Microsoft Defender for Identity topics
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/bd-p/AzureAdvancedThreatProtection
Feed: AzureAdvancedThreatProtection, last updated Fri, 22 Oct 2021 09:16:09 GMT

Defender for Identity sensor installation error: DISM Image Servicing Utility has stopped working
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-sensor-installation-error-dism-image/m-p/2872837#M2554
<P>I'm currently implementing Defender for Identity on a domain controller running Windows Server 2012 64-bit. The server has the latest monthly update rollup. The installed .NET Framework is 4.8.</P>
<P>The sensor wizard throws the error "DISM Image Servicing Utility has stopped working" when it reaches the .NET Framework installation. According to the Microsoft docs, the sensor checks whether the server has at least .NET Framework 4.7 installed; if not, the wizard installs the framework. From the error details, the sensor wizard shows that there is a fault in the dismprov.dll file. What I did was copy dismprov.dll from a normal computer and register it on the server using the "regsvr32 dismprov.dll" command as an admin, but the problem still persists.</P>
<P>What is the root cause of this and how can I resolve it?</P>
Posted by Bernard_Mwanza on Fri, 22 Oct 2021 06:54:18 GMT

How to uninstall Azure ATP sensor manually
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/how-to-uninstall-azure-atp-sensor-manually/m-p/2841803#M2545
<P>Hello,</P>
<P>We have encountered latency issues on our DCs and we have uninstalled the Azure ATP sensor.<BR />But the problem did not come from there.<BR />Now we want to reinstall the Azure ATP Sensor.<BR />But it's impossible.</P>
<P>While installing, we got an error saying Azure ATP Sensor is already installed:</P>
<P><EM>Error DeploymentManager ShowErrorMessage Microsoft Defender for Identity Sensor 2.0.0.0 is already installed</EM></P>
<P>When we try to uninstall the old Azure ATP sensor, we get an error:</P>
<P><EM>Error DeploymentManager ShowErrorMessage Product is not installed</EM><BR /><EM>Exit code: 0x643</EM></P>
<P>How can I uninstall the Azure ATP Sensor manually?<BR /><BR />My servers are Windows Server 2016 Core.<BR /><BR />Thanks for your help</P>
Posted by Adaurg on Wed, 13 Oct 2021 12:59:35 GMT

Change the name of gMSA
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/change-the-name-of-gmsa/m-p/2837649#M2541
<P>Hi</P>
<P>There was some conflict in the name of the gMSA between us and what our ATP team configured. They are asking us to change the name of our gMSA, so what is the better solution to change the name of a gMSA?</P>
<P>Is it by right-clicking on our gMSA and selecting Rename, or is there a PowerShell command?</P>
<P>Thanks in advance for your help</P>
Posted by mohammed_mano on Tue, 12 Oct 2021 11:53:14 GMT

Alert configuration
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/alert-configuration/m-p/2823866#M2538
<P>Is there a way or URL that lists all the alerts the system is capable of? Our auditors are looking for that information. Could anyone please point me in the correct direction?</P>
Posted by Ksuarez on Thu, 07 Oct 2021 18:25:17 GMT

Azure Advanced Threat Protection Sensor Service
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/azure-advanced-threat-protection-sensor-service/m-p/2821601#M2536
<P>Hi</P>
<P>I set the Azure Advanced Threat Protection Sensor Service to log on with the <STRONG><EM>"This account"</EM></STRONG> option.</P>
<P>Now I want to restore it to the <STRONG><EM>"Local System account"</EM></STRONG> logon option.</P>
<P><STRONG>Can you please help?</STRONG></P>
Posted by mohammed_mano on Thu, 07 Oct 2021 10:09:20 GMT

Low information alert, Remote code execution attempt
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/low-information-alert-remote-code-execution-attempt/m-p/2801839#M2528
<P>Greetings, I have a customer that is running Defender for Identity and this alert keeps showing up in their Azure Sentinel instance.</P>
<P>I thought it might have been a problem with information being lost on the way from Defender for Identity -&gt; Cloud App Security -&gt; Sentinel, but from the Defender for Identity portal it is just as inexpressive.</P>
<P>[image: stianhoydal_0-1633073406805.png]</P>
<P>Is there a way to get more information sent with the alert?</P>
Posted by stianhoydal on Fri, 01 Oct 2021 07:30:51 GMT

MDI - AD FS Sensor Errors
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-ad-fs-sensor-errors/m-p/2790594#M2522
<P>Seeing the following error every few minutes on AD FS sensors (newer install), and then found it on all existing DC sensors. Followed the "Configure object auditing" documentation as carefully as possible. We're using a standard AD user account as the service account. There is a group policy set for security log access and this service account is added with "0x1" read access (AccessAllowed (List Directory)). We've also added this account to the Builtin/Event Log Readers group and restarted the DC and AD FS servers, but we're still seeing this error. Also tried uninstalling and reinstalling the sensor. Are we missing another location where security log permissions are set?</P>
<LI-CODE lang="json">2021-09-27 21:05:59.1767 Error WindowsEventLogReader RunPeriodic actionAsync failed Microsoft.Tri.Infrastructure.ExtendedException: [unauthorizedAccessLogNames=Security] ---&gt; System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at EventLogHandle System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, string path, string query, EventLogHandle bookmark, IntPtr context, IntPtr callback, int flags)
at void System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
at void Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()+(KeyValuePair&lt;string, EventLogWatcher&gt; logNameToEventLogWatcher) =&gt; { }
--- End of inner exception stack trace ---
at void Microsoft.Tri.Sensor.WindowsEventLogReader.EnableEventLogWatchers()
at Func&lt;Task&gt; Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action action)+() =&gt; { }
at async Task Microsoft.Tri.Infrastructure.Module.RunTaskAsync(Func&lt;Task&gt; actionAsync, string name, SimpleTimeMetric timeMetric)
at async void Microsoft.Tri.Infrastructure.Module.RegisterPeriodicTask(IMetricManager metricManager, Action action, PeriodicTaskConfiguration configuration)+(?) =&gt; { }
at async Task Microsoft.Tri.Infrastructure.TaskExtension.RunPeriodic(Action action, PeriodicTaskConfiguration configuration, CancellationToken cancellationToken)+(?) =&gt; { }</LI-CODE>
<P>We're also seeing the login fail for the service account on the WID on the AD FS sensors. Can someone explain how to set the proper permissions on the WID? The service account has a login, public role assigned, mapped to AdfsConfiguration and AdfsConfigurationV4, default schema of dbo, Grant permission to connect to db engine, login enabled, explicit permissions granted are Select and Connect (both with dbo grantor).</P>
<LI-CODE lang="json">2021-09-28 05:14:12.1864 Error SqlInternalConnectionTds QueryAdfsServerDnsNamesAsync failed to get ADFS servers dns names [adfsConfigurationDatabaseConnectionString=Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfigurationV4;Integrated Security=True] System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'DOMAIN\serviceaccount'.
at new System.Data.SqlClient.SqlInternalConnectionTds(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, object providerInfo, string newPassword, SecureString newSecurePassword, bool redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, string accessToken, bool applyTransientFaultHandling, SqlAuthenticationProviderManager sqlAuthProviderManager)
at DbConnectionInternal System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
at DbConnectionInternal System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
at DbConnectionInternal System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
at DbConnectionInternal System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
at bool System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, uint waitForMultipleObjectsTimeout, bool allowCreate, bool onlyOneCheckConnection, DbConnectionOptions userOptions, out DbConnectionInternal connection)
at void System.Data.ProviderBase.DbConnectionPool.WaitForPendingOpen()
at async Task&lt;IEnumerable&lt;TResult&gt;&gt; Microsoft.Tri.Infrastructure.SqlClient.QueryAsync&lt;TResult&gt;(string query, CancellationToken cancellationToken)
at async Task&lt;HashSet&lt;DnsName&gt;&gt; Microsoft.Tri.Sensor.DirectoryServicesResolver+&lt;&gt;c__DisplayClass126_0.&lt;SynchronizeAdfsServerDnsNamesAsync&gt;g__QueryAdfsServerDnsNamesAsync|1(?)+QueryAdfsServerDnsNamesAsync(?)
ClientConnectionId:0577f6a3-837d-419f-8508-2c7fd6dce706
Error Number:18456,State:1,Class:14</LI-CODE>
<P>Thanks for any assistance!</P>
<P>Derek</P>
Posted by dcoffrin on Tue, 28 Sep 2021 05:32:27 GMT

PetitPotam - Defender For Identity Alert IDs
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/petitpotam-defender-for-identity-alert-ids/m-p/2788441#M2519
<P>This blog indicates PetitPotam is now detected by Defender For Identity. But what is the corresponding Alert ID?</P>
<P><A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/petitpotam-microsoft-defender-for-identity-has-it-covered/ba-p/2656271" target="_blank">https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/petitpotam-microsoft-defender-for-identity-has-it-covered/ba-p/2656271</A></P>
<P>The Alert IDs have not been updated since October 2020:</P>
<P><A href="#" target="_blank">https://docs.microsoft.com/en-us/defender-for-identity/suspicious-activity-guide?tabs=cloud-app-security#security-alert-name-mapping-and-unique-external-ids</A></P>
Posted by RogerB1500 on Mon, 27 Sep 2021 14:18:12 GMT

Integrate AADDS with Microsoft Defender for Identity
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/integrate-aadds-with-microsoft-defender-for-identity/m-p/2776950#M2515
<P>I saw an old post about this, but I'm hoping something has changed. Is it possible yet to integrate Azure Active Directory Domain Services with Microsoft Defender for Identity?</P>
<P>We have the sensors installed on our local Active Directory domain controllers. We will likely configure AADDS and start moving resources away from local AD to AADDS and want to maintain the same level of security monitoring.</P>
<P>Thoughts?</P>
<P>Thanks.</P>
Posted by JinsengH on Thu, 23 Sep 2021 03:59:20 GMT

VPN Integration with Network Policy Server (NPS) RADIUS Accounting?
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/vpn-integration-with-network-policy-server-nps-radius-accounting/m-p/2773592#M2509
<P>Hello,</P>
<P>Looking to integrate our 3rd party VPN solution with MSFT Defender for Identity.</P>
<P>The solution is using Microsoft's Network Policy Server (NPS) for authentication, and there are options inside NPS's Connection Request Policies for forwarding RADIUS accounting logs.</P>
<P>I have this configured and enabled the VPN RADIUS Accounting settings in MSFT Defender for Identity, but I am not getting anything under "Accessed VPN locations".</P>
<P>I read on here about making sure the &lt;User-Name data_type="1"&gt;&lt;/User-Name&gt; field forwarded by NPS matches the user UPN. In my case it was realm\user and using a regex I changed this to user@domain.com, which matches the AD UPN attribute.</P>
<P>However I am not getting any data.</P>
<OL><LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/always-on-vpn-integration/m-p/2071568" target="_blank">https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/always-on-vpn-integration/m-p/2071568</A></LI><LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/atp-and-vpn-integration-vpn-login-with-upn/m-p/1346577" target="_blank">https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/atp-and-vpn-integration-vpn-login-with-upn/m-p/1346577</A></LI></OL>
<P>Here is the event when NPS is configured to dump to a log file.</P>
<LI-CODE lang="applescript">&lt;Event&gt;
&lt;Timestamp data_type="4"&gt;09/22/2021 06:28:30.133&lt;/Timestamp&gt;
&lt;Computer-Name data_type="1"&gt;XXXXX&lt;/Computer-Name&gt;
&lt;Event-Source data_type="1"&gt;IAS&lt;/Event-Source&gt;
&lt;NAS-Identifier data_type="1"&gt;XXXXX&lt;/NAS-Identifier&gt;
&lt;Calling-Station-Id data_type="1"&gt;XXXXX&lt;/Calling-Station-Id&gt;
&lt;Client-IP-Address data_type="3"&gt;172.16.XXX.XXX&lt;/Client-IP-Address&gt;
&lt;Client-Vendor data_type="0"&gt;0&lt;/Client-Vendor&gt;
&lt;Client-Friendly-Name data_type="1"&gt;XXXXX&lt;/Client-Friendly-Name&gt;
&lt;Proxy-Policy-Name data_type="1"&gt;XXXXX&lt;/Proxy-Policy-Name&gt;
&lt;Provider-Type data_type="0"&gt;1&lt;/Provider-Type&gt;
&lt;User-Name data_type="1"&gt;user@domain.com&lt;/User-Name&gt;
&lt;SAM-Account-Name data_type="1"&gt;XXXXX&lt;/SAM-Account-Name&gt;
&lt;NP-Policy-Name data_type="1"&gt;NetMotion&lt;/NP-Policy-Name&gt;
&lt;Class data_type="1"&gt;311 1 172.16.XXX.XXX 08/30/2021 07:33:12 1463&lt;/Class&gt;
&lt;Authentication-Type data_type="0"&gt;8&lt;/Authentication-Type&gt;
&lt;Fully-Qualifed-User-Name data_type="1"&gt;XXXXX&lt;/Fully-Qualifed-User-Name&gt;
&lt;EAP-Friendly-Name data_type="1"&gt;Microsoft: Secured password (EAP-MSCHAP v2)&lt;/EAP-Friendly-Name&gt;
&lt;Packet-Type data_type="0"&gt;1&lt;/Packet-Type&gt;
&lt;Reason-Code data_type="0"&gt;0&lt;/Reason-Code&gt;
&lt;/Event&gt;</LI-CODE>
Posted by Mirza Dedic on Wed, 22 Sep 2021 13:46:14 GMT

Reconnaissance using Directory Services queries
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/reconnaissance-using-directory-services-queries/m-p/2758943#M2504
<P>Hi,</P>
<P>I observe SAMR queries from some servers and desktops to the Domain controller for various user accounts.</P>
<P>So whenever it's an admin account it triggers the Reconnaissance using Directory Services queries alert on ATA (Microsoft Advanced Threat Analytics).</P>
<P>For the investigation I tried to use the <A href="#" target="_blank" rel="noopener">ATA guide</A> but am not sure how to investigate the below:</P>
<OL><LI>Are such queries supposed to be made from the source computer in question?</LI></OL>
<P>What can be the legitimate cases for SAM-R queries?</P>
<P>Note: This is not related to the Lenovo issue with SAMR or WaAppAgent.exe</P>
<P>Thanks,</P>
Posted by ARJ_Cyb on Fri, 17 Sep 2021 04:35:46 GMT

MDI Security Posture
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-security-posture/m-p/2753969#M2503
<P>Under Security Posture in MCAS - LAPS. It reports correctly that I do NOT have LAPS. However, why does it not have a hyperlink to view the machines which do NOT have the agent?</P>
<P>[image: mdilapserror.PNG]</P>
Posted by crane041314 on Wed, 15 Sep 2021 18:32:35 GMT

Alerts for uptake of Azure Virtual Desktop etc
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/alerts-for-uptake-of-azure-virtual-desktop-etc/m-p/2752313#M2502
<P>Hi all,</P>
<P>Just wondering what to do to get MDI to apply some basic intelligence to account alerts. We (and many customers) have been deploying services like Azure Virtual Desktop over recent months. These are used for ad-hoc access to legacy on-prem services. As a result MDI/MCAS turns into a stream of risky logon spam.</P>
<P>All the AVD virtual machines are hybrid joined and compliant.</P>
<P>I can't exclude/trust the source IP as it is dozens of Azure data centre outbound IP locations and shared amongst random tenants.</P>
<P>I was wondering about setting the AVD Azure vnet as a trusted location, but I don't like to do this, as a user or intruder just needs to happen to use the same subnet on their internal network and it gets treated as trusted. This would be for MCAS and I'm not sure that would have any impact on MDI risky sign-ins.</P>
<P>I can't see a way to tell MDI that access from virtual desktop is fairly trusted; the access being intermittent and ad-hoc seems to be preventing it from learning that these are 'internal systems'. With Windows 365 and continued uptake of AVD I can see this getting much worse, to the point where genuine sign-in risk just gets lost in the sea of virtual desktop spam.</P>
<P>Guidance and experience appreciated.</P>
<P>Pete</P>
Posted by Peter Holland on Wed, 15 Sep 2021 11:02:16 GMT

Test-AdServiceAccount getting result false
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/test-adserviceaccount-getting-result-false/m-p/2741194#M2490
<P>Test-AdServiceAccount -Identity gmsa_account<BR />False</P>
<P>WARNING: Test failed for Managed Service Account gmsa_account. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information.</P>
<P>I'm getting the above error and the ATP service is not starting.</P>
<P>Any suggestion?</P>
Posted by pugazhendhi on Fri, 10 Sep 2021 19:45:14 GMT

