cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

The Sensor fails to start

TherealKillerbe
Brass Contributor

‎Sep 20 2023 01:41 AM

‎Sep 20 2023 01:41 AM

The Sensor fails to start

We are implementing Windows Defender for Identity. As our domain controllers are not allowed to communicate with the internet, we have setup  a dedicated member server for the sensor.

 

The operating system is Windows Server 2019 (10.0.17763). We have installed the sensor, however the sensor fails to start. The Log "Azure Advanced Threat Protection Sensor" does not hold any information besides the installation:

 

[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleOriginalSource = C:\temp\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleOriginalSourceFolder = C:\temp\Azure ATP Sensor Setup\
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleProviderKey = {47d0bc49-a03e-408c-bc8d-251917ef0d75}
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleRollbackLog_MsiPackage = C:\Users\ADM_JD~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20230919144435_000_MsiPackage_rollback.log
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleSourceProcessFolder = C:\temp\Azure ATP Sensor Setup\
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleSourceProcessPath = C:\temp\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleTag =
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleUILevel = 4
[07B8:0A9C][2023-09-19T14:46:35]i410: Variable: WixBundleVersion = 2.213.17071.5302
[07B8:0A9C][2023-09-19T14:46:36]i007: Exit code: 0x0, restarting: No

 

the only thing we see is the event in the system event log:

The Azure Advanced Threat Protection Sensor service terminated unexpectedly

The majority of the logs described here are missing

Troubleshooting the sensor using logs - Microsoft Defender for Identity | Microsoft Learn

the only ones we see are:

Name : Azure Advanced Threat Protection Sensor_20230920102142.log

Name : Azure Advanced Threat Protection Sensor_20230920102208.log

Name : Azure Advanced Threat Protection Sensor_20230920102208_000_MsiPackage.log

Name : Azure Advanced Threat Protection Sensor_20230920102427.log

Name : Azure Advanced Threat Protection Sensor_20230920102427_000_MsiPackage.log

Name : Microsoft.Tri.Sensor.Deployment.Deployer_20230920082231.log

Name : Microsoft.Tri.Sensor.Deployment.Deployer_20230920082542.log

 

1,881 Views
0 Likes
10 Replies
Reply
10 Replies
Eli Ofek

‎Sep 20 2023 05:05 AM

‎Sep 20 2023 05:05 AM

Re: The Sensor fails to start

The issue should appear in Microsoft.Tri.Sensor.Deployment.Deployer_20230920082542.log.
Share the data from it.
0 Likes
Reply
TherealKillerbe

‎Sep 20 2023 07:27 AM

‎Sep 20 2023 07:27 AM

Re: The Sensor fails to start

2023-09-20 13:52:34.3007 Info Program Main Deployer started [arguments=iEgYX6Z1ahtUzF/mpsUN9Q==]
2023-09-20 13:52:34.4569 Debug InstallActionGroup Apply started
2023-09-20 13:52:34.4569 Debug CreateCertificateAction Apply started [suppressFailure=False]
2023-09-20 13:52:38.8944 Debug CreateCertificateAction Apply finished
2023-09-20 13:52:38.8944 Debug CreateSensorAction Apply started [suppressFailure=False]
2023-09-20 13:52:39.4413 Info CreateSensorAction ApplyInternal Adfs installation research log [adfsCommandOutput=Get-Command : The term 'Get-AdfsProperties' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ (Get-Command Get-AdfsProperties).Source
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AdfsProperties:String) [Get-Command], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand

adfssrv state=null user=Contoso\Administrator]
2023-09-20 13:52:39.8442 Debug CreateSensorAction Apply finished
2023-09-20 13:52:39.8442 Debug TestCertificateAndProxyAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0630 Debug TestCertificateAndProxyAction Apply finished
2023-09-20 13:52:40.0630 Debug SaveSensorMandatoryConfigurationAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0942 Debug SaveSensorMandatoryConfigurationAction Apply finished
2023-09-20 13:52:40.0942 Debug CreateServicesActionGroup Apply started
2023-09-20 13:52:40.0942 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.0942 Debug CreateServiceAction Apply finished
2023-09-20 13:52:40.0942 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1098 Debug SetServiceDescriptionAction Apply finished
2023-09-20 13:52:40.1098 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1098 Debug ConfigureServiceAction Apply finished
2023-09-20 13:52:40.1098 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-20 13:52:40.1255 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug CreateServiceAction Apply finished
2023-09-20 13:52:40.1255 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1255 Debug SetServiceDescriptionAction Apply finished
2023-09-20 13:52:40.1255 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1411 Debug ConfigureServiceAction Apply finished
2023-09-20 13:52:40.1411 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1411 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-20 13:52:40.1411 Debug CreateServicesActionGroup Apply finished
2023-09-20 13:52:40.1411 Debug ConfigureVirtualServiceAccountAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug ConfigureVirtualServiceAccountAction Apply finished
2023-09-20 13:52:40.1723 Debug RegisterCrashDumpsAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug RegisterCrashDumpsAction Apply finished
2023-09-20 13:52:40.1723 Debug EnableTls12Action Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug EnableTls12Action Apply finished
2023-09-20 13:52:40.1723 Debug CopyServiceLogsOnRevertAction Apply started [suppressFailure=False]
2023-09-20 13:52:40.1723 Debug CopyServiceLogsOnRevertAction Apply finished
2023-09-20 13:52:40.1723 Debug StartServiceAction Apply started [suppressFailure=False]
2023-09-20 13:52:46.2365 Debug StartServiceAction Apply finished
2023-09-20 13:52:46.2365 Debug InstallActionGroup Apply finished
2023-09-20 13:52:46.2365 Info Program Main Deployer finished
0 Likes
Reply
best response confirmed by TherealKillerbe (Brass Contributor)
Eli Ofek

‎Sep 20 2023 08:21 AM

‎Sep 20 2023 08:21 AM

Solution

Re: The Sensor fails to start

What happened is that the deployment found the adfssrv service running on the machine, thus assuming it has the ADFS role, instead of what I think you expected to be "Standalone sensor" role to remotely monitor the DC via port mirroring and event forwarding.
For some reason, even though adfssrv is there, the ADFS Cmdlets that we use to learn data on ADFS are not.
If you want a standalone sensor, the machine should not run any other role. it should be a plain windows server.

Note that standalones are generally a poor choice. less than 2% of sensors WW are standalone.
You get much less detections, and it is much harder to setup correctly.

Why not use a limited authenticated internet proxy so the machine does not have direcet access to the internet.
The sensor supports "private proxy" which means you give it the proxy details during deployment, and only the sensor processes can use this proxy, and no other process.
Also, the proxy can limit access only to MDI's endpoints in azure.
0 Likes
Reply
TherealKillerbe

‎Sep 21 2023 12:26 AM

‎Sep 21 2023 12:26 AM

Re: The Sensor fails to start

I saw that one in the LOGs as well, but the ADFS role was not installed on the server.
The only other role which is installed on the server is an OCSP, which is probably causing the curl pit..
The Sensor already uses a private proxy, wherefore we implemented the Reg_Binary proxy settings in the registry. I will have to discuss this with the stakeholders. Thanks for the response!
0 Likes
Reply
Eli Ofek

‎Sep 21 2023 12:33 AM

‎Sep 21 2023 12:33 AM

Re: The Sensor fails to start

OCSP causes adfssrv to run?
I strongly recommend the built in sensor proxy, it's more secured compared to the registry option, as it limits access to only the sensor processes and not an entire windows profile.
0 Likes
Reply
TherealKillerbe

‎Sep 21 2023 06:38 AM

‎Sep 21 2023 06:38 AM

Re: The Sensor fails to start

I did the installation first with adding the Proxyserver command, but then it fails to comminicate.
wherefore i eventually followed the 3rd option which did work.
https://learn.microsoft.com/en-us/defender-for-identity/configure-proxy.
Also have to come back on the OCSP part, that was not installed on the sensor server. So this is a plain windows, with no roles installed. It does have the Powershell ADDS RSAT tools installed in order to install the GMSA on the server, but no roles were configured.
0 Likes
Reply
Eli Ofek

‎Sep 21 2023 07:08 AM

‎Sep 21 2023 07:08 AM

Re: The Sensor fails to start

Can you run on this machine:
sc query adfssrv
And paste the results ?

