identity protection
Azure ATP Sensor Setup - service not starting - missing dependency
When installing Azure ATP Sensor Setup, it just stalls midway and then rolls back the installation. I've looked into the logs and can see it's unable to start up the service AATPSensorUpdater. I did a dependency check and the WMI Performance Adapter (wmiApSrv) service is missing, which is a dependency. We've got 3 domain controllers; the setup only completed on one (it also got the WMI Performance Adapter (wmiApSrv) service). My question is now, how do I get the WMI Performance Adapter (wmiApSrv) service on the other 2 domain controllers so I can complete the installation? We are running virtual servers with VMware (WS2019).

What's new and What's learning period in Microsoft Defender for Identity.
In this blog post, I will explain an advanced settings capability available in Microsoft Defender for Identity, which will help security admins evaluate the product and tweak the sensitivity level of the alerts. What's Learning Period in MDI? What are the latest enhancements added to that feature? https://www.linkedin.com/pulse/whats-new-learning-period-microsoft-defender-identity-elie-karkafy

ATP sensor fails to start since yesterday
Hi there, we run the ATP sensor with a gMSA account on all domain controllers. Yesterday we restarted all machines because of January patch day and now the ATP sensor gets stuck while starting. Funny: there are more than 40 DCs. The service is still starting on exactly one (!) DC. It can be restarted on this DC without any issues. All others show this error. Rebooting the machines does not help.

2024-01-24 16:24:50.9788 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=mdiuser$ Domain=domain.local IsGroupManagedServiceAccount=True]
2024-01-24 16:24:51.4632 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=mdiuser$ Domain=domain.local IsSuccess=False]
2024-01-24 16:24:51.4632 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=mdiuser$ Domain=domain.local]
2024-01-24 16:24:51.4632 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc03.domain.local Domain=domain.local UserName=mdiuser$ ]

We have not changed anything regarding sensors or the gMSA account for months, so this configuration was running without issues until yesterday. Running Test-ADServiceAccount -Identity "mdiuser" on the affected machines gives "True", so the machine can successfully retrieve the gMSA password. I have checked that the mdiuser account is part of the GPO that allows logon as a service on all machines. Now I am running out of ideas. The system tells me it can access the gMSA password, the agent tells me it can't. What's wrong? Best regards, Ingo

MDI Sensor Updates options?
Hi, So far we have noticed that MDI Sensor updates can be "automatic" or "delayed". However, for our Production environment, we'd like these updates to be controlled by our team once they have done their testing in a TEST environment (i.e. we do not want them to be "automatic" or "delayed"). How do we therefore change the MDI Sensor update to be "manual", or via SCCM or similar? Thank you, SK

MDI & gMSA config
Hi, We have followed the MDI Deployment guide from Microsoft: https://learn.microsoft.com/en-us/defender-for-identity/deploy/deploy-defender-identity We have also cross-referenced this guide: https://jeffreyappel.nl/how-to-implement-defender-for-identity-and-configure-all-prerequisites/ The MDI Portal shows the gMSA account. The MDI agents are running fine and reporting to the MDI Portal. However, when we look at Services.msc on the Domain Controllers, the MDI agent runs under the security context of "Local Service" and not the gMSA account. Can anyone advise us on whether this is correct? Or should we see the gMSA account in the Services.msc console? And what other config may be required to make it run under the gMSA account? Thank you, SK (screenshot below)

Upcoming Webinar Series: ITDR
Update: the recordings of the webinar series ITDR can be found here; please scroll down to "MICROSOFT DEFENDER XDR".

The Microsoft POC as a Service (POCaaS) Program is a unique service available to our customers to help evaluate and try out our security offerings; we deliver these on a regular basis to customers around the world. They provide a fully managed test environment where customers can get hands-on experience with some of our core security products, namely Microsoft Defender for Identity, Defender for Endpoint, Defender for Cloud Apps, Defender for Office 365, and Sentinel. In addition to the hands-on elements of the service, one of our subject matter experts delivers a deep-dive workshop for the relevant service, showcasing its end-to-end capability and providing full education on the product. With this, we are thrilled to announce a new webinar series where we will take the workshop materials from each of our POCaaS programs, share best practices and provide education on each of the products we cover.

What to Expect

The webinar series will take the educational content from our POC offerings and condense it into multipart 1-hour webinars. We will start with a four-part webinar series with Chris Ayres to guide you through ITDR, Identity Threat Detection and Response.

Session 1: ITDR Introduction and Prevention Capabilities | April 23, 09:00 AM PST
Hear Microsoft's Incident Detection and Response (ITDR) story and understand its critical role in today's dynamic threat landscape. Explore the significance of prevention and adaptive controls.

Session 2: Detection | April 24, 09:00 AM PST
Discuss the imperative need for robust detection capabilities against advanced identity attacks, whether identities reside on-premises, in hybrid environments, or in the cloud, and discover the comprehensive solutions Microsoft offers to safeguard your entire identity estate effectively.

Session 3: Investigation and Hunting | April 30, 09:00 AM PST
Learn to empower your SOC with deep visibility into identity entities, context, and telemetry, and understand how this capability streamlines efficient investigation and incident triage.

Session 4: Response | May 1, 09:00 AM PST
Gain insights into native response capabilities seamlessly integrated into the SOC workflow. Learn how to leverage them to effectively respond to identity-related attacks and remediate issues within your environment. We will finish off with a short view on how you can best evaluate the products.

Save the Date

Reserve your spot for any session or the entire series on the Microsoft Security webinars page: Microsoft Sentinel & Defender XDR Security Public Webinars. Don't miss this opportunity to learn directly from our experts and have your questions addressed. We look forward to your participation!

User Risk Policy Migration to Conditional Access - Alerts
Hello all, and greetings from Portugal! I've just migrated my user risk and sign-in risk policies to Conditional Access, but I was wondering if this still allows me to receive alerts (like the user risk policy did) about detected users at risk. Tks in advance, Diogo Sousa
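Two threads on this page ("ATP sensor fails to start since yesterday" and "MDI & gMSA config") come down to the same two questions: can each domain controller actually obtain the sensor's gMSA password, and which account do the sensor services run as. The PowerShell below is an added example for those two threads; it is not code from either post, nor Microsoft's. It assumes the gMSA is called mdiuser (the name in the first thread), that the sensor services are named AATPSensor and AATPSensorUpdater (the updater is named in the first thread on this page), that the ActiveDirectory module is installed where the script runs, and that WinRM is reachable on every DC.

```powershell
# Added example, not code from any post on this page. Checks what a DC needs before the
# MDI sensor can obtain its gMSA password, then shows which account the sensor services run as.
# Assumed names: gMSA 'mdiuser' (without the trailing $); services AATPSensor / AATPSensorUpdater.
#Requires -Modules ActiveDirectory
$GmsaName = 'mdiuser'

# 1. A KDS root key must exist and already be effective, or no gMSA password can be computed.
$rootKeys = Get-KdsRootKey
if (-not $rootKeys) {
    Write-Warning 'No KDS root key found; gMSA passwords cannot be generated in this forest.'
} else {
    $rootKeys | Select-Object KeyId, EffectiveTime, CreationTime | Format-Table -AutoSize
}

# 2. Which principals may retrieve the password? Expand groups down to member computer accounts.
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval
$allowedSam = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
    if ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $dn -Recursive | Select-Object -ExpandProperty SamAccountName
    } else {
        $obj.sAMAccountName
    }
}
"Password retrievers for $GmsaName`$: $($allowedSam -join ', ')"
"Password change interval (days): $($gmsa.'msDS-ManagedPasswordInterval')"

# 3. Per DC: is its computer account among the allowed principals, can it really fetch the
#    password (Test-ADServiceAccount evaluates the computer it runs on, so it is run remotely),
#    and under which account do the sensor services run? Run as a domain admin.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$report = foreach ($dc in $dcs) {
    $computerSam = $dc.Split('.')[0] + '$'
    $canRetrieve = Invoke-Command -ComputerName $dc -ArgumentList $GmsaName `
        -ErrorAction SilentlyContinue -ScriptBlock {
            param($name)
            Import-Module ActiveDirectory
            Test-ADServiceAccount -Identity $name -ErrorAction SilentlyContinue
        }
    $svc = Get-CimInstance -ComputerName $dc -ClassName Win32_Service `
        -Filter "Name='AATPSensor' OR Name='AATPSensorUpdater'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController     = $dc
        InAllowedPrincipals  = ($allowedSam -contains $computerSam)
        TestADServiceAccount = [bool]$canRetrieve
        SensorServices       = ($svc | ForEach-Object { "$($_.Name): $($_.State), runs as $($_.StartName)" }) -join '; '
    }
}
$report | Format-Table -AutoSize

# 4. The gMSA also needs the 'Log on as a service' right (SeServiceLogonRight) on each DC.
#    This reads the effective setting on the machine the script runs on via secedit.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Two caveats worth knowing when reading the report. A computer that is added to the group listed in PrincipalsAllowedToRetrieveManagedPassword only carries the new group SID in its Kerberos ticket after a reboot or ticket purge, so InAllowedPrincipals can be True while TestADServiceAccount is still False until the DC restarts. And the log lines in the first thread (RemoteImpersonationManager / GetGroupManagedServiceAccountTokenAsync) show the sensor impersonating the gMSA at runtime rather than being started under it, which is why the second thread sees Local Service in Services.msc: the StartName column here is expected to show Local Service, and the gMSA matters for the impersonation step, not for the service logon.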