ATP service not starting
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/atp-service-not-starting/m-p/2740502#M2488
<P>The ATP "AATPSensor" service alone is not starting.</P>
<P>2021-09-03 13:18:58.7947 Error DirectoryServicesClient+&lt;CreateLdapConnectionAsync&gt;d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=DC1.chennai.LOCAL]<BR />
at async Task&lt;LdapConnection&gt; Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)<BR />
at async Task&lt;bool&gt; Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)<BR />
2021-09-03 13:18:58.8103 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers<BR />
at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)<BR />
at object lambda_method(Closure, object[])<BR />
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()<BR />
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(params Type[] moduleTypes)<BR />
at new Microsoft.Tri.Sensor.SensorModuleManager()<BR />
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()<BR />
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()<BR />
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)<BR />
2021-09-03 13:19:22.2965 Error DirectoryServicesClient+&lt;CreateLdapConnectionAsync&gt;d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=DC1.chennai.LOCAL]<BR />
at async Task&lt;LdapConnection&gt; Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)<BR />
at async Task&lt;bool&gt; Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)</P>
<P>Any suggestion?</P>
Posted by pugazhendhi on Mon, 13 Sep 2021 22:33:44 GMT

Defender for Identity sensor install failing - error code 0x80070643
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-sensor-install-failing-error-code/m-p/2735650#M2481
<P>I have 2 Active Directory servers running Windows Server 2019 (1809), no proxy, no core. I try to install the Defender for Identity sensor on a DC, and the setup wizard runs until a point. 
Then setup fails with 0x80070643 and does a rollback.</P>
<P>[image: DatTran_0-1631180794865.png]</P>
<P>MsiPackage.log file:</P>
Its value is '1'.<BR />MSI (s) (94:00) [23:27:58:855]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.<BR />MSI (s) (94:00) [23:27:58:855]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2<BR />MSI (s) (94:00) [23:27:58:855]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Administrator'.<BR />MSI (s) (94:00) [23:27:58:855]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2<BR />MSI (s) (94:00) [23:27:58:855]: PROPERTY CHANGE: Adding COMPANYNAME property. Its value is 'N/A'.<BR />MSI (s) (94:00) [23:27:58:855]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\901521.msi'.<BR />MSI (s) (94:00) [23:27:58:855]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Package Cache\{61E851B5-79C3-44C6-9FCD-1AD4A73553F4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi'.<BR />MSI (s) (94:00) [23:27:58:855]: Machine policy value 'MsiDisableEmbeddedUI' is 0<BR />MSI (s) (94:00) [23:27:58:855]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI<BR />MSI (s) (94:00) [23:27:58:855]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: PatchPackage<BR />MSI (s) (94:00) [23:27:58:870]: Machine policy value 'DisableRollback' is 0<BR />MSI (s) (94:00) [23:27:58:870]: User policy value 'DisableRollback' is 0<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. 
Its value is '1'.<BR />=== Logging started: 08/09/2021 23:27:58 ===<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038<BR />MSI (s) (94:00) [23:27:58:870]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.<BR />MSI (s) (94:00) [23:27:58:870]: Doing action: INSTALL<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: ActionText<BR />Action start 23:27:58: INSTALL.<BR />MSI (s) (94:00) [23:27:58:870]: Running ExecuteSequence<BR />MSI (s) (94:00) [23:27:58:870]: Doing action: FindRelatedProducts<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: ActionText<BR />Action start 23:27:58: FindRelatedProducts.<BR />MSI (s) (94:00) [23:27:58:870]: Doing action: LaunchConditions<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: FindRelatedProducts. Return value 1.<BR />Action start 23:27:58: LaunchConditions.<BR />MSI (s) (94:00) [23:27:58:870]: Doing action: ValidateProductID<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: LaunchConditions. Return value 1.<BR />Action start 23:27:58: ValidateProductID.<BR />MSI (s) (94:00) [23:27:58:870]: Doing action: CostInitialize<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: ValidateProductID. Return value 1.<BR />MSI (s) (94:00) [23:27:58:870]: Machine policy value 'MaxPatchCacheSize' is 10<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding CostingComplete property. 
Its value is '0'.<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: Patch<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: PatchPackage<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: MsiPatchHeaders<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: __MsiPatchFileList<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: PatchPackage<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: Patch<BR />Action start 23:27:58: CostInitialize.<BR />MSI (s) (94:00) [23:27:58:870]: Doing action: FileCost<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: CostInitialize. Return value 1.<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: MsiAssembly<BR />Action start 23:27:58: FileCost.<BR />MSI (s) (94:00) [23:27:58:870]: Doing action: CostFinalize<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: FileCost. Return value 1.<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: Patch<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: Condition<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding TARGETDIR property. 
Its value is 'C:\'.<BR />MSI (s) (94:00) [23:27:58:870]: Target path resolution complete. Dumping Directory table...<BR />MSI (s) (94:00) [23:27:58:870]: Note: target paths subject to change (via custom actions or browsing)<BR />MSI (s) (94:00) [23:27:58:870]: Dir (target): Key: TARGETDIR , Object: C:\<BR />MSI (s) (94:00) [23:27:58:870]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.<BR />Action start 23:27:58: CostFinalize.<BR />MSI (s) (94:00) [23:27:58:870]: Doing action: MigrateFeatureStates<BR />MSI (s) (94:00) [23:27:58:870]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: CostFinalize. Return value 1.<BR />Action start 23:27:58: MigrateFeatureStates.<BR />MSI (s) (94:00) [23:27:58:886]: Doing action: InstallValidate<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: MigrateFeatureStates. Return value 0.<BR />MSI (s) (94:00) [23:27:58:886]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is '6c5de35935e7d644830a241ae0bf7f8c'.<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Dialog<BR />MSI (s) (94:00) [23:27:58:886]: Feature: ProductFeature; Installed: Absent; Request: Local; Action: Local<BR />MSI (s) (94:00) [23:27:58:886]: Component: ProductComponent; Installed: Absent; Request: Local; Action: Local<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Registry<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: BindImage<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: ProgId<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: PublishComponent<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: SelfReg<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Extension<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Font<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Shortcut<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Class<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: 
Icon<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: TypeLib<BR />Action start 23:27:58: InstallValidate.<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: MsiAssembly<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2228 2: 3: MsiAssembly 4: SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`, `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ?<BR />MSI (s) (94:00) [23:27:58:886]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Registry<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: BindImage<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: ProgId<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: PublishComponent<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: SelfReg<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Extension<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Font<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Shortcut<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Class<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: Icon<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: TypeLib<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2727 2:<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: FilesInUse<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2727 2:<BR />MSI (s) (94:00) [23:27:58:886]: Doing action: InstallInitialize<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: InstallValidate. 
Return value 1.<BR />MSI (s) (94:00) [23:27:58:886]: Machine policy value 'AlwaysInstallElevated' is 0<BR />MSI (s) (94:00) [23:27:58:886]: User policy value 'AlwaysInstallElevated' is 0<BR />MSI (s) (94:00) [23:27:58:886]: BeginTransaction: Locking Server<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038<BR />MSI (s) (94:00) [23:27:58:886]: SRSetRestorePoint skipped for this transaction.<BR />MSI (s) (94:00) [23:27:58:886]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038<BR />MSI (s) (94:00) [23:27:58:886]: Server not locked: locking for product {61E851B5-79C3-44C6-9FCD-1AD4A73553F4}<BR />Action start 23:27:58: InstallInitialize.<BR />MSI (s) (94:00) [23:27:58:902]: Doing action: InstallCustomAction<BR />MSI (s) (94:00) [23:27:58:902]: Note: 1: 2205 2: 3: ActionText<BR />Action ended 23:27:58: InstallInitialize. Return value 1.<BR />MSI (s) (94:40) [23:27:58:908]: Invoking remote custom action. 
DLL: C:\Windows\Installer\MSI15CD.tmp, Entrypoint: Install<BR />MSI (s) (94:6C) [23:27:58:908]: Generating random cookie.<BR />MSI (s) (94:6C) [23:27:58:908]: Created Custom Action Server with PID 12504 (0x30D8).<BR />MSI (s) (94:90) [23:27:58:924]: Running as a service.<BR />MSI (s) (94:E8) [23:27:58:939]: Hello, I'm your 64bit Impersonated custom action server.<BR />Action start 23:27:58: InstallCustomAction.<BR />SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI15CD.tmp-\<BR />SFXCA: Binding to CLR version v4.0.30319<BR />Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Install<BR />2021-09-08 16:28:00.2746 Debug CustomActions RunActionGroup InstallActionGroup started<BR />2021-09-08 16:28:00.2902 Debug InstallActionGroup Apply started<BR />2021-09-08 16:28:00.2902 Debug CreateDirectoryDeploymentAction Apply started [suppressFailure=False]<BR />2021-09-08 16:28:00.2902 Debug CreateDirectoryDeploymentAction Apply finished<BR />2021-09-08 16:28:00.2902 Debug DownloadMinorDeploymentPackageBytesAction Apply started [suppressFailure=False]<BR />2021-09-08 16:28:05.0977 Debug DownloadMinorDeploymentPackageBytesAction Apply finished<BR />2021-09-08 16:28:05.0977 Debug UnpackDeploymentPackageBytesAction Apply started [suppressFailure=False]<BR />2021-09-08 16:28:05.9688 Debug UnpackDeploymentPackageBytesAction Apply finished<BR />2021-09-08 16:28:05.9688 Debug RunDeployerMajorDeploymentAction Apply started [suppressFailure=False]<BR />2021-09-08 16:28:05.9844 Info RunDeployerMajorDeploymentAction ApplyInternal started [filePath=ETAPZ0LIXJS3Ig8prJ1PFA== _arguments=W99/xxf9VqhqIKYVgAACqA==]<BR />2021-09-08 16:28:07.6428 Info RunDeployerMajorDeploymentAction ApplyInternal finished [isSuccessful=False]<BR />2021-09-08 16:28:07.6428 Debug InstallActionGroup Revert started<BR />2021-09-08 16:28:07.6428 Warn InstallActionGroup Revert reverting 
[rollbackAction=UnpackDeploymentPackageBytesAction index=0 count=3]<BR />2021-09-08 16:28:07.6585 Debug UnpackDeploymentPackageBytesAction Revert started<BR />2021-09-08 16:28:07.6897 Debug UnpackDeploymentPackageBytesAction Revert finished<BR />2021-09-08 16:28:07.6897 Warn InstallActionGroup Revert reverting [rollbackAction=DownloadMinorDeploymentPackageBytesAction index=1 count=3]<BR />2021-09-08 16:28:07.7054 Debug DownloadMinorDeploymentPackageBytesAction Revert started<BR />2021-09-08 16:28:07.7054 Debug DownloadMinorDeploymentPackageBytesAction Revert finished<BR />2021-09-08 16:28:07.7054 Warn InstallActionGroup Revert reverting [rollbackAction=CreateDirectoryDeploymentAction index=2 count=3]<BR />2021-09-08 16:28:07.7054 Debug CreateDirectoryDeploymentAction Revert started<BR />2021-09-08 16:28:07.7054 Debug CreateDirectoryDeploymentAction Revert finished<BR />2021-09-08 16:28:07.7054 Debug InstallActionGroup Revert finished<BR />2021-09-08 16:28:07.7431 Error DeploymentAction Failed to apply InstallActionGroup<BR />Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction]<BR />at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)<BR />at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)<BR />at ActionResult Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.RunActionGroup(DeploymentActionGroup deploymentActionGroup, Session session)<BR />2021-09-08 16:28:07.7431 Debug CustomActions RunActionGroup InstallActionGroup finished [result=Failure]<BR />CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)<BR />MSI (s) (94:00) [23:28:07:821]: Note: 1: 2265 2: 3: -2147287035<BR />MSI (s) (94:00) [23:28:07:821]: Machine policy value 'DisableRollback' is 0<BR />MSI (s) (94:00) [23:28:07:821]: Note: 1: 1402 2: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2<BR />Action ended 23:28:07: InstallCustomAction. Return value 3.<BR />MSI (s) (94:00) [23:28:07:821]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2<BR />MSI (s) (94:00) [23:28:07:821]: No System Restore sequence number for this installation.<BR />MSI (s) (94:00) [23:28:07:821]: Unlocking Server<BR />Action ended 23:28:07: INSTALL. Return value 3.<BR />Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2}<BR />Property(S): TARGETDIR = C:\<BR />Property(S): ALLUSERS = 1<BR />Property(S): Manufacturer = Microsoft Corporation<BR />Property(S): ProductCode = {61E851B5-79C3-44C6-9FCD-1AD4A73553F4}<BR />Property(S): ProductLanguage = 1033<BR />Property(S): ProductName = Azure Advanced Threat Protection Sensor<BR />Property(S): ProductVersion = 2.0.0.0<BR />Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED<BR />Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION<BR />Property(S): MsiLogFileLocation = C:\Users\ADMINI~1.GRE\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210908232740_000_MsiPackage.log<BR />Property(S): PackageCode = {6F8A7B28-5262-426D-A9E7-47443E6A6B39}<BR />Property(S): ProductState = -1<BR />Property(S): PackagecodeChanging = 1<BR />Property(S): ARPSYSTEMCOMPONENT = 1<BR />Property(S): MSIFASTINSTALL = 7<BR />Property(S): ACCESSKEY = **********<BR />Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor<BR />Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = C:\Azure ATP Sensor Setup\<BR />Property(S): REBOOT = ReallySuppress<BR />Property(S): CURRENTDIRECTORY = C:\Azure ATP Sensor Setup<BR />Property(S): CLIENTUILEVEL = 3<BR />Property(S): MSICLIENTUSESEXTERNALUI = 1<BR />Property(S): CLIENTPROCESSID = 12640<BR />Property(S): MsiSystemRebootPending = 1<BR />Property(S): VersionDatabase = 500<BR 
/>Property(S): VersionMsi = 5.00<BR />Property(S): VersionNT = 603<BR />Property(S): VersionNT64 = 603<BR />Property(S): WindowsBuild = 9600<BR />Property(S): ServicePackLevel = 0<BR />Property(S): ServicePackLevelMinor = 0<BR />Property(S): MsiNTProductType = 2<BR />Property(S): MsiNTSuiteDataCenter = 1<BR />Property(S): WindowsFolder = C:\Windows\<BR />Property(S): WindowsVolume = C:\<BR />Property(S): System64Folder = C:\Windows\system32\<BR />Property(S): SystemFolder = C:\Windows\SysWOW64\<BR />Property(S): RemoteAdminTS = 1<BR />Property(S): TempFolder = C:\Users\ADMINI~1.GRE\AppData\Local\Temp\<BR />Property(S): ProgramFilesFolder = C:\Program Files (x86)\<BR />Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\<BR />Property(S): ProgramFiles64Folder = C:\Program Files\<BR />Property(S): CommonFiles64Folder = C:\Program Files\Common Files\<BR />Property(S): AppDataFolder = C:\Users\administrator.xxx\AppData\Roaming\<BR />Property(S): FavoritesFolder = C:\Users\administrator.xxx\Favorites\<BR />Property(S): NetHoodFolder = C:\Users\administrator.xxx\AppData\Roaming\Microsoft\Windows\Network Shortcuts\<BR />Property(S): PersonalFolder = C:\Users\administrator.xxx\Documents\<BR />Property(S): PrintHoodFolder = C:\Users\administrator.xxx\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\<BR />Property(S): RecentFolder = C:\Users\administrator.xxx\AppData\Roaming\Microsoft\Windows\Recent\<BR />Property(S): SendToFolder = C:\Users\administrator.xxx\AppData\Roaming\Microsoft\Windows\SendTo\<BR />Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\<BR />Property(S): CommonAppDataFolder = C:\ProgramData\<BR />Property(S): LocalAppDataFolder = C:\Users\administrator.xxx\AppData\Local\<BR />Property(S): MyPicturesFolder = C:\Users\administrator.xxx\Pictures\<BR />Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\<BR />Property(S): StartupFolder = 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\<BR />Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\<BR />Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\<BR />Property(S): DesktopFolder = C:\Users\Public\Desktop\<BR />Property(S): FontsFolder = C:\Windows\Fonts\<BR />Property(S): GPTSupport = 1<BR />Property(S): OLEAdvtSupport = 1<BR />Property(S): ShellAdvtSupport = 1<BR />Property(S): MsiAMD64 = 6<BR />Property(S): Msix64 = 6<BR />Property(S): Intel = 6<BR />Property(S): PhysicalMemory = 12288<BR />Property(S): VirtualMemory = 7407<BR />Property(S): AdminUser = 1<BR />Property(S): MsiTrueAdminUser = 1<BR />Property(S): LogonUser = administrator<BR />Property(S): UserSID = S-1-5-21-895235092-2957102850-851312084-500<BR />Property(S): UserLanguageID = 1033<BR />Property(S): ComputerName = IDC<BR />Property(S): SystemLanguageID = 1033<BR />Property(S): ScreenX = 1024<BR />Property(S): ScreenY = 768<BR />Property(S): CaptionHeight = 23<BR />Property(S): BorderTop = 1<BR />Property(S): BorderSide = 1<BR />Property(S): TextHeight = 16<BR />Property(S): TextInternalLeading = 3<BR />Property(S): ColorBits = 32<BR />Property(S): TTCSupport = 1<BR />Property(S): Time = 23:28:07<BR />Property(S): Date = 9/8/2021<BR />Property(S): MsiNetAssemblySupport = 4.7.3190.0<BR />Property(S): MsiWin32AssemblySupport = 6.3.17763.1<BR />Property(S): RedirectedDllSupport = 2<BR />Property(S): MsiRunningElevated = 1<BR />Property(S): Privileged = 1<BR />Property(S): USERNAME = Administrator<BR />Property(S): COMPANYNAME = N/A<BR />Property(S): DATABASE = C:\Windows\Installer\901521.msi<BR />Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{61E851B5-79C3-44C6-9FCD-1AD4A73553F4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi<BR />Property(S): UILevel = 2<BR />Property(S): MsiUISourceResOnly = 1<BR />Property(S): ACTION = INSTALL<BR />Property(S): ROOTDRIVE = C:\<BR />Property(S): 
