Sensor
49 Topics

Product feedback for Defender for Identity
Hi all,

We would love for you to share your thoughts, feedback, and experiences using Defender for Identity. You can share them on Gartner Peer Insights by using https://www.gartner.com/reviews/user-and-entity-behavior-analytics/form/?mid=431&pid=133287&vid=159. Your review will help us get the word out and continue to improve our solution.

If you're asked to create an account, please be aware that this is to ensure the legitimacy of the review, and Microsoft will not be given any information on the folks who've submitted reviews, positive or otherwise.

Defender for Identity doesn't have any reviews at the moment, so I'd love to see us populate this using the input from this community. I'm always impressed with the feedback we get through these channels. And if you have any questions or comments, let me know!

ATP and group managed service account not working on RODC
We have ATP sensors set up on our domain controllers. A group managed service account (gMSA) is being used. There are a few read-only domain controllers that can't seem to read the password, even though the servers are in the group that can read the gMSA user password. The gMSA account is set with permissions for 'log in as service'. Any suggestions on what to look for?

Errors from the sensor log:

2020-09-14 22:02:11.7896 Debug DirectoryServicesClient SetState Creating
2020-09-14 22:02:11.8346 Info ImpersonationManager CreateImpersonatorAsync started [UserName=<MSA-ACCOUNT> IsGroupManagedServiceAccount=True]
2020-09-14 22:02:11.8846 Info ImpersonationManager CreateImpersonatorAsync finished [UserName=<MSA-ACCOUNT> IsSuccess=False]
2020-09-14 22:02:11.8846 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=servername.domain.corp Domain=domain.corp UserName=<MSA-ACCOUUNT> ]
2020-09-14 22:02:12.0846 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=<serverwhereATPfailing.domain.corp]
   at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
   at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)
2020-09-14 22:02:12.0946 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers
   at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
   at object lambda_method(Closure, object[])
   at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
   at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
   at new Microsoft.Tri.Sensor.SensorModuleManager()
   at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
   at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
   at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
   at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)

8.7K Views, 2 likes, 15 Comments

Microsoft Defender for Identity and Npcap
Hi everyone,

Note that starting from MDI version 2.156, we are including the 1.0 OEM version of the Npcap executable in the Sensor deployment package file: https://docs.microsoft.com/en-us/defender-for-identity/whats-new#defender-for-identity-release-2156

So all you have to do is download the new package and extract the file from the ZIP archive.

The Microsoft Defender for Identity team is currently recommending that all customers deploy the Npcap driver before deploying the sensor on a domain controller or AD FS server. This will ensure that the Npcap driver is used instead of the WinPcap driver.

For more information on MDI and Npcap, please refer to our technical FAQ: https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#winpcap-and-npcap-drivers

Solved: Unable to install Azure ATP sensor on DCs. Could not load file or assembly 'Ben.Demystifier, V
[08A4:25DC][2020-02-15T14:32:46]i001: Burn v3.11.0.1701, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Users\AAWESH~2\AppData\Local\Temp\{4DF4837A-FAC5-45E1-8CF7-65C865EC14F1}\.cr\Azure ATP Sensor Setup.exe
[08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'AccessKey'
[08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'ProxyConfiguration'
[08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'ProxyUserPassword'
[08A4:25DC][2020-02-15T14:32:46]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[08A4:25DC][2020-02-15T14:32:46]i009: Command Line: '"-burn.clean.room=C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=544 -burn.filehandle.self=632'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Windows\ccmcache\10\'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\AAWESH~2\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20200215143246.log'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
[08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[08A4:25DC][2020-02-15T14:32:47]i000: Loading managed bootstrapper application.
[08A4:25DC][2020-02-15T14:32:47]i000: Creating BA thread to run asynchronously.
[08A4:25DC][2020-02-15T14:32:47]i100: Detect begin, 5 packages
[08A4:25DC][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.4352 Debug DeploymentModel DetectDeploymentAction DetectBegin [Installed=False]
[08A4:25DC][2020-02-15T14:32:47]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[08A4:25DC][2020-02-15T14:32:47]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[08A4:25DC][2020-02-15T14:32:47]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[08A4:25DC][2020-02-15T14:32:47]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'NetFrameworkRegistryValue' to value '528049'
[08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
[08A4:25DC][2020-02-15T14:32:47]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[08A4:25DC][2020-02-15T14:32:47]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[08A4:25DC][2020-02-15T14:32:47]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[08A4:25DC][2020-02-15T14:32:47]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[08A4:25DC][2020-02-15T14:32:47]i101: Detected package: MsiPackage, state: Absent, cached: None
[08A4:25DC][2020-02-15T14:32:47]i199: Detect complete, result: 0x0
[08A4:3284][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.4508 Debug DeploymentModel .ctor [DeploymentAction=Install]
[08A4:3284][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.5289 Debug DeploymentModel .ctor [IsAfterRestartAndConfigured=False]
[08A4:3284][2020-02-15T14:33:11]i000: 2020-02-15 09:03:11.8095 Error DeploymentModel ValidateCreateSensorAsync System.IO.FileNotFoundException: Could not load file or assembly 'Ben.Demystifier, Version=0.1.0.0, Culture=neutral, PublicKeyToken=a6d206e05440431a' or one of its dependencies. The system cannot find the file specified.
File name: 'Ben.Demystifier, Version=0.1.0.0, Culture=neutral, PublicKeyToken=a6d206e05440431a'
   at Microsoft.Tri.Infrastructure.SanitizationExtension.Sanitize(Exception exception)
   at Microsoft.Tri.Common.CommunicationWebClient.<SendWithRetryAsync>d__9`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Tri.Common.CommunicationWebClient.<SendAsync>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Tri.Sensor.Common.WorkspaceApplicationSensorApiDeploymentProxy.<SendAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Tri.Sensor.Deployment.Bundle.UI.DeploymentModel.<ValidateCreateSensorAsync>d__52.MoveNext()

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

failed connecting to service. The issue can be caused by a transparent proxy configuration [WorkspaceApplicationSensorApiEndpoint=Unspecified/amdocssensorapi.atp.azure.com:443]
[08A4:3284][2020-02-15T14:33:11]i000: 2020-02-15 09:03:11.8105 Info Model ValidateAsync ValidateCreateSensorAsync returned [validateCreateSensorResult=FailedConnectivity]
[08A4:3284][2020-02-15T14:33:53]i000: 2020-02-15 09:03:53.4862 Debug SensorBootstrapperApplication Run Engine.Quit [deploymentResultStatus=1602 isRestartRequired=False]
[08A4:25DC][2020-02-15T14:33:53]i500: Shutting down, exit code: 0x642
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: Kb4019990Windows2008R2Exists = 0
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: Kb4019990Windows2012Exists = 0
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: NetFrameworkRegistryValue = 528049
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: RebootPending = 0
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: ServerLevelsServerCoreRegistryValue = 1
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: ServerLevelsServerGuiShellRegistryValue = 1
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleAction = 5
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleElevated = 1
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleLog = C:\Users\AAWESH~2\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20200215143246.log
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleManufacturer = Microsoft Corporation
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleOriginalSource = C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleOriginalSourceFolder = C:\Windows\ccmcache\10\
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleProviderKey = {ae513c9a-d60f-4ba4-9bd2-6d5ccae1c9d3}
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleSourceProcessFolder = C:\Windows\ccmcache\10\
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleSourceProcessPath = C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleTag =
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleUILevel = 4
[08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleVersion = 2.0.0.0
[08A4:25DC][2020-02-15T14:33:53]i007: Exit code: 0x642, restarting: No

8.6K Views, 1 like, 6 Comments