What error did you get when trying to use the command line switch proxy option?
0 Likes
Reply
TherealKillerbe

‎Sep 22 2023 02:29 AM

‎Sep 22 2023 02:29 AM

Re: The Sensor fails to start

C:\Windows\system32>sc query adfssrv
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

0 Likes
Reply
TherealKillerbe

‎Sep 22 2023 02:45 AM - edited ‎Sep 24 2023 11:56 PM

‎Sep 22 2023 02:45 AM - edited ‎Sep 24 2023 11:56 PM

Re: The Sensor fails to start

i Ran the following command Azure ATP Sensor Setup.exe ProxyURL="http://10.0.100.4:8080"

2023-09-22 09:36:22.3192 Info Program Main Deployer started [arguments=UupWdR8YVoHtaVBj0WBPKQ==]
2023-09-22 09:36:22.4129 Debug InstallActionGroup Apply started
2023-09-22 09:36:22.4129 Debug CreateCertificateAction Apply started [suppressFailure=False]
2023-09-22 09:36:26.4754 Debug CreateCertificateAction Apply finished
2023-09-22 09:36:26.4754 Debug CreateSensorAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.1004 Info CreateSensorAction ApplyInternal Adfs installation research log [adfsCommandOutput=Get-Command : The term 'Get-AdfsProperties' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:2
+ (Get-Command Get-AdfsProperties).Source
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-AdfsProperties:String) [Get-Command], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand

adfssrv state=null user=Contoso\administrator]
2023-09-22 09:36:27.6629 Debug CreateSensorAction Apply finished
2023-09-22 09:36:27.6629 Debug TestCertificateAndProxyAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.8661 Debug TestCertificateAndProxyAction Apply finished
2023-09-22 09:36:27.8661 Debug SaveSensorMandatoryConfigurationAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.8973 Debug SaveSensorMandatoryConfigurationAction Apply finished
2023-09-22 09:36:27.8973 Debug CreateServicesActionGroup Apply started
2023-09-22 09:36:27.8973 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.8973 Debug CreateServiceAction Apply finished
2023-09-22 09:36:27.8973 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9129 Debug SetServiceDescriptionAction Apply finished
2023-09-22 09:36:27.9129 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9285 Debug ConfigureServiceAction Apply finished
2023-09-22 09:36:27.9285 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9285 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-22 09:36:27.9285 Debug CreateServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9285 Debug CreateServiceAction Apply finished
2023-09-22 09:36:27.9285 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9285 Debug SetServiceDescriptionAction Apply finished
2023-09-22 09:36:27.9285 Debug ConfigureServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9442 Debug ConfigureServiceAction Apply finished
2023-09-22 09:36:27.9442 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9442 Debug SetServicePreshutdownTimeoutAction Apply finished
2023-09-22 09:36:27.9442 Debug CreateServicesActionGroup Apply finished
2023-09-22 09:36:27.9442 Debug ConfigureVirtualServiceAccountAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9754 Debug ConfigureVirtualServiceAccountAction Apply finished
2023-09-22 09:36:27.9754 Debug RegisterCrashDumpsAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9754 Debug RegisterCrashDumpsAction Apply finished
2023-09-22 09:36:27.9754 Debug EnableTls12Action Apply started [suppressFailure=False]
2023-09-22 09:36:27.9754 Debug EnableTls12Action Apply finished
2023-09-22 09:36:27.9754 Debug CopyServiceLogsOnRevertAction Apply started [suppressFailure=False]
2023-09-22 09:36:27.9754 Debug CopyServiceLogsOnRevertAction Apply finished
2023-09-22 09:36:27.9754 Debug StartServiceAction Apply started [suppressFailure=False]
2023-09-22 09:36:34.8232 Debug StartServiceAction Apply finished
2023-09-22 09:36:34.8232 Debug InstallActionGroup Apply finished
2023-09-22 09:36:34.8232 Info Program Main Deployer finished
0 Likes
Reply
TherealKillerbe

‎Sep 26 2023 06:05 AM

‎Sep 26 2023 06:05 AM

Re: The Sensor fails to start

deployed the sensors on the DC directly using the Proxyurl switch.
Services started as expected.
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by TherealKillerbe (Brass Contributor)
Eli Ofek

‎Sep 20 2023 08:21 AM

‎Sep 20 2023 08:21 AM

Solution

Re: The Sensor fails to start

What happened is that the deployment found the adfssrv service running on the machine, thus assuming it has the ADFS role, instead of what I think you expected to be "Standalone sensor" role to remotely monitor the DC via port mirroring and event forwarding.
For some reason, even though adfssrv is there, the ADFS Cmdlets that we use to learn data on ADFS are not.
If you want a standalone sensor, the machine should not run any other role. it should be a plain windows server.

Note that standalones are generally a poor choice. less than 2% of sensors WW are standalone.
You get much less detections, and it is much harder to setup correctly.

Why not use a limited authenticated internet proxy so the machine does not have direcet access to the internet.
The sensor supports "private proxy" which means you give it the proxy details during deployment, and only the sensor processes can use this proxy, and no other process.
Also, the proxy can limit access only to MDI's endpoints in azure.

View solution in original post

0 Likes
Reply