CostingComplete = 1<BR />Property(S): OutOfDiskSpace = 0<BR />Property(S): OutOfNoRbDiskSpace = 0<BR />Property(S): PrimaryVolumeSpaceAvailable = 0<BR />Property(S): PrimaryVolumeSpaceRequired = 0<BR />Property(S): PrimaryVolumeSpaceRemaining = 0<BR />Property(S): INSTALLLEVEL = 1<BR />MSI (s) (94:00) [23:28:07:843]: Note: 1: 1708<BR />MSI (s) (94:00) [23:28:07:843]: Note: 1: 2205 2: 3: Error<BR />MSI (s) (94:00) [23:28:07:843]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708<BR />MSI (s) (94:00) [23:28:07:843]: Note: 1: 2205 2: 3: Error<BR />MSI (s) (94:00) [23:28:07:843]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709<BR />MSI (s) (94:00) [23:28:07:843]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.</P><P>MSI (s) (94:00) [23:28:07:843]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.</P><P>MSI (s) (94:00) [23:28:07:843]: Deferring clean up of packages/files, if any exist<BR />MSI (s) (94:00) [23:28:07:843]: MainEngineThread is returning 1603<BR />MSI (s) (94:40) [23:28:07:859]: RESTART MANAGER: Session closed.<BR />MSI (s) (94:40) [23:28:07:859]: No System Restore sequence number for this installation.<BR />=== Logging stopped: 08/09/2021 23:28:07 ===<BR />MSI (s) (94:40) [23:28:07:859]: User policy value 'DisableRollback' is 0<BR />MSI (s) (94:40) [23:28:07:859]: Machine policy value 'DisableRollback' is 0<BR />MSI (s) (94:40) [23:28:07:859]: Incrementing counter to disable shutdown. 
Counter after increment: 0<BR />MSI (s) (94:40) [23:28:07:859]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2<BR />MSI (s) (94:40) [23:28:07:859]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2<BR />MSI (s) (94:40) [23:28:07:859]: Decrementing counter to disable shutdown. If counter &gt;= 0, shutdown will be denied. Counter after decrement: -1<BR />MSI (s) (94:40) [23:28:07:859]: Destroying RemoteAPI object.<BR />MSI (s) (94:6C) [23:28:07:859]: Custom Action Manager thread ending.<BR />MSI (c) (60:50) [23:28:07:859]: Decrementing counter to disable shutdown. If counter &gt;= 0, shutdown will be denied. Counter after decrement: -1<BR />MSI (c) (60:50) [23:28:07:859]: MainEngineThread is returning 1603<BR />=== Verbose logging stopped: 08/09/2021 23:28:07 ===</P><P>&nbsp;</P><P>The orther log file:</P><P>&nbsp;</P><P>[3258:2D00][2021-09-08T23:27:40]i001: Burn v3.11.2.4516, Windows v10.0 (Build 17763: Service Pack 0), path: C:\Windows\Temp\{42F423E1-CDD4-4552-92DF-000BA6FC3852}\.cr\Azure ATP Sensor Setup.exe<BR />[3258:2D00][2021-09-08T23:27:40]i000: Initializing hidden variable 'AccessKey'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Initializing hidden variable 'ProxyConfiguration'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Initializing hidden variable 'ProxyUserPassword'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'<BR />[3258:2D00][2021-09-08T23:27:40]i009: Command Line: '"-burn.clean.room=C:\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=740 -burn.filehandle.self=744'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Setting string variable 'WixBundleOriginalSourceFolder' to 
value 'C:\Azure ATP Sensor Setup\'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\ADMINI~1.GRE\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210908232740.log'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'<BR />[3258:2D00][2021-09-08T23:27:40]i000: Loading managed bootstrapper application.<BR />[3258:2D00][2021-09-08T23:27:40]i000: Creating BA thread to run asynchronously.<BR />[3258:2D54][2021-09-08T23:27:40]i000: 2021-09-08 16:27:40.8905 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetExportedTypes failed [\[]assembly=PInvoke.User32, Version=0.5.0.0, Culture=neutral, PublicKeyToken=9e300f9f87f04a7a exception.Message=Could not load file or assembly 'PInvoke.Windows.Core, Version=0.5.0.0, Culture=neutral, PublicKeyToken=9e300f9f87f04a7a' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:41]i000: 2021-09-08 16:27:41.0065 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Cloud.Common.ServiceModuleManager, Microsoft.Tri.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Cloud.Common.ServiceModuleManager, Microsoft.Tri.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. 
The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:41]i000: 2021-09-08 16:27:41.0912 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Infrastructure.ModuleManager, Microsoft.Tri.Infrastructure, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Infrastructure.ModuleManager, Microsoft.Tri.Infrastructure, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:41]i000: 2021-09-08 16:27:41.0912 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Sensor.Common.CommonSensorModuleManager, Microsoft.Tri.Sensor.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Sensor.Common.CommonSensorModuleManager, Microsoft.Tri.Sensor.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D00][2021-09-08T23:27:41]i100: Detect begin, 5 packages<BR />[3258:2D00][2021-09-08T23:27:41]i000: 2021-09-08 16:27:41.1224 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]<BR />[3258:2D00][2021-09-08T23:27:41]i000: Registry key not found. 
Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'<BR />[3258:2D00][2021-09-08T23:27:41]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0<BR />[3258:2D00][2021-09-08T23:27:41]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'<BR />[3258:2D00][2021-09-08T23:27:41]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0<BR />[3258:2D00][2021-09-08T23:27:41]i000: Setting string variable 'NetFrameworkRegistryValue' to value '461814'<BR />[3258:2D00][2021-09-08T23:27:41]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'<BR />[3258:2D00][2021-09-08T23:27:41]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'<BR />[3258:2D00][2021-09-08T23:27:41]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.<BR />[3258:2D00][2021-09-08T23:27:41]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.<BR />[3258:2D00][2021-09-08T23:27:41]i052: Condition 'NetFrameworkRegistryValue &gt;= 460798' evaluates to true.<BR />[3258:2D00][2021-09-08T23:27:41]i052: Condition 'NetFrameworkRegistryValue &gt;= 460798' evaluates to true.<BR />[3258:2D00][2021-09-08T23:27:41]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None<BR />[3258:2D00][2021-09-08T23:27:41]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None<BR />[3258:2D00][2021-09-08T23:27:41]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None<BR />[3258:2D00][2021-09-08T23:27:41]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None<BR />[3258:2D00][2021-09-08T23:27:41]i101: Detected package: MsiPackage, state: Absent, cached: None<BR />[3258:2D00][2021-09-08T23:27:41]i199: Detect complete, result: 
0x0<BR />[3258:2D54][2021-09-08T23:27:41]i000: 2021-09-08 16:27:41.1224 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]<BR />[3258:2D54][2021-09-08T23:27:41]i000: 2021-09-08 16:27:41.1915 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]<BR />[3258:2D54][2021-09-08T23:27:56]i000: 2021-09-08 16:27:56.3969 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetExportedTypes failed [\[]assembly=PInvoke.User32, Version=0.5.0.0, Culture=neutral, PublicKeyToken=9e300f9f87f04a7a exception.Message=Could not load file or assembly 'PInvoke.Windows.Core, Version=0.5.0.0, Culture=neutral, PublicKeyToken=9e300f9f87f04a7a' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:56]i000: 2021-09-08 16:27:56.4034 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetExportedTypes failed [\[]assembly=Microsoft.Owin, Version=4.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 exception.Message=Could not load file or assembly 'Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f0ebd12fd5e55cc5' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:56]i000: 2021-09-08 16:27:56.4191 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Cloud.Common.ServiceModuleManager, Microsoft.Tri.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Cloud.Common.ServiceModuleManager, Microsoft.Tri.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. 
The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:56]i000: 2021-09-08 16:27:56.5037 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Infrastructure.ModuleManager, Microsoft.Tri.Infrastructure, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Infrastructure.ModuleManager, Microsoft.Tri.Infrastructure, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:56]i000: 2021-09-08 16:27:56.5037 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Sensor.Common.CommonSensorModuleManager, Microsoft.Tri.Sensor.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Sensor.Common.CommonSensorModuleManager, Microsoft.Tri.Sensor.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. 
The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:56]i000: 2021-09-08 16:27:56.5194 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.CommonCommunication.ClientCertificateAuthenticationOptions, Microsoft.Tri.CommonCommunication, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.CommonCommunication.ClientCertificateAuthenticationOptions, Microsoft.Tri.CommonCommunication, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Microsoft.Owin.Security.Cookies, Version=4.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:57]i000: 2021-09-08 16:27:57.2903 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetExportedTypes failed [\[]assembly=PInvoke.User32, Version=0.5.0.0, Culture=neutral, PublicKeyToken=9e300f9f87f04a7a exception.Message=Could not load file or assembly 'PInvoke.Windows.Core, Version=0.5.0.0, Culture=neutral, PublicKeyToken=9e300f9f87f04a7a' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:57]i000: 2021-09-08 16:27:57.2923 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetExportedTypes failed [\[]assembly=Microsoft.Owin, Version=4.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 exception.Message=Could not load file or assembly 'Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f0ebd12fd5e55cc5' or one of its dependencies. 
The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:57]i000: 2021-09-08 16:27:57.3083 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Cloud.Common.ServiceModuleManager, Microsoft.Tri.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Cloud.Common.ServiceModuleManager, Microsoft.Tri.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:57]i000: 2021-09-08 16:27:57.3843 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Infrastructure.ModuleManager, Microsoft.Tri.Infrastructure, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Infrastructure.ModuleManager, Microsoft.Tri.Infrastructure, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. 
The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:57]i000: 2021-09-08 16:27:57.3903 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.Sensor.Common.CommonSensorModuleManager, Microsoft.Tri.Sensor.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.Sensor.Common.CommonSensorModuleManager, Microsoft.Tri.Sensor.Common, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Autofac, Version=4.9.2.0, Culture=neutral, PublicKeyToken=17863af14b0044da' or one of its dependencies. The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:57]i000: 2021-09-08 16:27:57.3943 Warn JsonSerializerSettingsExtension+JsonSerializationBinder UpdateCurrentDomainAssemblyTypes GetSerializableMembers failed [\[]AssemblyQualifiedName=Microsoft.Tri.CommonCommunication.ClientCertificateAuthenticationOptions, Microsoft.Tri.CommonCommunication, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null AssemblyQualifiedName=Microsoft.Tri.CommonCommunication.ClientCertificateAuthenticationOptions, Microsoft.Tri.CommonCommunication, Version=2.160.14446.3872, Culture=neutral, PublicKeyToken=null exception.Message=Could not load file or assembly 'Microsoft.Owin.Security.Cookies, Version=4.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. 
The system cannot find the file specified.[\]]<BR />[3258:2D54][2021-09-08T23:27:57]i000: 2021-09-08 16:27:57.7374 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]<BR />[3258:2D54][2021-09-08T23:27:57]i000: Setting string variable 'IsConfigured' to value 'True'<BR />[3258:2D54][2021-09-08T23:27:57]i000: Setting hidden variable 'AccessKey'<BR />[3258:2D54][2021-09-08T23:27:57]i000: Setting hidden variable 'ProxyConfiguration'<BR />[3258:2D54][2021-09-08T23:27:57]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'<BR />[3258:2D00][2021-09-08T23:27:57]i200: Plan begin, 5 packages, action: Install<BR />[3258:2D00][2021-09-08T23:27:57]i052: Condition 'VersionNT64 = v6.1' evaluates to false.<BR />[3258:2D00][2021-09-08T23:27:57]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package<BR />[3258:2D00][2021-09-08T23:27:57]i052: Condition 'VersionNT64 = v6.2' evaluates to false.<BR />[3258:2D00][2021-09-08T23:27:57]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package<BR />[3258:2D00][2021-09-08T23:27:57]i052: Condition 'ServerLevelsServerCoreRegistryValue &lt;&gt; 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.<BR />[3258:2D00][2021-09-08T23:27:57]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer<BR />[3258:2D00][2021-09-08T23:27:57]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue &lt;&gt; 1' evaluates to false.<BR />[3258:2D00][2021-09-08T23:27:57]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore<BR />[3258:2D00][2021-09-08T23:27:57]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Users\ADMINI~1.GRE\AppData\Local\Temp\Azure Advanced 
Threat Protection Sensor_20210908232740_000_MsiPackage_rollback.log'<BR />[3258:2D00][2021-09-08T23:27:57]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Users\ADMINI~1.GRE\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210908232740_000_MsiPackage.log'<BR />[3258:2D00][2021-09-08T23:27:57]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None<BR />[3258:2D00][2021-09-08T23:27:57]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None<BR />[3258:2D00][2021-09-08T23:27:57]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None<BR />[3258:2D00][2021-09-08T23:27:57]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None<BR />[3258:2D00][2021-09-08T23:27:57]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register<BR />[3258:2D00][2021-09-08T23:27:57]i299: Plan complete, result: 0x0<BR />[3258:2D00][2021-09-08T23:27:57]i300: Apply begin<BR />[3258:2D00][2021-09-08T23:27:57]i010: Launching elevated engine process.<BR />[3258:2D00][2021-09-08T23:27:58]i011: Launched elevated engine process.<BR />[3258:2D00][2021-09-08T23:27:58]i012: Connected to elevated engine.<BR />[3160:3648][2021-09-08T23:27:58]i358: Pausing automatic updates.<BR />[3160:3648][2021-09-08T23:27:58]i359: Paused automatic updates.<BR />[3160:3648][2021-09-08T23:27:58]i360: Creating a system restore point.<BR 
/>[3160:3648][2021-09-08T23:27:58]i362: System restore disabled, system restore point not created.<BR />[3160:3648][2021-09-08T23:27:58]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6c5fe9be-763e-4977-92d5-88c9c3b823c5}, options: 0x7, disable resume: No<BR />[3160:3648][2021-09-08T23:27:58]i000: Caching bundle from: 'C:\Windows\Temp\{B8D83596-2A70-4F3C-8FB8-792FB318C6C2}\.be\Azure ATP Sensor Setup.exe' to: 'C:\ProgramData\Package Cache\{6c5fe9be-763e-4977-92d5-88c9c3b823c5}\Azure ATP Sensor Setup.exe'<BR />[3160:3648][2021-09-08T23:27:58]i320: Registering bundle dependency provider: {6c5fe9be-763e-4977-92d5-88c9c3b823c5}, version: 2.0.0.0<BR />[3160:3648][2021-09-08T23:27:58]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6c5fe9be-763e-4977-92d5-88c9c3b823c5}, resume: Active, restart initiated: No, disable resume: No<BR />[3160:36E4][2021-09-08T23:27:58]i305: Verified acquired payload: MsiPackage at path: C:\ProgramData\Package Cache\.unverified\MsiPackage, moving to: C:\ProgramData\Package Cache\{61E851B5-79C3-44C6-9FCD-1AD4A73553F4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi.<BR />[3160:3648][2021-09-08T23:27:58]i323: Registering package dependency provider: {61E851B5-79C3-44C6-9FCD-1AD4A73553F4}, version: 2.0.0.0, package: MsiPackage<BR />[3160:3648][2021-09-08T23:27:58]i301: Applying execute package: MsiPackage, action: Install, path: C:\ProgramData\Package Cache\{61E851B5-79C3-44C6-9FCD-1AD4A73553F4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="C:\Azure ATP Sensor Setup\"'<BR />[3160:3648][2021-09-08T23:28:07]e000: Error 0x80070643: Failed to install MSI package.<BR />[3160:3648][2021-09-08T23:28:07]e000: Error 0x80070643: Failed 
