User Profile
EliOfek
Joined 8 years ago
Recent Discussions
Re: MDI AD CS sensor not switching from removed DC
You don't need to reinstall, you can select a different DC using the portal when editing sensor settings in the sensors list. You can also reinstall, during deployment the deployment tool contacts the DC locator to select a DC, so it should select a working one, but I think it's faster to just change it in the portal, also if you have a preference on which DC you want it to work with.
24 Views, 1 like, 1 Comment
Re: Alert Not Found
Any chance you have several tenants? If so, make sure you are logged in to the correct tenant. If not, I suggest opening a support case where support can check what happened to this alert. It requires much more details, thus not suitable to discuss over this thread.
71 Views, 1 like, 0 Comments
Re: Low success rate of active name resolution NetBIOS (failed rates 80%) and RdpTls (failed rate 90%).
First of all, once you have NTLMRpc and DNS working, at least from detection aspect you should be fine. Now, to clear warnings, you can ask support for a report on which IPs are failing from those sensors, this will give you a clue as to what is blocked, but there is no way for Microsoft to remotely know what is blocking the coms, it could be a network firewall or the target machine FW itself...
105 Views, 0 likes, 1 Comment
Re: Spurious health alerts with sensor 2.241.18721.18894
This is indeed a new health alert added in the last version. If you feel that it is false, meaning you don't have LSO enabled for sure, open a support case. I advise to attach the output of this PowerShell command to the case notes:

    (Get-CimInstance -Namespace root\standardcimv2 -Query "SELECT * FROM MSFT_NetAdapterAdvancedPropertySettingData WHERE InstanceID LIKE '%YOUR_ADAPTER_ID%' AND DisplayName LIKE 'Large Send Offload%'") | Where-Object { $_.DisplayValue -eq 'Enabled' } | ForEach-Object { $true } | Select-Object -First 1

or run this WMI query any other way, like wmic:

    wmic /namespace:\\root\standardcimv2 path MSFT_NetAdapterAdvancedPropertySettingData where "InstanceID like '%YOUR_ADAPTER_ID%' and DisplayName like 'Large Send Offload%'" get DisplayValue

Make sure to replace your adapter id, you can get it with something like this:

    Get-CimInstance -Namespace root\standardcimv2 -ClassName MSFT_NetAdapter | Select-Object Name, InstanceID

The sensor logic that reports the health alert uses something very close to that to decide if there is an issue. One more note when checking for LSO, keep in mind to check both IPv4 and IPv6.
200 Views, 0 likes, 1 Comment
Re: ATP Sensor will not install on Windows 2016
Temp workaround: if you have already installed a sensor in the past, you can use the old package to deploy new machines, it will be auto upgraded to this version (without being blocked) within a few minutes post the install as the auto upgrade works differently and won't hit the error bug. The root issue should be addressed in a ticket anyway, as eventually we want you to have the greatest and latest and now it seems you will still be one version behind.
62 Views, 0 likes, 0 Comments
Re: ATP Sensor will not install on Windows 2016
The issue I previously mentioned was already resolved as far as I know for everyone else. Please open a support ticket for this one. You might be hitting a different issue that is just "similar" to the one I mentioned. Feel free to send me the ticket # in a private message when you have one, I will do my best to put a rush on it.
56 Views, 0 likes, 0 Comments
Re: ATP Sensor will not install on Windows 2016
There is no point in multiple tries... Can you go to https://security.microsoft.com/securitysettings/identities?tabid=about and tell me what is Sensor version you see there? It should be 2.240.18612.44306. If it's not, no point in even trying, it means there are still issues.
136 Views, 0 likes, 3 Comments
Re: ATP Sensor will not install on Windows 2016
You can only download the version that the portal supports at the time. The issue was fixed, refreshing the portal and downloading a new package now should resolve the issue. (The issue was in one of the US clusters and now fixed). Apologies for the inconvenience and thank you for this feedback that brought this to our attention so we can fix it faster.
118 Views, 0 likes, 0 Comments
Re: Suspected identity theft (pass-the-ticket) when switching LAN/WiFI
This usually happens when NNR is blocked or partially blocked (ports not accessible or device is behind NAT). I suggest opening a support ticket and the support team will know how to guide you and check what the problem is and what needs to be done to fix it.
514 Views, 1 like, 0 Comments
Re: MDI for Certificate Services
I suggest to read these posts for starters to know "what to expect" from this feature:
https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/microsoft-defender-for-identity-expands-its-coverage-with-new-ad-cs-sensor/3894215
https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/securing-ad-cs-microsoft-defender-for-identitys-sensor-unveiled/3980265
90 Views, 0 likes, 0 Comments
Re: Getting error "Arithmetic operation resulted in an overflow" in existing Environment for new DC
The errors in the screenshot are not expected to cause a service restart, you can ignore them specifically as long as they are not happening constantly. Check if the Sensor service process replaces process id number every few minutes, if it does, it means it's in a slow restart loop. The log needs to be inspected for an error that actually crashed it.
101 Views, 0 likes, 0 Comments
Re: Getting error "Global is denied" on second DC
The code is failing while we try to read the instances of the counters under "Network Interface" category. Try to run perfmon.exe and see if you can read the instances of this category there. If it works there it's most likely some hardening made on the machine in the registry. If it fails there as well, it could also be a counters corruption that might require a counters rebuild.
252 Views, 0 likes, 0 Comments
Re: Defender for identity updated itself, now it wont start
This will require the deployer logs. The answer on what broke this time should be there. I think that it's better at this point to contact support to help you do a "manual cleanup" to make sure you reinstall without any leftovers that might block you.
453 Views, 0 likes, 0 Comments
Re: Defender for identity updated itself, now it wont start
Is the updater binary in place as defined in its service definition? We need to find out what is holding the sensor updater from starting. Uninstall/reinstall failed where reinstall failed or just that the service couldn't start? Maybe check the performance counters like with the previous case? Maybe it's related.
463 Views, 0 likes, 2 Comments