the portal.  On the Domain Controller, there is no ATP service listed in services.msc, and the sensor is unable to be uninstalled (because it doesn't exist) and it's unable to be reinstalled because it thinks it already is.

 

I have some more information this time.  It appears to have happened on August 29th (a while ago I know - I only just got around to doing a better look into it).  I can see the following events in the application log.

 

Event ID 1040 (MSI Installer)

Beginning a Windows Installer transaction: C:\ProgramData\Package Cache\{D3EE6325-F634-4C55-9AA8-A197DB7781A4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi. Client Process Id: 5644.

 

Event ID 10000 (RestartManager)
Starting session 0 - 2018-08-29T04:54:37.351639000Z.

Event ID 1026 (.NET Runtime)
Application: rundll32.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: exception code c0000005, exception address 00007FFE6D3034D2
Stack:
 
Event ID 1000 (Application Error)
Faulting application name: rundll32.exe_MSIE9AD.tmp, version: 6.3.9600.17415, time stamp: 0x54504eb8
Faulting module name: MSIE9AD.tmp, version: 2.43.5215.24283, time stamp: 0x590746fd
Exception code: 0xc0000005
Fault offset: 0x00000000000034d2
Faulting process id: 0xbdc
Faulting application start time: 0x01d43f5463b51c8a
Faulting application path: C:\Windows\system32\rundll32.exe
Faulting module path: C:\Windows\Installer\MSIE9AD.tmp
Report Id: addfe5ab-ab47-11e8-810b-000d3ad01b38
Faulting package full name:
Faulting package-relative application ID:

Event ID 11707 (MSIINSTALLER)
Product: Azure Advanced Threat Protection Sensor -- Installation completed successfully.
 
Event ID 1033 (MSIINSTALLER)
Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.
 
Event ID 1042 (MSIINSTALLER)
Ending a Windows Installer transaction: C:\ProgramData\Package Cache\{D3EE6325-F634-4C55-9AA8-A197DB7781A4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi. Client Process Id: 5644.
 
Event ID 10001 (RestartManager)
Ending session 0 started 2018-08-29T04:54:37.351639000Z.

 


 

 So it's at this point the installation has failed - but actually finishes with a success code.   It looks as though this is another instance that will need to be manually cleaned up and then reinstalled.

 

I'm not sure if it makes any difference - but in the ATP portal I can see the failed sensor as last reporting v2.43.5215.  On the DC under C:\Program Files\Azure Advanced Threat Protection - I can see v2.47.544.8863 and 2.48.5521.36675
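
Added example, not part of the original post: a PowerShell check for the pattern in the events above, where a Windows Installer transaction (1040 to 1042) reports success in event 1033 although an Application Error (1000) names a faulting module under C:\Windows\Installer in between. It assumes English event text in the Application log; the 30-day window and the output field names are arbitrary choices.

```powershell
# Added example: find installer transactions that logged "status: 0"
# while a process crashed inside a C:\Windows\Installer module.
$since  = (Get-Date).AddDays(-30)     # assumed look-back window
$filter = @{ LogName = 'Application'; Id = 1040, 1042, 1033, 1000; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$open = $null    # the transaction currently being tracked, if any
$findings = foreach ($e in $events) {
    switch ($e.Id) {
        1040 {   # "Beginning a Windows Installer transaction: <package>.msi."
            if ($e.ProviderName -eq 'MsiInstaller') {
                $open = @{ Start = $e.TimeCreated; Package = $null; Crash = $null; Product = $null }
                if ($e.Message -match 'transaction:\s*(.+?\.msi)') { $open.Package = $Matches[1] }
            }
        }
        1000 {   # Application Error raised while the transaction is open
            if ($open -and
                $e.Message -match 'Faulting module path:\s*(C:\\Windows\\Installer\\\S+)') {
                $open.Crash = $Matches[1]
            }
        }
        1033 {   # "Windows Installer installed the product. ... status: 0."
            if ($open -and
                $e.Message -match '(?s)Product Name:\s*(.+?)\.\s*Product Version:.*status:\s*0\.') {
                $open.Product = $Matches[1]
            }
        }
        1042 {   # "Ending a Windows Installer transaction"
            if ($open -and $open.Crash -and $open.Product) {
                [pscustomobject]@{
                    Started        = $open.Start
                    Ended          = $e.TimeCreated
                    Product        = $open.Product
                    Package        = $open.Package
                    FaultingModule = $open.Crash
                }
            }
            $open = $null
        }
    }
}

if ($findings) { $findings | Format-List }
else { 'No installer transaction with both a crash and a success status was found.' }
```

A hit means the success status from that transaction should not be trusted; confirm the product's service and files actually exist on that machine.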

 

 

 

 

Highlighted

I had a similar issue with another customer back then. The new sensor will know how to handle this case better, but if you are still stuck with the old version, the only way to uninstall it is to copy the binary exe from another sensor and register the service manually so the uninstall can find it (the new code should not fail if it does not find it).

sc create AATPSensor binPath= "C:\Program Files\Azure Advanced Threat Protection Sensor\XXXXXX\Microsoft.Tri.Sensor.exe"

 

where XXXXXX is the exact number of the version we try to uninstall, for example: 2.39.5033.27241

 

Once you have that, you can try to uninstall again (don't need to actually run the service).

 

Let me know how it goes.

Highlighted
This fixed it up for me. Many thanks.
Highlighted

@Eli Ofek 

I ran into a similar issue today on a 2008 R2 DC (I know...).  It was listed in programs and features list that it wasn't installed, but the installer wouldn't let me run.  Found 2 entries in the registry with "Azure Advanced" that were related to this, removed them, and then the installer went through.  Experienced an issue with the installer not being able to find msvcr120_clr0400.dll as well.  I installed the .Net Framework 2013 redistributables and then had to re-install .Net 4.7 and finally it's all good. 

Also... any idea why the 2019 DC's are reporting an error that NetBIOS over 137 isn't working properly?  The 2008 R2's, 2012's, and 2016's are all "healthy" in the console, but I've noticed 3 different 2019 DC's (with Windows Firewall disabled) are reporting an error.

 

Thanks.

Highlighted

@Noel Fairclough 

 

Cleaning the registry key worked.

 

Thank you,