to execute MSI package.<BR />[3258:2D00][2021-09-08T23:28:07]e000: Error 0x80070643: Failed to configure per-machine MSI package.<BR />[3258:2D00][2021-09-08T23:28:07]i000: 2021-09-08 16:28:07.8591 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]<BR />[3258:2D00][2021-09-08T23:28:07]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None<BR />[3258:2D00][2021-09-08T23:28:07]e000: Error 0x80070643: Failed to execute MSI package.<BR />[3160:3648][2021-09-08T23:28:07]i318: Skipped rollback of package: MsiPackage, action: Uninstall, already: Absent<BR />[3258:2D00][2021-09-08T23:28:07]i319: Applied rollback package: MsiPackage, result: 0x0, restart: None<BR />[3160:3648][2021-09-08T23:28:07]i329: Removed package dependency provider: {61E851B5-79C3-44C6-9FCD-1AD4A73553F4}, package: MsiPackage<BR />[3160:3648][2021-09-08T23:28:07]i351: Removing cached package: MsiPackage, from path: C:\ProgramData\Package Cache\{61E851B5-79C3-44C6-9FCD-1AD4A73553F4}v2.0.0.0\<BR />[3160:3648][2021-09-08T23:28:07]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6c5fe9be-763e-4977-92d5-88c9c3b823c5}, resume: None, restart: None, disable resume: No<BR />[3160:3648][2021-09-08T23:28:07]i330: Removed bundle dependency provider: {6c5fe9be-763e-4977-92d5-88c9c3b823c5}<BR />[3160:3648][2021-09-08T23:28:07]i352: Removing cached bundle: {6c5fe9be-763e-4977-92d5-88c9c3b823c5}, from path: C:\ProgramData\Package Cache\{6c5fe9be-763e-4977-92d5-88c9c3b823c5}\<BR />[3160:3648][2021-09-08T23:28:07]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6c5fe9be-763e-4977-92d5-88c9c3b823c5}, resume: None, restart initiated: No, disable resume: No<BR />[3258:2D00][2021-09-08T23:28:07]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart: No0902878278</P><P>&nbsp;</P><P>Can you help me this case?</P> Thu, 09 Sep 2021 
09:49:53 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-sensor-install-failing-error-code/m-p/2735650#M2481 DatTran 2021-09-09T09:49:53Z MDI to MCAS timed delay https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-to-mcas-timed-delay/m-p/2729731#M2477 <P>MDI is picking up changes in my domain rather quickly, as I expect.&nbsp; Why does it take MCAS so long to obtain this info? I am seeing missed alerts never coming or on a massive delay. I didn't think it was a literal 12-hour delay for each alert from MDI&gt;MCAS.&nbsp; Is there anything I can look at with troubleshooting?</P> Tue, 07 Sep 2021 18:00:44 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-to-mcas-timed-delay/m-p/2729731#M2477 michaelcrane 2021-09-07T18:00:44Z Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-tri-infrastructure-extendedexception/m-p/2723853#M2476 <P>Hello Team,</P><P>I am trying to install the sensor on my local on-premises DC and I get the error below. The Sensor status keeps changing from "Starting-Stopped". I don't have any trust in my environment. 
The Azure ATP service fails to start too.&nbsp;Error DirectoryServicesClient+&lt;CreateLdapConnectionAsync&gt;d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=ADC.Domain]<BR />at async Task&lt;LdapConnection&gt; Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)<BR />at async Task&lt;bool&gt; Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing)<BR />2021-09-06 07:32:53.0885 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers<BR />at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)</P> Mon, 06 Sep 2021 08:17:57 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-tri-infrastructure-extendedexception/m-p/2723853#M2476 prats005 2021-09-06T08:17:57Z Do Microsoft Defender for Identity SIEM logs conform to CEF format? 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/do-microsoft-defender-for-identity-siem-logs-conform-to-cef/m-p/2710769#M2472 <P>The <A href="#" target="_self">Microsoft Defender for Identity SIEM log reference</A>&nbsp;page says<STRONG> "Alerts and events are in the CEF format."</STRONG></P><P>&nbsp;</P><P>CEF spec Version 25 (I used one from that page:&nbsp;<A href="#" target="_blank" rel="noopener">https://community.microfocus.com/cyberres/productdocs/w/connector-documentation/38809/arcsight-common-event-format-cef-implementation-standard</A>) states that <STRONG>"The CEF:Version portion of the message is a mandatory header."</STRONG></P><P>&nbsp;</P><P>Examples for <A href="#" target="_self">Microsoft Defender for Identity SIEM logs</A>, however, seem to diverge from that.</P><P>&nbsp;</P><P>For instance, the example for "Account enumeration reconnaissance":</P><P class="lia-indent-padding-left-30px">02-21-2018 16:19:35 Auth.Warning 192.168.0.220 1 2018-02-21T14:19:27.540731+00:00 CENTER CEF 6076 AccountEnumerationSecurityAlert<STRONG> 0|Microsoft|</STRONG>Azure ATP|2.22.4228.22540|AccountEnumerationSecurityAlert|Reconnaissance using account enumeration|5|start=2018-02-21T14:19:02.6045416Z app=Kerberos shost=CLIENT1 suser=LMaldonado msg=Suspicious account enumeration activity using the Kerberos protocol, originating from CLIENT1, was observed and successfully guessed Lamon Maldonado (Software Engineer). 
externalId=2003 cs1Label=url cs1=<A href="#" target="_blank" rel="noopener">https://contoso-corp.atp.azure.com/securityAlert/eb6a35da-ff7f-4ab5-a1b5-a07529a89e6d</A> cs2Label=trigger cs2=new</P><P><BR />As can be seen above (ignoring the syslog header and ""), the CEF message starts with "0|Microsoft|" where 0 is presumably Version, but the "CEF:" part is omitted.</P><P>&nbsp;</P><P><STRONG>The question is:&nbsp;&nbsp;do Microsoft Defender for Identity SIEM logs actually conform to CEF format?</STRONG></P><P>&nbsp;</P><P>Also, I've found that examples on the other page -&nbsp;<A href="#" target="_self">ATA SIEM log reference</A>&nbsp;- contain the "CEF:0" part.</P><P>&nbsp;</P><P>Thank you!</P> Thu, 02 Sep 2021 09:55:08 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/do-microsoft-defender-for-identity-siem-logs-conform-to-cef/m-p/2710769#M2472 alexturkin 2021-09-02T09:55:08Z can you check for sensitive users or groups using logic apps? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/can-you-check-for-sensitive-users-or-groups-using-logic-apps/m-p/2700490#M2467 <P>Defender for Identity allows you to assign sensitive users and groups in the settings section.</P><P>Can you use Logic Apps to query this information?</P><P>e.g. 
use the graph api to query if a given user is sensitive.</P><P>Thanks.</P> Mon, 30 Aug 2021 22:17:04 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/can-you-check-for-sensitive-users-or-groups-using-logic-apps/m-p/2700490#M2467 bobsyouruncle 2021-08-30T22:17:04Z Sensor failing to install on all DCs https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/sensor-failing-to-install-on-all-dcs/m-p/2689577#M2463 <P>Has anyone seen any of these errors?&nbsp; Trying to install the sensor, but it is failing on both VMWare and HyperV DC.&nbsp; .NET 4.8 is installed and it doesn't matter if NPCap is installed or not.&nbsp; Traffic appears to be getting through the firewall.</P> <P>&nbsp;</P> <P>2021-08-26 18:53:48.8640 Error EventLogException Deployer failed [arguments=IwODjlqAqQaXxJYpF4fBCw==]<BR />System.Diagnostics.Eventing.Reader.EventLogInvalidDataException: The data is invalid<BR />at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)<BR />at void System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSaveChannelConfig(EventLogHandle channelConfig, int flags)<BR />at bool Microsoft.Tri.Sensor.Deployment.Deployer.ConfigureVirtualServiceAccountAction.ApplyInternal()<BR />at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)<BR />at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)<BR />at int Microsoft.Tri.Sensor.Deployment.Deployer.Program.Main(string[] commandLineArguments)</P> <P>&nbsp;</P> <P>[0F20:18C0][2021-08-26T11:53:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.<BR />[0F20:18C0][2021-08-26T11:53:50]i000: 2021-08-26 18:53:50.1290 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]</P> <P>&nbsp;</P> <P>MSI (s) (54:8C) [11:53:49:943]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. 
Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.</P> Thu, 26 Aug 2021 19:43:36 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/sensor-failing-to-install-on-all-dcs/m-p/2689577#M2463 LisaMelone 2021-08-26T19:43:36Z defender for identity sensor install https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-sensor-install/m-p/2680392#M2453 <P>In defender for Identity, do we need to install the agent on every Domain controller?&nbsp; Is this for redundancy?&nbsp; Documentation really does not say</P> Tue, 24 Aug 2021 18:28:32 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-sensor-install/m-p/2680392#M2453 seano2295 2021-08-24T18:28:32Z Microsoft Defender for Identity https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity/m-p/2673115#M2451 <P>Dears,</P><P>&nbsp;I need to know what is the best practice steps for Microsoft Defender for Identity?</P> Sun, 22 Aug 2021 13:51:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity/m-p/2673115#M2451 HeshamNouh 2021-08-22T13:51:09Z Sensitive entities https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/sensitive-entities/m-p/2650869#M2447 <P>Hi all</P><P>&nbsp;</P><P>I have been trying to trigger an event to determine whether the sensor is creating the alert I expect to see. To do this I added about 5 random accounts to my Domain Admins group (yes, this is test environment). I'm not seeing any alerts. 
I would expect this event to trigger the "Suspicious additions to sensitive groups" alert, but I get nothing.</P><P>&nbsp;</P><P>I've configured auditing per the guidance from Microsoft and I can see the Audit Event ID 4728 being generated in the Security log.</P><P>&nbsp;</P><P>Any thoughts on this? I am seeing other alerts, so I know the sensors are working generally.</P><P>&nbsp;</P><P>Thanks</P><P>Tony</P> Mon, 16 Aug 2021 03:54:51 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/sensitive-entities/m-p/2650869#M2447 murrato1 2021-08-16T03:54:51Z Lack of Events from DCs - Prevent Rules https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/lack-of-events-from-dcs-prevent-rules/m-p/2599592#M2439 <P><SPAN>A recent deployment of Sentinel has me scratching my head around Windows events originating from on-prem Domain Controllers protected with Microsoft Defender for Identity.&nbsp; We plugged in the Sentinel Data Connector to the MDI instance, and I would have hoped to have seen events get streamed over from MDI.&nbsp; This is required for a number of analytic rules, not to mention visibility within Sentinel for our Managed Security team (which does not have visibility into the client’s MDI instance).&nbsp; Is this not the case?&nbsp; Is there a way to get these events streamed over from MDI short of installing the Log Analytics Agent on top of the MDI sensor on the on-prem DCs?</SPAN></P> Mon, 02 Aug 2021 20:15:55 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/lack-of-events-from-dcs-prevent-rules/m-p/2599592#M2439 Dean Gross 2021-08-02T20:15:55Z DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/directoryservicesclient-createldapconnectionasync-failed-to/m-p/2595068#M2431 <P>I created a gMSA on one of the DCs because the ADFS server could not 
communicate to the DCs themselves and I figured a service account wasn't cutting it. Now I am getting an error saying<EM> "</EM><SPAN><EM>Directory services user credentials are incorrect"&nbsp; - "Credentials for the directory services user ######## are incorrect. Your MDI sensor(s) cannot connect to ######### and ######### without these credentials.</EM> <EM>The directory services user is required to perform LDAP queries against the domain controllers.</EM></SPAN></P><P><SPAN>Any ideas of where to start? I will also open a ticket. It just seems like ADFS has not been able to connect to the DCs even with the new gMSA.&nbsp;</SPAN></P> Thu, 29 Jul 2021 14:07:18 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/directoryservicesclient-createldapconnectionasync-failed-to/m-p/2595068#M2431 jwilliams1490 2021-07-29T14:07:18Z Effect of Disabling SMB from Advance Threat Analytic https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/effect-of-disabling-smb-from-advance-threat-analytic/m-p/2593240#M2427 <P>I want to disable SMB1 and need to know if it would affect the efficiency or operations of the ATA. 
I need a guide</P> Tue, 27 Jul 2021 21:24:24 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/effect-of-disabling-smb-from-advance-threat-analytic/m-p/2593240#M2427 Adike790 2021-07-27T21:24:24Z Microsoft Defender for Identity and Npcap https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity-and-npcap/m-p/2584151#M2426 <P>Hi everyone,</P> <P>Note that starting from MDI version 2.156, we are including the 1.0 OEM version of the Npcap executable in the Sensor deployment package file.</P> <P><A href="#" target="_blank">What's new in Microsoft Defender for Identity | Microsoft Docs</A></P> <P>So all you have to do is download the new package and extract the file from the ZIP archive.</P> <P>&nbsp;</P> <P>The Microsoft Defender for Identity team is currently recommending that all customers deploy the Npcap driver before deploying the sensor on a domain controller or AD FS server. This will ensure that Npcap driver will be used instead of the WinPcap driver.</P> <P>&nbsp;</P> <P>For more information on MDI and NPCAP, please refer to our <A href="#" target="_self">FAQ</A></P> <P>&nbsp;</P> Sun, 25 Jul 2021 08:06:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity-and-npcap/m-p/2584151#M2426 Or Tsemah 2021-07-25T08:06:00Z Npcap Driver Installation https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/npcap-driver-installation/m-p/2572266#M2421 <P>Planning on the first-time deployment of the latest version of Windows Defender for Identity (2.155) as of this writing.&nbsp;</P><P>&nbsp;</P><P>I see the Prerequisites list having to download the Npcap version 1.0 driver, however the npcap website has Npcap 1.50 available and I'm unable to locate the 1.0 version for download.&nbsp; Is Npcap 1.50 supported?</P> Wed, 21 Jul 2021 19:41:39 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/npcap-driver-installation/m-p/2572266#M2421 AzureGuineaPig 2021-07-21T19:41:39Z Security principal reconnaissance (LDAP) alert https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/security-principal-reconnaissance-ldap-alert/m-p/2568162#M2416 <P>I received this alert 2 hours after the alert was first seen. Why did it take two hours to send an alert?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Skipster3111_0-1626822618412.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297205i429CF476901E3B66/image-size/medium?v=v2&amp;px=400" role="button" title="Skipster3111_0-1626822618412.png" alt="Skipster3111_0-1626822618412.png" /></span></P><P>&nbsp;</P> Tue, 20 Jul 2021 23:10:50 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/security-principal-reconnaissance-ldap-alert/m-p/2568162#M2416 Skipster311-1 2021-07-20T23:10:50Z Using gMSA accounts in a multiforest environment with one way trusts https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/using-gmsa-accounts-in-a-multiforest-environment-with-one-way/m-p/2557390#M2414 <P>We have an environment set up with a Red Forest and 5 separate forests.&nbsp; Each has a one-way outgoing trust to the red forest.&nbsp; I have set up a gMSA account for the sensor for each forest, with all DCs in that forest being able to retrieve that forest's gMSA password.&nbsp; But I am receiving many errors across the environment about cross-forest DCs not being able to retrieve gMSA passwords from their adjacent forests.&nbsp; How would I resolve this?&nbsp; Do I need every forest to have a two-way trust to the Red forest and use the red forest gMSA for all sensors?&nbsp; I am missing something and don't know what it is.&nbsp;</P> Fri, 16 Jul 2021 19:33:13 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/using-gmsa-accounts-in-a-multiforest-environment-with-one-way/m-p/2557390#M2414 RussellReid 2021-07-16T19:33:13Z azure dns https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/azure-dns/m-p/2540332#M2411 <P><LI-USER uid="1045153"></LI-USER>&nbsp;@Sakariye2333</P> Mon, 12 Jul 2021 21:10:20 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/azure-dns/m-p/2540332#M2411 lajacelowga-samsung 2021-07-12T21:10:20Z Scheduled Reports https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/scheduled-reports/m-p/2538827#M2410 <P>Ever since 7/8/21, our scheduled daily emails that contain the link to download the reports have been erroring out with the message below:</P><P>&nbsp;</P><DIV class="row column"><STRONG>400</STRONG><SPAN>&nbsp;</SPAN>Bad Request</DIV><DIV class="row subject"><P class="text-subject">Sorry, we can't display the page you are looking for.</P><P>Invalid data found in the request received by the server.</P><P>A malformed redirect destination was detected.</P><P>&nbsp;</P><P>[image: haphanman_1-1626104312807.png]</P><P>&nbsp;</P><P>I even went and recreated the scheduled report, with no success.&nbsp;&nbsp;</P><P>&nbsp;</P><P>[image: haphanman_0-1626104291527.png]</P><P>&nbsp;</P></DIV> Mon, 12 Jul 2021 15:39:13 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/scheduled-reports/m-p/2538827#M2410 haphanman 2021-07-12T15:39:13Z Suspected Golden Ticket usage (nonexistent account) from Mac Machines (Monterey beta) https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/suspected-golden-ticket-usage-nonexistent-account-from-mac/m-p/2526367#M2409 <P>Recently we started seeing "<STRONG>Suspected Golden Ticket usage (nonexistent account)</STRONG>" alerts from Mac machines which are running on the&nbsp;<STRONG>Monterey beta</STRONG> version.&nbsp;</P><P>&nbsp;</P><P>Based on our investigation, this is getting triggered when a user tries to authenticate using Enterprise Connect on&nbsp;<STRONG>Monterey OS. </STRONG>Username: SOMEDOMAIN.COM\WELLKNOWN/ANONYMOUS@SOMEDOMAIN.COM</P><P>&nbsp;</P><P>Anyone else experiencing this?&nbsp;</P><P>&nbsp;</P> Thu, 08 Jul 2021 02:05:05 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/suspected-golden-ticket-usage-nonexistent-account-from-mac/m-p/2526367#M2409 ksathcse 2021-07-08T02:05:05Z Product feedback for Defender for Identity https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/product-feedback-for-defender-for-identity/m-p/2502515#M2405 <DIV class="lia-message-subject-wrapper lia-component-subject lia-component-message-view-widget-subject-with-options"><SPAN>Hi all,&nbsp;</SPAN><SPAN>We would love for you to share your thoughts, feedback, and experiences using Defender for Identity.</SPAN><SPAN>&nbsp;</SPAN></DIV> <DIV id="bodyDisplay" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>&nbsp;</P> <P data-unlink="true">You can share them on Gartner Peer Insights by 
