Sensor update failed, can't start or re-install ATP Sensor on DC?

I noticed that one of my DCs was reporting offline in the ATP portal. 

The Azure Advanced Threat Protection Sensor Updater service failed to start due to the following error:
The system cannot find the file specified.

The Azure Advanced Threat Protection Sensor service depends on the Azure Advanced Threat Protection Sensor Updater service which failed to start because of the following error:
The system cannot find the file specified.

I tried to re-install, and I get this:

[0CA8:11A8][2022-09-14T08:44:19]i000: 2022-09-14 15:44:19.7700 Debug DeploymentModel .ctor [\[]DeploymentAction=Upgrade[\]]
[0CA8:11A8][2022-09-14T08:44:19]i000: 2022-09-14 15:44:19.7720 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
[0CA8:11A8][2022-09-14T08:44:20]i000: 2022-09-14 15:44:20.0170 Debug ServiceControllerExtension GetServiceCommandLine [\[]BinaryPathName=eoh7lycNot44o8Rb/lhGxQ==[\]]
[0CA8:11A8][2022-09-14T08:44:20]i000: 2022-09-14 15:44:20.0230 Error DeploymentManager ShowErrorMessage System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Program Files\Azure Advanced Threat Protection Sensor\2.185.15527.50158\SensorConfiguration.json'.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
   at System.IO.File.InternalReadAllText(String path, Encoding encoding, Boolean checkHost)
   at System.IO.File.ReadAllText(String path)
   at Microsoft.Tri.Sensor.Deployment.Bundle.UI.DeploymentStatusUpdater..ctor(DeploymentModel deploymentModel)
   at Microsoft.Tri.Sensor.Deployment.Bundle.UI.DeploymentModel.Run()
   at Microsoft.Tri.Sensor.Deployment.Bundle.UI.SilentDeploymentManager.Run()
   at Microsoft.Tri.Sensor.Deployment.Bundle.UI.SensorBootstrapperApplication.Run()

It seems that the installer detects the sensor is there and attempts to update it, but is looking at the wrong version directory. In Program Files there is only the below:

PS C:\Program Files\Azure Advanced Threat Protection Sensor> dir

    Directory: C:\Program Files\Azure Advanced Threat Protection Sensor

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        8/16/2022   7:24 AM                2.186.15587.11173
d-----        8/24/2022  12:49 AM                2.187.15617.15690

Looks like something went wrong with a sensor update...

 

How can I remove and re-install the sensor?

1 Reply
If a simple uninstall fails, the best way is to call support so they can guide you step by step on how to "clean" the current install and reinstall the sensor from scratch.
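
As an added example (not part of the original posts and not Microsoft's tooling), this read-only PowerShell check compares the path each sensor service is registered with against the version directories actually present on disk, which is the mismatch the log and the directory listing in the question point to. The service short names AATPSensor and AATPSensorUpdater and the default install root are assumptions; the output is useful evidence to hand to support.

```powershell
# Read-only diagnostic: compares where each sensor service registration points
# with the version directories that exist on disk. Nothing is modified.
# Assumptions: service short names and the default install root below.
$InstallRoot  = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
$ServiceNames = 'AATPSensor', 'AATPSensorUpdater'

# Version directories present on disk (names such as 2.187.15617.15690)
$onDisk = @(Get-ChildItem -LiteralPath $InstallRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |
    Select-Object -ExpandProperty Name)

$report = foreach ($name in $ServiceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $imagePath = (Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

    # ImagePath may be quoted and may carry arguments; keep only the executable path
    $exe = $null
    if ($imagePath -match '^\s*"([^"]+)"' -or $imagePath -match '^\s*(\S.*?\.exe)') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
    }

    # Version directory the registration refers to, if it lies under the install root
    $registered = $null
    if ($exe -and $exe.StartsWith($InstallRoot, [StringComparison]::OrdinalIgnoreCase)) {
        $registered = $exe.Substring($InstallRoot.Length).TrimStart('\').Split('\')[0]
    }

    [pscustomobject]@{
        Service           = $name
        IsRegistered      = [bool]$imagePath
        RegisteredVersion = $registered
        BinaryExists      = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        VersionsOnDisk    = $onDisk -join ', '
    }
}

$report | Format-Table -AutoSize -Wrap

# A registered service whose binary is missing matches the
# "The system cannot find the file specified" start failure
foreach ($row in $report | Where-Object { $_.IsRegistered -and -not $_.BinaryExists }) {
    Write-Warning ("{0} is registered against version '{1}', which is not on disk" -f
        $row.Service, $row.RegisteredVersion)
}
```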