SOLVED

Sensor Updater Service won't start under the context of a Service Account

Hello,

 

Installed the sensor on a DC and managed to get the Sensor Service started running under the context of the service account but not the Updater Service.  The Updater Service will only run under Local System.  The only way we could get the sensor service to start was to add the service account into the Built in Performance Log and Performance Local groups.

The documentation only mentions that the service account needs 'Log on as a service' user right which has been assigned.

Any thoughts?

Rob

5 Replies
The updater is running as local system thus should have the permissions without any change. The sensor service account inherits local service, and should also have permissions by default. Most likely the system was hardened compared to default.
On a quick side issue, I've got all of this up and running in the Defender 365 Security center. It would appear that the only rights that will allow me access to Identity settings and incidents and alerts is Azure Global Admin. Is this correct?
By default global or security admin.
On workspace creation, new groups were created in your AAD for admin, user and viewer roles, and you can add specific accounts there.
Is that only true in the ATP portal? I can't see anything on this page as a Security Admin, only a Global Admin
https://security.microsoft.com/settings/identities?tabid=sensor
best response confirmed by rob_wood_8894 (Brass Contributor)
Solution
No, as far as I know the same permissions should work the same in the old native portal and the new security portal.
If you see it work differently, where you can access one but not the other, I suggest opening a support case.