using<SPAN>&nbsp;</SPAN><A href="#" target="_self" rel="nofollow noreferrer">this link</A>.&nbsp;<SPAN>Your review will help us get the word out and continue to improve our solution. If you're asked to create an account, please be aware that this is to ensure the legitimacy of the review, and Microsoft will not be given any information on the folks who've submitted reviews, positive or otherwise.&nbsp;</SPAN></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><SPAN>Defender for Identity doesn't have any reviews at the moment, so I'd love to see us populate this using the input from this community. I'm always impressed with the feedback we get through these channels. </SPAN></P> <P>&nbsp;</P> <P><SPAN>And if you have any questions or comments, let me know!</SPAN></P> </DIV> </DIV> Mon, 05 Jul 2021 14:50:36 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/product-feedback-for-defender-for-identity/m-p/2502515#M2405 Ricky Simpson 2021-07-05T14:50:36Z NNR When Coming through "NAT" https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/nnr-when-coming-through-quot-nat-quot/m-p/2486629#M2401 <P>Just wanted to see if there is any real solution or ideas on handling NNR when a workstation/client is behind a NAT.<BR /><BR />Workstations are remote but able to access Domain Controllers through a "proxy" and do not have an IP address on the local network, so none of the four Network Name Resolution methods will work. 
There is no way for direct outbound communication to reach workstations, and no IP address to resolve to a hostname with DNS.<BR /><BR /></P> Fri, 25 Jun 2021 18:43:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/nnr-when-coming-through-quot-nat-quot/m-p/2486629#M2401 archedmeerkat 2021-06-25T18:43:35Z MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-lab-question-issue-with-directory-service-enumeration-gmsa/m-p/2475504#M2396 <P>Hi,</P><P>&nbsp;</P><P>I set up my MDI lab with a Windows 2019 server, created a gMSA and installed the MDI sensor successfully.</P><P>In <A href="#" target="_blank" rel="noopener">Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs</A> I need to add the Defender for Identity service account to the SAM-R policy. In my case I added the gMSA, which I assume is correct.</P><P>I am now working my way through the lab playbooks (<A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/defender-for-identity/playbook-reconnaissance#directory-service-enumeration-via-net-from-victimpc</A>) and noticed that I get an&nbsp;</P><P>&nbsp;</P><LI-CODE lang="powershell">System Error 5 has occurred ... Access Denied</LI-CODE><P>&nbsp;</P><P>error when running the&nbsp;</P><P>&nbsp;</P><LI-CODE lang="powershell">net user /domain</LI-CODE><P>&nbsp;</P><P>command as user JeffL from VictimPC (Windows 10 1909). When I run the command as domain admin on that workstation it works and I see the proper output, which makes sense because the SAM-R policy says that only Domain Administrators and the gMSA are allowed.</P><P>&nbsp;</P><P>It looks to me that everything is set up how it should be and a non-domain admin is unable to run&nbsp;</P><P>&nbsp;</P><LI-CODE lang="powershell">net user /domain</LI-CODE><P>&nbsp;</P><P>on that workstation. 
I'd like to test MDI though and recreate the alerts by using the JeffL user. What am I doing wrong here?</P><P>&nbsp;</P><P>Thanks,</P><P>Andre</P><P>&nbsp;</P> Wed, 23 Jun 2021 14:42:07 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-lab-question-issue-with-directory-service-enumeration-gmsa/m-p/2475504#M2396 amueller-tf 2021-06-23T14:42:07Z Disconnected devices https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/disconnected-devices/m-p/2475413#M2394 <P><SPAN>My client is telling me that 2 of their DCs seem to have a recurring problem. When they look at the open health issues, a communications issue always seems to pop up after about 8 to 12 hours. These 2 controllers are the primary controllers for our plants in Mexico and Thailand, so they aren't going to sleep. When they remote into the server, the issue resolves. Any idea on what would cause this behavior?</SPAN></P> Wed, 23 Jun 2021 14:27:05 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/disconnected-devices/m-p/2475413#M2394 Dean Gross 2021-06-23T14:27:05Z List of events https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/list-of-events/m-p/2468458#M2390 <P>Hi all,&nbsp;</P><P>&nbsp;</P><P>Is there somewhere a list of events we need to audit on DCs for 100% ATA functionality?</P><P>Like Audit user logon/logoff, etc.</P> Tue, 22 Jun 2021 07:44:07 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/list-of-events/m-p/2468458#M2390 Marek Belan 2021-06-22T07:44:07Z Start having visibility for Service accounts with Microsoft Defender For Identity https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/start-having-visibility-for-service-accounts-with-microsoft/m-p/2465291#M2389 <P>Check out this blog by&nbsp;<SPAN><LI-USER uid="383364" login="DebugPrivilege"></LI-USER> about having visibility for Service accounts with Microsoft Defender For 
Identity</SPAN></P> <P><SPAN><A title="Having Visibility In Service Accounts With Defender For Identity" href="#" target="_blank" rel="noopener">https://m365internals.com/2021/03/27/start-having-visibility-in-service-accounts-with-defender-for-identity/</A>&nbsp;</SPAN></P> Sun, 20 Jun 2021 14:05:27 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/start-having-visibility-for-service-accounts-with-microsoft/m-p/2465291#M2389 Or Tsemah 2021-06-20T14:05:27Z What should I add in this "DNSHostName" parameter? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/what-should-i-add-in-this-quot-dnshostname-quot-parameter/m-p/2461111#M2387 <P>Hello everyone, this information has really exploded in my head because I don't understand how no one can be clear enough to explain what is going on here: <STRONG>DNSHostName</STRONG>.</P><P>I have an implementation with the sensor on a dedicated server, running port mirroring through Hyper-V. I did the test with an account and password and it worked, I would say 60%, since the alerts indicated that the sensor had limited information capture, something like that. 
Then for good practices and security it was recommended to use a gMSA.<BR />The issue is that I have already created about 5 different accounts and always get the same message from the portal:</P><P>&nbsp;</P><P><STRONG>Directory service user credentials are incorrect</STRONG></P><P>&nbsp;</P><P>The command I used:<BR />New-ADServiceAccount -<STRONG>Name</STRONG> &lt;assign_gMSA_name&gt; -<STRONG>DNSHostName</STRONG> &lt;?????????&gt; -<STRONG>PrincipalsAllowedToRetrieveManagedPassword</STRONG> &lt;security_group_name&gt;.</P><P><STRONG>Name</STRONG>: For example 'MDI-GMSA'.</P><P><BR /><STRONG>DNSHostname</STRONG>: I tried the FQDN of some DC, then the FQDN of the server with the dedicated sensor, and a random name, for example 'GMSA'.<BR /><STRONG>PrincipalsAllowedToRetrieveManagedPassword</STRONG>: I have a security group with all DCs.</P><P>Please help me to understand what my problem is and explain to me exactly what I should add here: '<STRONG>DNSHostname</STRONG>'.</P><P>&nbsp;</P><P>I appreciate it if you can help me, thank you.</P> Fri, 18 Jun 2021 00:12:04 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/what-should-i-add-in-this-quot-dnshostname-quot-parameter/m-p/2461111#M2387 Christopher Campos 2021-06-18T00:12:04Z Why does a DC still try to use an old gMSA that is no longer configured in the portal? 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/why-does-a-dc-still-tries-to-use-an-old-gmsa-that-is-no-longer/m-p/2452133#M2383 <P>Why does a DC still try to use an old gMSA that is no longer configured in the portal?</P><P>I initially used account GMSA2 and configured it in the portal, and a sensor was installed. Now I have added GMSA1 to the portal and removed GMSA2 from the portal.</P><P>It appears the DCs are using GMSA1 now and connect fine to the portal, but they still give the error about GMSA2.&nbsp; A few weeks have passed and the DC still keeps coming up with the error "An attempt to fetch the password of a group managed service account failed" for GMSA2.</P><P>Is GMSA2 cached or something? How do I stop this error from occurring?</P> Wed, 16 Jun 2021 05:20:10 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/why-does-a-dc-still-tries-to-use-an-old-gmsa-that-is-no-longer/m-p/2452133#M2383 aaaaaaaanonymous 2021-06-16T05:20:10Z MDI Sensor updates https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-sensor-updates/m-p/2419722#M2379 <P>Hi All,<BR />I had a couple of questions regarding the updates of MDI sensors:</P><UL><LI>In our environment, we have not enabled the DC and ADFS server restart option,<BR />and also not enabled any of the sensors' Automatic restart and Delayed update.<BR />We have some sensors with older versions and received alerts regarding the same,<BR />but even then our sensor status in the dashboard shows all up to date.</LI><LI>If we enable the Automatic restart and Delayed update for a specific<BR />sensor (without enabling the DC/ADFS server restart button),<BR />will it restart the whole DC/ADFS server during updates (major/minor),<BR />or will only the sensor service on that server get restarted and updated?</LI></UL><P>Thanks in advance</P> Sun, 06 Jun 2021 11:00:01 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-sensor-updates/m-p/2419722#M2379 Mazhar1675 2021-06-06T11:00:01Z Sensor question https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/sensore-question/m-p/2412786#M2377 Hi guys,<BR />Our domain has 5 domain controllers in a single forest across multiple sites, our AD is already synced with Azure, and we have also had Cloud App Security in place for some time.<BR />Now we want to set up Identity Defender.<BR />Our DCs, all except one RODC, are virtualized. Do we have to install the sensor on all of the DCs? And can we do it on the VM domain controllers? If we have to install the sensor on all DCs, can we use the same install file and code on them?<BR />Thanks Thu, 03 Jun 2021 15:12:41 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/sensore-question/m-p/2412786#M2377 mrshahin 2021-06-03T15:12:41Z Monitoring AAD Connect https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/monitoring-aad-connect/m-p/2398357#M2373 <P>Does MDI have any special functionality for monitoring AAD Connect servers?</P><P>Should MDI be installed on AAD Connect servers? If not, why not?</P> Sat, 29 May 2021 17:53:31 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/monitoring-aad-connect/m-p/2398357#M2373 Dean Gross 2021-05-29T17:53:31Z MDI installation error https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-installation-error/m-p/2391812#M2368 <P>Hi guys,</P> <P>I was trying to install the MDI Sensor on a Windows Server 2019 domain controller with version 1809. As prerequisites, I have done:</P> <P>1. Checked the network of the server with *.atp.portal.com</P> <P>2. Created a gMSA.</P> <P>3. Created a Directory service account with the gMSA in the Microsoft Defender for Identity cloud.</P> <P>&nbsp;</P> <P>But when I try to install the Sensor I get this error. 
I am new to this, so I request your help.</P> <P>&nbsp;</P> <P>[image: MDI.jpg]</P> <P>&nbsp;</P> <P>Thank you :)</P> <P>&nbsp;</P> Fri, 28 May 2021 04:13:45 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-installation-error/m-p/2391812#M2368 Prashant Dhewaju 2021-05-28T04:13:45Z Export of exclusion settings https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/export-of-exclusion-settings/m-p/2372411#M2362 <P><SPAN>Hello everybody</SPAN></P><P><SPAN>Is there a way to export the MDI exclusions on a regular basis (for example with PowerShell)? I would like to export the exclusions to document them. Several persons can make exclusions, and for traceability we would like to export the exclusions to JSON, CSV or whatever. 
</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Thank you.</SPAN></P> Thu, 20 May 2021 15:53:12 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/export-of-exclusion-settings/m-p/2372411#M2362 fankydotorg 2021-05-20T15:53:12Z MCAS Activity log: "back and forth" entries on changed properties https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mcas-activity-log-quot-back-and-forth-quot-entries-on-changed/m-p/2372247#M2360 <P>Hi everyone,</P><P>&nbsp;</P><P>In the&nbsp;MCAS Activity log we have many "back and forth" entries regarding the properties "<SPAN>Computer Operating System" &amp; "AccountSupportedEncryptionTypes": they change from N/A to a value, and 3 minutes later the property changes&nbsp;</SPAN>back from the value to N/A.</P><P>&nbsp;</P><P><U>Examples</U>:</P><P><SPAN>5/15/21 3:20 AM</SPAN></P><P><SPAN>property</SPAN><SPAN>:&nbsp;</SPAN><SPAN>Computer Operating System</SPAN><SPAN>&nbsp;</SPAN><SPAN>device&nbsp;<STRONG>AWxxxxx001</STRONG></SPAN><SPAN>&nbsp;</SPAN><SPAN>from property&nbsp;<STRONG>Windows Server 2019 Datacenter, 10.0 (17763)</STRONG></SPAN><SPAN>&nbsp;</SPAN><SPAN>to property&nbsp;<STRONG>N/A</STRONG></SPAN></P><P><SPAN>5/15/21 3:23 AM</SPAN></P><P><SPAN>property:&nbsp;Computer Operating System&nbsp;device&nbsp;<STRONG>AWxxxxx001</STRONG>&nbsp;from property&nbsp;<STRONG>N/A</STRONG>&nbsp;to property&nbsp;<STRONG>Windows Server 2019 Datacenter, 10.0 (17763)</STRONG></SPAN></P><P>&nbsp;</P><P><SPAN>5/15/21 3:20 AM</SPAN></P><P><SPAN>Set property</SPAN><SPAN>:&nbsp;</SPAN><SPAN>AccountSupportedEncryptionTypes</SPAN><SPAN>&nbsp;</SPAN><SPAN>device&nbsp;<STRONG>AWxxxxx001</STRONG></SPAN><SPAN>&nbsp;</SPAN><SPAN>from property&nbsp;<STRONG>Rc4,Aes128,Aes256</STRONG></SPAN><SPAN>&nbsp;</SPAN><SPAN>to property&nbsp;<STRONG>N/A</STRONG></SPAN></P><P><SPAN>5/15/21 3:23 AM</SPAN></P><P><SPAN>Set 
property</SPAN><SPAN>:&nbsp;</SPAN><SPAN>AccountSupportedEncryptionTypes</SPAN><SPAN>&nbsp;</SPAN><SPAN>device&nbsp;<STRONG>AWxxxxx001</STRONG></SPAN><SPAN>&nbsp;</SPAN><SPAN>from property&nbsp;<STRONG>N/A</STRONG></SPAN><SPAN>&nbsp;</SPAN><SPAN>to property&nbsp;<STRONG>Rc4,Aes128,Aes256</STRONG></SPAN></P><P><SPAN>5/15/21 3:24 AM</SPAN></P><P><SPAN>Set property:&nbsp;AccountSupportedEncryptionTypes&nbsp;device&nbsp;<STRONG>AWxxxxx001</STRONG>&nbsp;from property&nbsp;<STRONG>Rc4,Aes128,Aes256</STRONG>&nbsp;to property&nbsp;<STRONG>N/A</STRONG></SPAN></P><P><BR />I suppose these property changes are detected by MDI on the AD computer object's attributes.</P><P>&nbsp;</P><P>We have many similar cases; in this example the device is a Domain Controller, created one year ago.<BR />We do not touch the attributes msDS-SupportedEncryptionTypes,&nbsp;operatingSystem or&nbsp;operatingSystemVersion in AD.</P><P>&nbsp;</P><P>Any idea who detected these property changes (MDI?) and why?</P><P><BR />Best regards,<BR />Danny<BR /><BR /></P><P>[image: MDI_MCAS_Activity_log_set_property_back_and_forth.jpg]</P><P>&nbsp;</P><P>[image: MDI_MCAS_Activity_log_set_property_back_and_forth_2.jpg]</P> Thu, 20 May 2021 15:19:16 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mcas-activity-log-quot-back-and-forth-quot-entries-on-changed/m-p/2372247#M2360 DanPan 2021-05-20T15:19:16Z MCAS - Duplicate entries in Activity log https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mcas-duplicate-entries-in-activity-log/m-p/2372014#M2358 <P>Hi everyone,</P><P>&nbsp;</P><P>In the Cloud App Security Activity log we have many duplicated entries.</P><P>I suppose these entries are coming from MDI.</P><P>Are we the only ones facing this problem, and how can we fix it?</P><P>&nbsp;</P><P>Kind regards,</P><P>Danny</P><P>&nbsp;</P><P>[image: MDI_MCAS_activity_log_duplicate_entries.jpg]</P><P>&nbsp;</P> Thu, 20 May 2021 14:08:02 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mcas-duplicate-entries-in-activity-log/m-p/2372014#M2358 DanPan 2021-05-20T14:08:02Z Microsoft Defender for Identity native alert page in Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity-native-alert-page-in-microsoft/m-p/2354301#M2352 <P>Hi everyone,</P> <P>&nbsp;</P> <P>We posted a new blog around Defender for Identity alerting now being generally available in Microsoft 365 Defender. 
We posted this to the Microsoft 365 Defender blog space, so I wanted to bring attention to it here too.</P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-defender-for-identity-native-alert-page-in-microsoft/ba-p/2348443" target="_blank">Microsoft Defender for Identity native alert page in Microsoft 365 Defender - Microsoft Tech Community</A></P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P>Ricky</P> Fri, 14 May 2021 09:51:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity-native-alert-page-in-microsoft/m-p/2354301#M2352 Ricky Simpson 2021-05-14T09:51:00Z Bulk add devices in MDI exclusion lists https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/bulk-add-devices-in-mdi-exclusion-lists/m-p/2354092#M2351 <P>Hello everyone,</P><P>We are looking for a way to add our internal security scanners (several hundred) to MDI exclusion lists (for example <EM>Account Enumeration Reconnaissance</EM>).</P><P>&nbsp;</P><P>Several problems came up:</P><UL><LI><P>The interface does not seem to support bulk adding, which is not only a problem when adding hundreds of devices to one policy, but also when it comes to adding this list to several MDI policies.</P></LI><LI><P>One given device seems to match several objects (up to 5 duplicate entities).<BR />When trying to add a device to one policy's exclusion list (which would take some time to copy-paste one by one), I would actually have to add 1 to 5 entities so that the device is properly whitelisted.</P></LI></UL><P>&nbsp;</P><P>What would you recommend to fix/work around those problems?<BR />The best solution I can imagine would be to be able to create groups of devices (imported from a CSV file) that we could then attach to the exclusion lists of the needed policies.</P> Fri, 14 May 2021 08:50:45 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/bulk-add-devices-in-mdi-exclusion-lists/m-p/2354092#M2351 gfelter 2021-05-14T08:50:45Z Defender ATP doesn't remove old service account when switched to new account https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-atp-doesnt-remove-old-service-account-when-switched-te/m-p/2343351#M2343 <P>Good day all,</P><P>&nbsp;</P><P>Last week I wanted to set up a gMSA account instead of a user account for the ATP Defender for Identity service.<BR />I had a test account which I later changed to the new one.&nbsp;<BR />The new gMSA account works fine now.&nbsp;<BR />But the thing is:</P><P>I have removed the old testgmsa account, but the old account is somehow still being reported as having incorrect credentials. The issue keeps popping up in our portal.</P><P>[image: defenderatp.jpg]</P><P>Has anyone seen this behaviour? And is there a fix for this?</P> Tue, 11 May 2021 06:39:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-atp-doesnt-remove-old-service-account-when-switched-te/m-p/2343351#M2343 manuelll1310 2021-05-11T06:39:35Z Microsoft Defender for Identity and cloud based security https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity-and-cloud-based-security/m-p/2341713#M2340 <P>Hi everyone,</P> <P>&nbsp;</P> <P>I'm Ricky and I'm the Product Marketing Manager for Microsoft Defender for Identity. 
