Repoint Azure ATP Sensor to new ATP portal

How do we repoint an Azure ATP Sensor to the new ATP portal? I have tried uninstalling the existing Sensor from the programs and installing it again using the new sensor and JSON file downloaded from the new portal. But the installation fails with the error below in the Azure Advanced Threat Protection Sensor log.

I can see DeploymentAction=Upgrade instead of Install. On DCs where I install the sensor for the first time, it works fine and gets pointed to the new ATP portal. But there I can see DeploymentAction=Install.

Debug DeploymentModel .ctor [DeploymentAction=Upgrade]
Debug DeploymentModel .ctor [IsAfterRestartAndConfigured=False]
Debug ServiceControllerExtension GetServiceCommandLine [BinaryPathName=]
Error DeploymentManager ShowErrorMessage System.ArgumentNullException: Value cannot be null.

I would appreciate it if anyone has any suggestions on this.

3 Replies

@Sanjay O P 

What do you mean by old and new ATP Portal?
Unless you are migrating from ATA to MDI, there's no need to remove and reinstall sensors for them to work with the M365 Defender portal.

As for your install/upgrade issue, if the sensor installation thinks it's an upgrade, it means that there are still leftovers on the system.

You can open a support ticket to get assistance in the cleanup process, but in general the steps are:

Uninstall:
Try running the command-line setup uninstall from the ProgramData\Package Cache folder
Ex. C:\ProgramData\Package Cache\{########-####-####-####-############} [The GUID is different for each machine/install]
"Azure ATP Sensor Setup.exe" /uninstall

Services:
To remove Services leftover from a previous install, run from an elevated prompt:
sc.exe delete aatpsensor
sc.exe delete aatpsensorupdater

Manual removal:
Verify the Sensor & Sensor.Updater services no longer exist
Verify Program Folder no longer exists: C:\Program Files\Azure Advanced Threat Protection Sensor
Rename the ProgramData\Package Cache\{GUID} folder for the sensor cache
Check Install registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\{GUID}: Azure Advanced Threat Protection Sensor
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\{GUID}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\{GUID}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}
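
A read-only check for the leftovers listed in the reply above, as an added example that is not part of the original thread or of Microsoft's tooling. The function name `Get-SensorLeftover` is hypothetical, and matching registry entries by the product name quoted in the reply is an assumption.

```powershell
# Added example: read-only audit for the leftovers listed in the reply above.
# Nothing is deleted. Run from an elevated PowerShell prompt on the DC.
# Assumption: registry entries are matched by the product name quoted in the reply.
function Get-SensorLeftover {
    $name = 'Azure Advanced Threat Protection Sensor'
    $hit  = { param($type, $item) [pscustomobject]@{ Type = $type; Item = $item } }

    # Services named in the reply
    foreach ($svc in 'aatpsensor', 'aatpsensorupdater') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { & $hit 'Service' $svc }
    }

    # Program folder
    $dir = Join-Path $env:ProgramFiles $name
    if (Test-Path -LiteralPath $dir) { & $hit 'Folder' $dir }

    # Package Cache folders that still hold the sensor setup executable
    $cache = Join-Path $env:ProgramData 'Package Cache'
    Get-ChildItem -LiteralPath $cache -Directory -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -LiteralPath (Join-Path $_.FullName 'Azure ATP Sensor Setup.exe') } |
        ForEach-Object { & $hit 'PackageCache' $_.FullName }

    # Installer registry keys: key path -> value that carries the product name
    $roots = [ordered]@{
        'HKLM:\SOFTWARE\Classes\Installer\Products'                             = 'ProductName'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'             = 'DisplayName'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' = 'DisplayName'
    }
    foreach ($root in $roots.Keys) {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            if ($key.GetValue($roots[$root]) -notlike "*$name*") { continue }
            & $hit 'Registry' $key.Name
            if ($root -like '*Classes\Installer\Products') {
                # Features and UserData reuse the same product key name
                $id = $key.PSChildName
                foreach ($p in "HKLM:\SOFTWARE\Classes\Installer\Features\$id",
                               "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\$id") {
                    if (Test-Path -Path $p) { & $hit 'Registry' $p }
                }
            }
        }
    }
}

Get-SensorLeftover | Format-Table -AutoSize
```

An empty result means none of the listed leftovers were found; any row is something to clear before rerunning setup.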

Thanks for replying Martin!

What I meant by old and new ATP portal is that we already had the sensors pointed to our <atpsensor1>.atp.azure.com and now we want to repoint them all to <atpsensor2>.atp.azure.com. From my research, I found that the only way to do this is to uninstall and reinstall the sensor with the new ATP portal details.

I will check on the manual cleanup procedures you suggested and see if that helps. Thanks again!

@Sanjay O P 

Ok, yes. In cases where you need to migrate to a different workspace there's no other option but to remove and reinstall the sensors.