I was looking to start a discussion with the outstanding community we are fortunate to have here around a topic I've been tracking.&nbsp;</P> <P>&nbsp;</P> <P>I was looking for input around cloud-based security and the merits it provides, and how this stacks up against your views of how you've maybe tackled security updates in the past. Defender for Identity's capabilities are excellent because we offer cloud-based protection in an age of advanced threats being able to propagate throughout an environment very quickly.&nbsp;</P> <P>&nbsp;</P> <P>I'm looking to uncover your views on the process of connecting your DCs to the internet (via a highly configured one-way proxy, of course) to gain all the benefits that Defender for Identity offers. Specifically, I'd be interested to know whether it would be perceived as a bigger or smaller risk than not having Defender for Identity protection, and what you're doing to help protect your on-premises identities as is. If this is the case, how are you correlating this information with other data sources from security products?&nbsp;</P> <P>&nbsp;</P> <P>It would also be great to see any opinions on how updates are perceived. Do the benefits of having cloud-based servicing for Defender for Identity provide enough advantages in today's security landscape, as opposed to waiting for updates to land on Patch Tuesday, for example?</P> <P>&nbsp;</P> <P>Maybe you're already a Defender for Identity customer and you went through this risk analysis before you implemented the solution; it would be great to get your viewpoint too.&nbsp;</P> <P>&nbsp;</P> <P>There are no right or wrong answers here, and I just want to see a variety of opinions on the subject.&nbsp;</P> <P>&nbsp;</P> <P>Thanks for getting involved. 
It will be great to see some feedback on this!</P> <P>&nbsp;</P> <P>Ricky</P> Mon, 10 May 2021 16:35:08 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity-and-cloud-based-security/m-p/2341713#M2340 Ricky Simpson 2021-05-10T16:35:08Z Suspected Golden Ticket usage (encryption downgrade) https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/suspected-golden-ticket-usage-encryption-downgrade/m-p/2318045#M2333 <P>Hello Team,</P><P>&nbsp;</P><P>Has anyone observed the alert "Suspected Golden Ticket usage (encryption downgrade)"?</P><P>&nbsp;</P><P>The description says: 3 accounts&nbsp;used a weaker encryption method (RC4)&nbsp;in the Kerberos service request (TGS_REQ)&nbsp;from<SPAN>&nbsp;XXXServer&nbsp;</SPAN>to access<SPAN>&nbsp;</SPAN>krbtgt (KRBTGT).</P><P>I think that the weaker encryption method RC4 doesn't apply to Win2016 servers; also, do we need to check this on the domain controller or on the server?</P><P>Thanks in advance</P> Mon, 03 May 2021 16:42:52 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/suspected-golden-ticket-usage-encryption-downgrade/m-p/2318045#M2333 spartan007 2021-05-03T16:42:52Z ATP DFI CMD for gMSA account creation https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/atp-dfi-cmd-for-gmsa-account-creation/m-p/2296805#M2330 <P>Hi,</P><P>I would like to create a gMSA account for the ATP/DFI configuration.</P><P>&nbsp;</P><P>Shall I use the below cmd to create the gMSA account?</P><P>&nbsp;</P><LI-CODE lang="powershell">New-ADServiceAccount -Name MSA-atp -ManagedPasswordIntervalInDays 60 -SamAccountName MSA-atp -PrincipalsAllowedToRetrieveManagedPassword Group_MSA-atp</LI-CODE><P>&nbsp;</P><P>gMSA account name: MSA-atp (name and SAMAccountName are the same)</P><P>Group name: Group_MSA-atp 
(creating this group to add all writable and RODC domain controllers so they can retrieve the password).</P><P>&nbsp;</P><P>Or should I go with the below cmd:</P><P>&nbsp;</P><LI-CODE lang="powershell">New-ADServiceAccount -Name MSA-atp -ManagedPasswordIntervalInDays 60 -SamAccountName MSA-atp -PrincipalsAllowedToRetrieveManagedPassword DC01,DC02,DC03</LI-CODE><P>&nbsp;</P><P>If I use the above cmd, do I need to add all my 100 DCs like this?</P><P>&nbsp;</P> Tue, 27 Apr 2021 09:22:47 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/atp-dfi-cmd-for-gmsa-account-creation/m-p/2296805#M2330 pugazhendhi 2021-04-27T09:22:47Z Lab Help https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/lab-help/m-p/2281606#M2327 <P>Hi. Looking for some help to complete the lab.</P><P>&nbsp;</P><P>Currently I am attempting to log in to our AdminPC VM as SamiraA, who isn't a local Administrator for the step I'm at; however, we are unable to. For some reason users can only log in if they are local Administrators on the VMs. All VMs in use are connected to the AD.</P><P>&nbsp;</P><P>I also can't find the&nbsp;<STRONG>"Network access: Restrict clients allowed to make remote calls to SAM"&nbsp;</STRONG>policy in the AD. I've been in the menu where I was told it was located but it isn't there.</P><P>&nbsp;</P><P>Any help would be appreciated. Thanks.</P> Thu, 22 Apr 2021 15:19:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/lab-help/m-p/2281606#M2327 AlmightyDeku 2021-04-22T15:19:09Z MDI / RODC https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-rodc/m-p/2279786#M2325 <P>Hello,</P><P>&nbsp;</P><P>I have a question about RODCs. In my environment I have some RODCs, but MDI doesn't see them in the portal. Is that normal, 
or do I need to do some configuration on those RODCs?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Regards.</P> Wed, 21 Apr 2021 07:45:59 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-rodc/m-p/2279786#M2325 Nawel335 2021-04-21T07:45:59Z Dormant entities in sensitive groups https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/dormant-entities-in-sensitive-groups/m-p/2274353#M2323 <P>I noticed that MDI contains a report to identify dormant entities in Windows AD. How can we do the same thing for Azure AD?</P> Thu, 15 Apr 2021 12:21:58 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/dormant-entities-in-sensitive-groups/m-p/2274353#M2323 Dean Gross 2021-04-15T12:21:58Z Can't find this policy on my Domain Controller - hence I am unable to complete this Lab step: https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/can-t-find-this-policy-on-my-domain-controller-hence-i-am-unable/m-p/2253150#M2319 <P>[image: hungryarchitect_0-1617552269392.png]</P> <P>&nbsp;</P> Sun, 04 Apr 2021 16:05:10 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/can-t-find-this-policy-on-my-domain-controller-hence-i-am-unable/m-p/2253150#M2319 hungryarchitect 2021-04-04T16:05:10Z Maintenance Mode https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/maintenance-mode/m-p/2253132#M2317 <P>Is there a way to put alerts for Fire (or any other department) in "maintenance mode"? 
Departments can do this prior to starting RFCs or software maintenance and that way we don’t have to deal with false alerts.</P> Sun, 04 Apr 2021 15:41:45 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/maintenance-mode/m-p/2253132#M2317 hungryarchitect 2021-04-04T15:41:45Z How do I check location of failed logon due to wrong password? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/how-do-i-check-location-of-failed-logon-due-to-wrong-password/m-p/2244250#M2314 <P>Hi</P><P>&nbsp;</P><P>In Identity I don't seem to be able to see the location of a failed logon due to wrong password. For example, I have used a test account and inputted a wrong password until it has locked out. However, in Identity all I see is 'Account locked out'. There is no alert for failed logon due to bad password and it does not show me the computer account where the failed authentication occurred.</P><P>&nbsp;</P><P>E.g.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jonathanraddon_0-1617101551471.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/268215i789F5B3ACA4EF7EE/image-size/medium?v=v2&amp;px=400" role="button" title="jonathanraddon_0-1617101551471.png" alt="jonathanraddon_0-1617101551471.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks<BR />Jonny</P> Tue, 30 Mar 2021 10:52:56 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/how-do-i-check-location-of-failed-logon-due-to-wrong-password/m-p/2244250#M2314 jonathanraddon 2021-03-30T10:52:56Z LAPS - Splunk account reading ms-Mcs-AdmPwd https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/laps-splunk-account-reading-ms-mcs-admpwd/m-p/2242426#M2313 <P>Hi all,</P><P>&nbsp;</P><P>We have used LAPS for a few years, and recently we started using a logging service called Splunk, and as it turns out, this logging service account is reading 
the ms-Mcs-AdmPwd attribute in Active Directory and sending it in cleartext.</P><P>&nbsp;</P><P>The account we use that runs on the machines is a member of the "Administrators" but also the "Domain Admins" group on the machines via a GPO (the "Restricted groups" setting). However, I've removed the "All extended attributes" ACL on the Domain Admins group in our domain and I've also used "Find-AdmPwdExtendedRights" on our two OUs where we have computer objects with LAPS, and this doesn't show the account (or the "Domain Admins" group) any longer.</P><P>&nbsp;</P><P>What am I missing here? Is there an ACL I'm missing or am I thinking about this wrong? Any help or ideas would be appreciated.</P> Mon, 29 Mar 2021 12:38:40 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/laps-splunk-account-reading-ms-mcs-admpwd/m-p/2242426#M2313 JoniLjungqvist 2021-03-29T12:38:40Z Feature request: Low success rate of active name resolution - More options + insights plz! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/feature-request-low-success-rate-of-active-name-resolution-more/m-p/2235777#M2309 <P>Hi <LI-USER uid="663304" login="ll"></LI-USER>,</P><P>&nbsp;</P><P>I experience the spontaneous emergence of the above-mentioned health problem in several customer networks. These appear without any (conscious) change to the environment taking place.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jens_Mander_0-1616695809189.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/267119i74FC1F79708FB8D5/image-size/medium?v=v2&amp;px=400" role="button" title="Jens_Mander_0-1616695809189.png" alt="Jens_Mander_0-1616695809189.png" /></span></P><P>&nbsp;</P><P>With all the love for the product, I have understood the possible causes listed here, only analyzing these is very time-consuming and challenging. 
Yes, we opened support calls at Microsoft. Here we had a couple of Wireshark filters suggested to investigate the problems. Now we are not talking about small networks, but about worldwide installations with many DCs, even more servers and tons of clients. I have now burned so much time with packet sniffing, firewall log evaluations and analyses and would like to see better support in the product itself. E.g., a suitable log level for the sensors (without support tickets). Or clear information in the timeline of the MSDI Health Center!</P><P>&nbsp;</P><P>Please don't get me wrong, I really love MSDI and have been advising / recommending the product range for many years since ATA has been around.&nbsp;Together with my colleagues, I have supplied a large number of customers with the ATP / Defender product line and I am absolutely convinced of the added value and necessity of the products. Nevertheless, I find that the troubleshooting of NNR is disastrous.</P><P>&nbsp;</P><P>Cheers and tia,</P><P>Jens...</P><P>&nbsp;</P> Thu, 25 Mar 2021 18:18:03 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/feature-request-low-success-rate-of-active-name-resolution-more/m-p/2235777#M2309 Jens_Mander 2021-03-25T18:18:03Z Tag the AD FS as a sensitive https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/tag-the-ad-fs-as-a-sensitive/m-p/2235131#M2306 <P>Problem: my ADFS servers are not tagged as "sensitive", contrary to the announcement made in "Tag the AD FS as a sensitive entity further enhances protection" on&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/microsoft-defender-for-identity-expands-support-to-ad-fs-servers/ba-p/2058511" target="_blank" rel="noopener">https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/microsoft-defender-for-identity-expands-support-to-ad-fs-servers/ba-p/2058511</A></P><P>Any idea, 
why <SPAN>the AD FS servers in the Microsoft Defender for Identity portal are not automatically tagged as sensitive?</SPAN></P> Thu, 25 Mar 2021 14:11:23 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/tag-the-ad-fs-as-a-sensitive/m-p/2235131#M2306 AdrianDeller 2021-03-25T14:11:23Z Installing ATP Sensor on DC 2019 gives an 0x800070643 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/installing-atp-sensor-on-dc-2019-gives-an-0x800070643/m-p/2231461#M2290 <P>I have 2 Server 2019 DCs.</P><P>1 DC installed fine, the other gives an error on installation: 0x80070643</P><P>&nbsp;</P><P>no proxy</P><P>no core</P><P>Fully patched.</P><P>&nbsp;</P><P>[1FE0:10F4][2021-03-23T21:27:05]i001: Burn v3.11.2.4516, Windows v10.0 (Build 17763: Service Pack 0), path: C:\WINDOWS\Temp\{D6EA0EAB-9A71-43B8-BEE0-A4349FB8C26A}\.cr\Azure ATP Sensor Setup.exe<BR />[1FE0:10F4][2021-03-23T21:27:05]i000: Initializing hidden variable 'AccessKey'<BR />[1FE0:10F4][2021-03-23T21:27:05]i000: Initializing hidden variable 'ProxyConfiguration'<BR />[1FE0:10F4][2021-03-23T21:27:05]i000: Initializing hidden variable 'ProxyUserPassword'<BR />[1FE0:10F4][2021-03-23T21:27:05]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'<BR />[1FE0:10F4][2021-03-23T21:27:05]i009: Command Line: '"-burn.clean.room=C:\Users\Jean-Philippe_Breton\Downloads\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=704 -burn.filehandle.self=616'<BR />[1FE0:10F4][2021-03-23T21:27:05]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\Jean-Philippe_Breton\Downloads\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe'<BR />[1FE0:10F4][2021-03-23T21:27:05]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\Jean-Philippe_Breton\Downloads\Azure ATP Sensor Setup\'<BR />[1FE0:10F4][2021-03-23T21:27:06]i000: Setting string variable 'WixBundleLog' to value 
'C:\Users\JEAN-P~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210323212706.log'<BR />[1FE0:10F4][2021-03-23T21:27:07]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'<BR />[1FE0:10F4][2021-03-23T21:27:07]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'<BR />[1FE0:10F4][2021-03-23T21:27:13]i000: Loading managed bootstrapper application.<BR />[1FE0:10F4][2021-03-23T21:27:17]i000: Creating BA thread to run asynchronously.<BR />[1FE0:10F4][2021-03-23T21:27:24]i100: Detect begin, 5 packages<BR />[1FE0:10F4][2021-03-23T21:27:24]i000: 2021-03-24 01:27:24.8699 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]<BR />[1FE0:10F4][2021-03-23T21:27:25]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'<BR />[1FE0:10F4][2021-03-23T21:27:25]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0<BR />[1FE0:10F4][2021-03-23T21:27:25]i000: Registry key not found. 
Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'<BR />[1FE0:10F4][2021-03-23T21:27:25]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0<BR />[1FE0:10F4][2021-03-23T21:27:25]i000: Setting string variable 'NetFrameworkRegistryValue' to value '461814'<BR />[1FE0:10F4][2021-03-23T21:27:25]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'<BR />[1FE0:10F4][2021-03-23T21:27:25]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'<BR />[1FE0:10F4][2021-03-23T21:27:25]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.<BR />[1FE0:10F4][2021-03-23T21:27:25]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.<BR />[1FE0:10F4][2021-03-23T21:27:25]i052: Condition 'NetFrameworkRegistryValue &gt;= 460798' evaluates to true.<BR />[1FE0:10F4][2021-03-23T21:27:25]i052: Condition 'NetFrameworkRegistryValue &gt;= 460798' evaluates to true.<BR />[1FE0:10F4][2021-03-23T21:27:25]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None<BR />[1FE0:10F4][2021-03-23T21:27:25]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None<BR />[1FE0:10F4][2021-03-23T21:27:25]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: Complete<BR />[1FE0:10F4][2021-03-23T21:27:25]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: Complete<BR />[1FE0:10F4][2021-03-23T21:27:25]i101: Detected package: MsiPackage, state: Absent, cached: None<BR />[1FE0:10F4][2021-03-23T21:27:25]i199: Detect complete, result: 0x0<BR />[1FE0:1FF0][2021-03-23T21:27:25]i000: 2021-03-24 01:27:25.3699 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]<BR />[1FE0:1FF0][2021-03-23T21:27:26]i000: 2021-03-24 01:27:26.7917 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]<BR 
/>[1FE0:1FF0][2021-03-23T21:28:21]i000: 2021-03-24 01:28:21.2695 Warn JsonSerializerSettingsExtension+JsonSerializationBinder GetTypeFromName [\[]typeName=SensorInstallationConfiguration[\]]<BR />[1FE0:1FF0][2021-03-23T21:28:21]i000: 2021-03-24 01:28:21.6601 Warn JsonSerializerSettingsExtension+JsonSerializationBinder GetTypeFromName [\[]typeName=EndpointData[\]]<BR />[1FE0:1FF0][2021-03-23T21:28:25]i000: 2021-03-24 01:28:25.2767 Warn JsonSerializerSettingsExtension+JsonSerializationBinder GetTypeFromName [\[]typeName=ValidateCreateSensorResponse[\]]<BR />[1FE0:1FF0][2021-03-23T21:28:25]i000: 2021-03-24 01:28:25.4127 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]<BR />[1FE0:1FF0][2021-03-23T21:28:25]i000: Setting string variable 'IsConfigured' to value 'True'<BR />[1FE0:1FF0][2021-03-23T21:28:25]i000: Setting hidden variable 'AccessKey'<BR />[1FE0:1FF0][2021-03-23T21:28:25]i000: Setting hidden variable 'ProxyConfiguration'<BR />[1FE0:1FF0][2021-03-23T21:28:25]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'<BR />[1FE0:10F4][2021-03-23T21:28:25]i200: Plan begin, 5 packages, action: Install<BR />[1FE0:10F4][2021-03-23T21:28:25]i052: Condition 'VersionNT64 = v6.1' evaluates to false.<BR />[1FE0:10F4][2021-03-23T21:28:25]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package<BR />[1FE0:10F4][2021-03-23T21:28:25]i052: Condition 'VersionNT64 = v6.2' evaluates to false.<BR />[1FE0:10F4][2021-03-23T21:28:25]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package<BR />[1FE0:10F4][2021-03-23T21:28:25]i052: Condition 'ServerLevelsServerCoreRegistryValue &lt;&gt; 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.<BR />[1FE0:10F4][2021-03-23T21:28:25]w321: Skipping dependency registration on package with no dependency providers: 
NetFrameworkPackageServer<BR />[1FE0:10F4][2021-03-23T21:28:25]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue &lt;&gt; 1' evaluates to false.<BR />[1FE0:10F4][2021-03-23T21:28:25]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore<BR />[1FE0:10F4][2021-03-23T21:28:25]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Users\JEAN-P~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210323212706_000_MsiPackage_rollback.log'<BR />[1FE0:10F4][2021-03-23T21:28:25]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Users\JEAN-P~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210323212706_000_MsiPackage.log'<BR />[1FE0:10F4][2021-03-23T21:28:25]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None<BR />[1FE0:10F4][2021-03-23T21:28:25]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None<BR />[1FE0:10F4][2021-03-23T21:28:25]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None<BR />[1FE0:10F4][2021-03-23T21:28:25]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None<BR />[1FE0:10F4][2021-03-23T21:28:25]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register<BR />[1FE0:10F4][2021-03-23T21:28:25]i299: Plan complete, result: 0x0<BR 
/>[1FE0:10F4][2021-03-23T21:28:25]i300: Apply begin<BR />[1FE0:10F4][2021-03-23T21:28:25]i010: Launching elevated engine process.<BR />[1FE0:10F4][2021-03-23T21:28:27]i011: Launched elevated engine process.<BR />[1FE0:10F4][2021-03-23T21:28:27]i012: Connected to elevated engine.<BR />[1524:1788][2021-03-23T21:28:27]i358: Pausing automatic updates.<BR />[1524:1788][2021-03-23T21:28:27]i359: Paused automatic updates.<BR />[1524:1788][2021-03-23T21:28:27]i360: Creating a system restore point.<BR />[1524:1788][2021-03-23T21:28:27]i362: System restore disabled, system restore point not created.<BR />[1524:1788][2021-03-23T21:28:27]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}, options: 0x7, disable resume: No<BR />[1524:1788][2021-03-23T21:28:27]i000: Caching bundle from: 'C:\WINDOWS\Temp\{6DE9852F-8D93-493F-B36D-48CCE0C42AD0}\.be\Azure ATP Sensor Setup.exe' to: 'C:\ProgramData\Package Cache\{d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}\Azure ATP Sensor Setup.exe'<BR />[1524:1788][2021-03-23T21:28:27]i320: Registering bundle dependency provider: {d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}, version: 2.0.0.0<BR />[1524:1788][2021-03-23T21:28:27]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}, resume: Active, restart initiated: No, disable resume: No<BR />[1524:1ABC][2021-03-23T21:28:28]i305: Verified acquired payload: MsiPackage at path: C:\ProgramData\Package Cache\.unverified\MsiPackage, moving to: C:\ProgramData\Package Cache\{C5D46D5F-4BD9-4120-BE93-43672FC3C74F}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi.<BR />[1524:1788][2021-03-23T21:28:28]i323: Registering package dependency provider: {C5D46D5F-4BD9-4120-BE93-43672FC3C74F}, version: 2.0.0.0, package: MsiPackage<BR />[1524:1788][2021-03-23T21:28:28]i301: Applying execute package: MsiPackage, action: Install, path: C:\ProgramData\Package 
Cache\{C5D46D5F-4BD9-4120-BE93-43672FC3C74F}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="C:\Users\Jean-Philippe_Breton\Downloads\Azure ATP Sensor Setup\"'<BR />[1524:1788][2021-03-23T21:28:54]e000: Error 0x80070643: Failed to install MSI package.<BR />[1524:1788][2021-03-23T21:28:54]e000: Error 0x80070643: Failed to execute MSI package.<BR />[1FE0:10F4][2021-03-23T21:28:54]e000: Error 0x80070643: Failed to configure per-machine MSI package.<BR />[1FE0:10F4][2021-03-23T21:28:54]i000: 2021-03-24 01:28:54.3612 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]<BR />[1FE0:10F4][2021-03-23T21:28:54]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None<BR />[1FE0:10F4][2021-03-23T21:28:54]e000: Error 0x80070643: Failed to execute MSI package.<BR />[1524:1788][2021-03-23T21:28:54]i318: Skipped rollback of package: MsiPackage, action: Uninstall, already: Absent<BR />[1FE0:10F4][2021-03-23T21:28:54]i319: Applied rollback package: MsiPackage, result: 0x0, restart: None<BR />[1524:1788][2021-03-23T21:28:54]i329: Removed package dependency provider: {C5D46D5F-4BD9-4120-BE93-43672FC3C74F}, package: MsiPackage<BR />[1524:1788][2021-03-23T21:28:54]i351: Removing cached package: MsiPackage, from path: C:\ProgramData\Package Cache\{C5D46D5F-4BD9-4120-BE93-43672FC3C74F}v2.0.0.0\<BR />[1524:1788][2021-03-23T21:28:54]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}, resume: None, restart: None, disable resume: No<BR />[1524:1788][2021-03-23T21:28:54]i330: Removed bundle dependency provider: {d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}<BR />[1524:1788][2021-03-23T21:28:54]i352: Removing cached 
bundle: {d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}, from path: C:\ProgramData\Package Cache\{d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}\<BR />[1524:1788][2021-03-23T21:28:54]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}, resume: None, restart initiated: No, disable resume: No<BR />[1FE0:10F4][2021-03-23T21:28:54]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart: No<BR />[1FE0:1FF0][2021-03-23T21:34:20]i000: 2021-03-24 01:34:20.3723 Debug SensorBootstrapperApplication Run Engine.Quit [\[]deploymentResultStatus=-2147023293 isRestartRequired=False[\]]<BR />[1FE0:10F4][2021-03-23T21:34:20]i500: Shutting down, exit code: 0x80070643<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: AccessKey = *****<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: InstallationPath = C:\Program Files\Azure Advanced Threat Protection Sensor<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: IsConfigured = True<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: Kb4019990Windows2008R2Exists = 0<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: Kb4019990Windows2012Exists = 0<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: NetFrameworkRegistryValue = 461814<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: RebootPending = 0<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: ServerLevelsServerCoreRegistryValue = 1<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: ServerLevelsServerGuiShellRegistryValue = 1<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: VersionNT64 = 10.0.0.0<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleAction = 5<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleElevated = 1<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleLog = C:\Users\JEAN-P~1\AppData\Local\Temp\Azure Advanced Threat 
Protection Sensor_20210323212706.log<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleLog_MsiPackage = C:\Users\JEAN-P~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210323212706_000_MsiPackage.log<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleManufacturer = Microsoft Corporation<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleOriginalSource = C:\Users\Jean-Philippe_Breton\Downloads\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleOriginalSourceFolder = C:\Users\Jean-Philippe_Breton\Downloads\Azure ATP Sensor Setup\<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleProviderKey = {d3ac0943-d26a-4afb-acb0-a5d3b4f7bdc5}<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleRollbackLog_MsiPackage = C:\Users\JEAN-P~1\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20210323212706_000_MsiPackage_rollback.log<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleSourceProcessFolder = C:\Users\Jean-Philippe_Breton\Downloads\Azure ATP Sensor Setup\<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleSourceProcessPath = C:\Users\Jean-Philippe_Breton\Downloads\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleTag =<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleUILevel = 4<BR />[1FE0:10F4][2021-03-23T21:34:20]i410: Variable: WixBundleVersion = 2.0.0.0<BR />[1FE0:10F4][2021-03-23T21:34:20]i007: Exit code: 0x80070643, restarting: No</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 24 Mar 2021 01:47:47 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/installing-atp-sensor-on-dc-2019-gives-an-0x800070643/m-p/2231461#M2290 Jean-Philippe Breton 2021-03-24T01:47:47Z Guest User Access to an Identity portal 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/guest-user-access-to-an-identity-portal/m-p/2229327#M2287 <P>Hi,</P><P>&nbsp;</P><P>I have two dev tenants and am doing some proof of concept work on Defender for Identity.</P><P>&nbsp;</P><P>I have a guest user (from tenant 1) in tenant 2, and that user needs to be able to access the Identity portal for tenant 2.</P><P>&nbsp;</P><P>So I use the following URL -&nbsp;https://portal.atp.azure.com/?tid=&lt;tenant 2 id&gt;</P><P>&nbsp;</P><P>I select the guest user account and it states the user doesn't have the correct permissions.</P><P>&nbsp;</P><P>I have added that user to the newly created AAD group 'Azure ATP &lt;tenant id&gt; user'. Plus the user has 'Security Operator' and Azure Sentinel Responder on tenant 2.</P><P>&nbsp;</P><P>Is something else required to allow this guest user access?</P><P>&nbsp;</P><P>Any help would be much appreciated.</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Tim</P> Tue, 23 Mar 2021 09:09:50 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/guest-user-access-to-an-identity-portal/m-p/2229327#M2287 tipper1510 2021-03-23T09:09:50Z Cannot get ADFS ATP Sensor service to start https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/cannot-get-adfs-atp-sensor-service-to-start/m-p/2221111#M2278 <P>I have the sensors installed and working on both of my domain controllers (Server 2016); however, when I install the ADFS sensor on my ADFS server (also 2016) the service refuses to start. I get the following error. I have tried everything I can conceive, including deleting the instance and starting over, trying different accounts/credentials/formats (both the single label domain vs. the .com suffix format) to no avail. 
The error is as follows:</P><P>&nbsp;</P><P>2021-03-18 20:22:05.6369 Error DomainNetworkCredentialsManager Microsoft.Tri.Infrastructure.ExtendedException: DomainControllerDnsNames is empty or not configured<BR />at void Microsoft.Tri.Sensor.DomainNetworkCredentialsManager.UpdateConfigurations(ConfigurationCollection configurations)<BR />at Func&lt;Task&gt; Microsoft.Tri.Infrastructure.ActionExtension.ToAsyncFunction(Action action)+(TItem _) =&gt; { }<BR />at async Task Microsoft.Tri.Infrastructure.ConfigurationManager.RegisterConfigurationAsync(Func&lt;ConfigurationCollection, Task&gt; onConfigurationsUpdateAsync, Type[] configurationTypes)<BR />at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />at object lambda_method(Closure, object[])<BR />at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()<BR />at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)<BR />at new Microsoft.Tri.Sensor.SensorModuleManager()<BR />at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()<BR />at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()<BR />at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)</P><P>&nbsp;</P><P>Any help is greatly appreciated!</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 18 Mar 2021 21:03:31 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/cannot-get-adfs-atp-sensor-service-to-start/m-p/2221111#M2278 amayo21 2021-03-18T21:03:31Z NNR in a UNIX environment https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/nnr-in-a-unix-environment/m-p/2218288#M2273 <P>Hi, we’re having a DC which is getting isolated via its own AD subnet as it only serves our backup procedure rather than providing any other service to the domain. 
Because of the nature of the AD, there is still an A record for the domain pointing to this server, and some non-Windows devices reach it via round robin. These are mainly UNIX devices, because they don’t support the AD site concept. When looking at the NNR options, I do believe that the only supported option in an enterprise environment is DNS. This DC is constantly getting flagged that it is not able to resolve 90% of the hosts, as it can “only” resolve via DNS. Is there a way of handling this problem better or am I wrong with my interpretation of this health alert?</P><P>Thanks</P> Wed, 17 Mar 2021 21:11:48 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/nnr-in-a-unix-environment/m-p/2218288#M2273 Nonsaho 2021-03-17T21:11:48Z Best Practise around honeytoken accounts? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/best-practise-around-honeytoken-accounts/m-p/2217838#M2272 <P>I'm considering using honeytoken accounts with high privileges (in order to prevent the obvious lure); however, how can you prevent abuse as soon as an authentication is made with the account? 
What's the best practice here?</P><P>Ideally I would like the account to be disabled within seconds on all domain controllers.</P> Wed, 17 Mar 2021 18:01:02 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/best-practise-around-honeytoken-accounts/m-p/2217838#M2272 brlgen 2021-03-17T18:01:02Z Azure ATP Sensor Setup not launching https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/azure-atp-sensor-setup-not-launching/m-p/2216981#M2264 <P>Server 2019 CORE Domain Controller</P><P>Latest Cumulative Update available</P><P>Azure ATP Sensor Setup.exe version 2.0.0.0</P><P>I checked and the ntdsai.dll file is version 10.0.17763.1 (According to&nbsp;<A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/defender-for-identity/prerequisites</A>&nbsp;this seems to be correct "<SPAN>* Requires&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">KB4487044</A><SPAN>&nbsp;or newer cumulative update. Sensors installed on Server 2019 without this update will be automatically stopped if the file version of the&nbsp;</SPAN><EM>ntdsai.dll</EM><SPAN>&nbsp;file in the system directory is older than&nbsp;</SPAN><EM>10.0.17763.316</EM><SPAN>.")<BR /><BR />Originally I attempted to run with the CLI quiet install, proxyurl, and access key options on the command line but when I saw that nothing got installed, I tried JUST launching the sensor direct so I could see the GUI popup like it does with our 2016 servers, but nothing happened.&nbsp; The screen flashes and then it comes back.&nbsp; As nothing is installed, I don't see anything in the Program Files directories for logging purposes.&nbsp; I even checked my AppData folders and the Event logs but I don't see anything related to the attempted sensor install.</SPAN></P><P>&nbsp;</P><P><SPAN>I then attempted this on a second machine with the same specs and got the same result.</SPAN></P><P>&nbsp;</P><P><SPAN>So I tried to run msiexec to see if I could get some 
install logging and it said, "This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package." I guess that's because it's not an MSI? I was just grasping at straws at that point.<BR /><BR />I've also downloaded a fresh sensor .exe and .json from the site with the same results (just in case).<BR /><BR />Is there something obvious I'm missing here or should be trying? This didn't seem to happen on our 2016 DCs.</SPAN></P> Wed, 17 Mar 2021 12:46:58 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/azure-atp-sensor-setup-not-launching/m-p/2216981#M2264 I_tried 2021-03-17T12:46:58Z Error deploying MDI sensor https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/error-deploying-mdi-sensor/m-p/2213912#M2258 <P>Hi All,</P><P>&nbsp;</P><P>First time working with this functionality.</P><P>&nbsp;</P><P>I get the following error when trying to deploy the sensor onto a domain controller:</P><P>&nbsp;</P><P>2021-03-16 12:59:53.8664 Debug CreateCertificateAction Revert started<BR />2021-03-16 12:59:53.8664 Debug CreateCertificateAction Revert finished<BR />2021-03-16 12:59:53.8664 Debug InstallActionGroup Revert finished<BR />2021-03-16 12:59:53.9446 Error DnsName Deployer failed [arguments=0qX02CRDgX2zoOt1xmrJLQ==]<BR />Microsoft.Tri.Infrastructure.ExtendedException: Failed to parse DnsName</P><P>&nbsp;</P><P>Any help would be much appreciated...</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tim</P> Tue, 16 Mar 2021 13:17:58 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/error-deploying-mdi-sensor/m-p/2213912#M2258 tipper1510 2021-03-16T13:17:58Z Some Windows events are not being analyzed https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/some-windows-events-are-not-being-analyzed/m-p/2211230#M2255 <P>We are seeing the "Some Windows events are not being analyzed" health alert getting 
generated and auto-closed in our tenant. I would like to understand what the threshold is for Windows events passing a sensor. The Microsoft documentation available here (<A href="#" target="_blank">https://docs.microsoft.com/en-us/defender-for-identity/health-alerts#some-windows-events-are-not-being-analyzed</A>) does not provide a clue. Hoping to get an answer soon!&nbsp;<LI-USER uid="106935"></LI-USER>&nbsp;Any ideas are appreciated!</P> Mon, 15 Mar 2021 15:32:22 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/some-windows-events-are-not-being-analyzed/m-p/2211230#M2255 mesaqee 2021-03-15T15:32:22Z How is Microsoft Defender for Identity licenced if you are purchasing standalone licences? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/how-is-microsoft-defender-for-identity-licenced-if-you-are/m-p/2205046#M2252 <P>How is this product licenced if I am buying standalone licences at £4.20? We only have E3, so we will need to buy the licences individually, and the documentation does not make it clear how it is licensed outside of E5.&nbsp;</P><P>&nbsp;</P><P>Is this per user who is in the AD domain? Or per Domain Controller?</P><P>&nbsp;</P><P>Does it have to be installed on every Domain Controller in the domain?</P><P>&nbsp;</P><P>The documentation, from what I can see, does not seem to cover these points.</P> Fri, 12 Mar 2021 12:38:45 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/how-is-microsoft-defender-for-identity-licenced-if-you-are/m-p/2205046#M2252 Adam_Wilkinson195 2021-03-12T12:38:45Z Engine release notes? 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/engine-release-notes/m-p/2204661#M2246 <P>Hi,</P><P>I don't know if this is the right space to ask this question.<BR />I wanted to know, if possible, where I can view the change logs or release notes of the various versions of the Defender engine and also of the other main components.<BR />I searched the net, but it seems to me that there is no explanatory page; one is present only for definitions.</P><P>Thanks to all and best regards.</P><P>Fabio</P> Fri, 12 Mar 2021 08:46:13 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/engine-release-notes/m-p/2204661#M2246 Fabio_Danzetta 2021-03-12T08:46:13Z
Honeytoken accounts https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/honeyotoken-accounts/m-p/2199336#M2236 <P>Hello Everyone,</P><P>I'm trying to set up the Honeytoken part; for a production environment I need to set up 40 honeytoken accounts.</P><P>I was able to configure just 9 honeytoken accounts; the MDI Portal does not allow me to enter more than 9 accounts.</P><P>Can you please tell me what the problem is? How can I solve this problem?</P><P>Is there another possibility to configure the 31 other accounts?</P><P>Thanks,</P><P>Regards.</P> Wed, 10 Mar 2021 13:37:02 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/honeyotoken-accounts/m-p/2199336#M2236 Nawel335 2021-03-10T13:37:02Z
new feature - report that pulls all sensitive accounts https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/new-feature-report-that-pulls-all-sensitive-accounts/m-p/2196208#M2235 <P>Is it possible to add a new report for pulling all sensitive accounts with the reason for tagging them as sensitive? I think it may help us to spot some misconfigurations in our on-prem environment before any lateral movement path appears.</P> Tue, 09 Mar 2021 15:36:57 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/new-feature-report-that-pulls-all-sensitive-accounts/m-p/2196208#M2235 SebastianWolosz 2021-03-09T15:36:57Z
ATP/DFI The sensor failed to register due to connectivity issue https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/atp-dfi-the-sensor-failed-to-register-due-to-connectivity-issue/m-p/2186561#M2230 <P>I'm getting the following error while installing the agent on a DC.</P><P>* DC built with Server 2012 R2 Standard</P><P>* The DC is a virtual machine running on VMware.</P><P>* All certificates are in place</P><P>* Port 443 was opened to the cloud (*.atp.azure.com)</P><P>* Latest patches installed, latest .NET installed (4.7 and above).</P><P>at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)<BR />at Microsoft.Tri.Sensor.Deployment.Bundle.UI.DeploymentModel.&lt;ValidateCreateSensorAsync&gt;d__52.MoveNext() failed connecting to service. 
The issue can be caused by a transparent proxy configuration [WorkspaceApplicationSensorApiEndpoint=Unspecified/***sensorapi.atp.azure.com:443]<BR />[1C80:214C][2021-03-04T21:58:12]i000: 2021-03-04 21:58:12.6754 Info Model ValidateAsync ValidateCreateSensorAsync returned [validateCreateSensorResult=FailedConnectivity]<BR />[1C80:214C][2021-03-04T21:58:16]i000: 2021-03-04 21:58:16.8543 Debug SensorBootstrapperApplication Run Engine.Quit [deploymentResultStatus=1602 isRestartRequired=False]<BR />[1C80:08B8][2021-03-04T21:58:16]i500: Shutting down, exit code: 0x642<BR />[1C80:08B8][2021-03-04T21:58:16]i410: Variable: Kb4019990Windows2008R2Exists = 0<BR />[1C80:08B8][2021-03-04T21:58:16]i410: Variable: Kb4019990Windows2012Exists = 0<BR />[1C80:08B8][2021-03-04T21:58:16]i410: Variable: NetFrameworkCommandLineArguments = </P> Fri, 05 Mar 2021 00:40:59 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/atp-dfi-the-sensor-failed-to-register-due-to-connectivity-issue/m-p/2186561#M2230 pugazhendhi 2021-03-05T00:40:59Z
Microsoft Defender ATP : Web Protection https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-atp-web-protection/m-p/2168459#M2222 <P>We have created the Indicators with URLs which should alert us whenever users access the respective URLs.</P><P>We can see it in the "Observed in organization" section when any user hits the URL, but it is not coming in the alert section.</P><P><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258323i591AA09DF1E06A0E/image-size/medium?v=v2&amp;px=400" alt="PRAYA95_0-1614337403964.png" /></P><P>Note: Followed <A href="https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain</A> for configuring this feature.</P> Fri, 26 Feb 2021 11:03:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-atp-web-protection/m-p/2168459#M2222 PRAYA95 2021-02-26T11:03:35Z
Defender for Identity licensing https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-licensing/m-p/2165033#M2215 <P>Hi all, I'm not able to find an answer to this question for our customers: how many Defender for Identity licenses do we have to purchase, having 500 user accounts on-prem in Active Directory but just 300 user accounts synchronized with the Azure AD tenant?</P><P>Do we have to count just human user accounts for licensing, or also service accounts?</P><P>Regards</P> Thu, 25 Feb 2021 09:00:02 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-licensing/m-p/2165033#M2215 DavideB-IT 2021-02-25T09:00:02Z
MDI Sensor vs Standalone Sensor - Updated Guidance https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-sensor-vs-standalone-sensor-updated-guidance/m-p/2162889#M2212 <P>It appears that guidance on MDI Sensor vs Standalone Sensor has shifted towards discouraging standalone sensors altogether. Standalone is now lacking functionality, while all the older materials highlighting its benefits have been removed (e.g. higher stability/throughput; better security and separation of duties, especially when deployed as a member of a workgroup, etc.).</P><P>This begs the question: is Standalone on its way out? And what are the use cases you still believe it is best suited for?</P><P>Thank you!</P> Wed, 24 Feb 2021 19:51:26 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-sensor-vs-standalone-sensor-updated-guidance/m-p/2162889#M2212 MDIAdminMax 2021-02-24T19:51:26Z
List of sensors in MDI https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/list-of-sensors-in-mdi/m-p/2162349#M2210 Is there a programmatic way to query the list of deployed MDI sensors via API? Wed, 24 Feb 2021 12:42:49 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/list-of-sensors-in-mdi/m-p/2162349#M2210 Nonsaho 2021-02-24T12:42:49Z
Cloud App Security not showing all user IDs of gMSAs https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/cloud-app-security-not-showing-all-user-id-s-of-gmsa-s/m-p/2153934#M2198 <P>Hi,</P><P>I have a gMSA that is moving users in and out of AD security groups. I can see all the details in the MDI console if I search for the user ID or the AD group. I see log entries like:</P><P>gjkoster was added by gMSA-UserAdd</P><P>When I open the Cloud App Security console I see an entry like:</P><P>gjkoster was added to group XXXXX by n/a</P><P>So in the Cloud App Security console I cannot see who performed the action of adding user gjkoster to the specific AD group, while MDI has the info available. Why is that? If a 'normal' user adds someone, it does show.</P><P>Anyone any idea?</P><P>Regards,</P><P>Germen.</P> Sun, 21 Feb 2021 21:22:48 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/cloud-app-security-not-showing-all-user-id-s-of-gmsa-s/m-p/2153934#M2198 gjkoster 2021-02-21T21:22:48Z
SIEM / Defender for Identity integration https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/siem-defender-for-identity-integration/m-p/2142293#M2190 <P>Hello Everyone,</P><P>I am working on the possibility of integrating SIEM and Defender for Identity alerts. I know that there is a possibility to send the alerts from the Defender cloud to the Splunk SIEM by choosing a single sensor in the configuration that is in the MS documentation. I have some questions:</P><UL><LI>I would like to know if there is the possibility of configuring multiple sensors?</LI><LI>Is a single sensor sufficient to send all alerts, whether they are High, Medium or Low?</LI><LI>I would also like to know if there is a possibility to send the alerts of the Splunk SIEM to the Defender portal?</LI></UL><P>Thanks for your help.</P><P>Regards</P> Wed, 17 Feb 2021 09:24:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/siem-defender-for-identity-integration/m-p/2142293#M2190 Nawel335 
2021-02-17T09:24:00Z
DNS query response data https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/dns-query-response-data/m-p/2139295#M2189 <P>MDI sends DNS queries into MCAS now; I was wondering if there was a way to see the response provided back (IP address(es)) there as well.</P><P>Thanks in advance</P> Tue, 16 Feb 2021 14:02:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/dns-query-response-data/m-p/2139295#M2189 MarshMadness 2021-02-16T14:02:09Z
Microsoft Defender for Identity Deployment error code 0x80070643 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity-deployment-error-code-0x80070643/m-p/2135802#M2177 <P>2021-02-11 13:00:08.3038 Error CommunicationWebClient+&lt;SendWithRetryAsync&gt;d__9`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task&lt;HttpResponseMessage&gt; System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task&lt;HttpResponseMessage&gt; sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=wvUEyDo6UWSV/z8nHVf81w==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)<BR />at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: 
[Type=System.Net.Sockets.SocketExceptionMessage=ll/Fg5fciCSQFNLUP9GLlg==StackTrace= at void System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)<BR />at void System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)<BR />at WebExceptionStatus System.Net.ServicePoint.ConnectSocketInternal(bool connectFailure, Socket s4, Socket s6, ref Socket socket, ref IPAddress address, ConnectSocketState state, IAsyncResult asyncResult, out Exception exception)InnerException=]]]<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(IRequestWithResponse&lt;TResponse&gt; request)<BR />at TResult Microsoft.Tri.Infrastructure.TaskExtension.Await&lt;TResult&gt;(Task&lt;TResult&gt; task)<BR />at new Microsoft.Tri.Sensor.Common.CommonSensorModuleManager()<BR />at new Microsoft.Tri.Sensor.Updater.SensorUpdaterModuleManager()<BR />at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()<BR />at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()<BR />at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)<BR />2021-02-11 13:00:56.7383 Error CommunicationWebClient+&lt;SendWithRetryAsync&gt;d__9`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task&lt;HttpResponseMessage&gt; System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task&lt;HttpResponseMessage&gt; sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int 
count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=wvUEyDo6UWSV/z8nHVf81w==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)<BR />at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Sockets.SocketExceptionMessage=ll/Fg5fciCSQFNLUP9GLlg==StackTrace= at void System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)<BR />at void System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)<BR />at WebExceptionStatus System.Net.ServicePoint.ConnectSocketInternal(bool connectFailure, Socket s4, Socket s6, ref Socket socket, ref IPAddress address, ConnectSocketState state, IAsyncResult asyncResult, out Exception exception)InnerException=]]]<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(IRequestWithResponse&lt;TResponse&gt; request)<BR />at TResult Microsoft.Tri.Infrastructure.TaskExtension.Await&lt;TResult&gt;(Task&lt;TResult&gt; task)<BR />at new Microsoft.Tri.Sensor.Common.CommonSensorModuleManager()<BR />at new Microsoft.Tri.Sensor.Updater.SensorUpdaterModuleManager()<BR />at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()<BR />at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()<BR />at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />at void 
Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)<BR />2021-02-11 13:01:45.5310 Error CommunicationWebClient+&lt;SendWithRetryAsync&gt;d__9`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task&lt;HttpResponseMessage&gt; System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task&lt;HttpResponseMessage&gt; sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=wvUEyDo6UWSV/z8nHVf81w==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)<BR />at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Sockets.SocketExceptionMessage=ll/Fg5fciCSQFNLUP9GLlg==StackTrace= at void System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)<BR />at void System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)<BR />at WebExceptionStatus System.Net.ServicePoint.ConnectSocketInternal(bool connectFailure, Socket s4, Socket s6, ref Socket socket, ref IPAddress address, ConnectSocketState state, IAsyncResult asyncResult, out Exception exception)InnerException=]]]<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; 
Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(IRequestWithResponse&lt;TResponse&gt; request)<BR />at TResult Microsoft.Tri.Infrastructure.TaskExtension.Await&lt;TResult&gt;(Task&lt;TResult&gt; task)<BR />at new Microsoft.Tri.Sensor.Common.CommonSensorModuleManager()<BR />at new Microsoft.Tri.Sensor.Updater.SensorUpdaterModuleManager()<BR />at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()<BR />at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()<BR />at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)<BR />2021-02-11 13:02:33.9485 Error CommunicationWebClient+&lt;SendWithRetryAsync&gt;d__9`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task&lt;HttpResponseMessage&gt; System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task&lt;HttpResponseMessage&gt; sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=wvUEyDo6UWSV/z8nHVf81w==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)<BR />at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: 
[Type=System.Net.Sockets.SocketExceptionMessage=ll/Fg5fciCSQFNLUP9GLlg==StackTrace= at void System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)<BR />at void System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)<BR />at WebExceptionStatus System.Net.ServicePoint.ConnectSocketInternal(bool connectFailure, Socket s4, Socket s6, ref Socket socket, ref IPAddress address, ConnectSocketState state, IAsyncResult asyncResult, out Exception exception)InnerException=]]]<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(IRequestWithResponse&lt;TResponse&gt; request)<BR />at TResult Microsoft.Tri.Infrastructure.TaskExtension.Await&lt;TResult&gt;(Task&lt;TResult&gt; task)<BR />at new Microsoft.Tri.Sensor.Common.CommonSensorModuleManager()<BR />at new Microsoft.Tri.Sensor.Updater.SensorUpdaterModuleManager()<BR />at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()<BR />at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()<BR />at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)<BR />2021-02-11 13:03:22.8064 Error CommunicationWebClient+&lt;SendWithRetryAsync&gt;d__9`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task&lt;HttpResponseMessage&gt; System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task&lt;HttpResponseMessage&gt; sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int 
count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=wvUEyDo6UWSV/z8nHVf81w==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)<BR />at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Sockets.SocketExceptionMessage=ll/Fg5fciCSQFNLUP9GLlg==StackTrace= at void System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)<BR />at void System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)<BR />at WebExceptionStatus System.Net.ServicePoint.ConnectSocketInternal(bool connectFailure, Socket s4, Socket s6, ref Socket socket, ref IPAddress address, ConnectSocketState state, IAsyncResult asyncResult, out Exception exception)InnerException=]]]<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(IRequestWithResponse&lt;TResponse&gt; request)<BR />at TResult Microsoft.Tri.Infrastructure.TaskExtension.Await&lt;TResult&gt;(Task&lt;TResult&gt; task)<BR />at new Microsoft.Tri.Sensor.Common.CommonSensorModuleManager()<BR />at new Microsoft.Tri.Sensor.Updater.SensorUpdaterModuleManager()<BR />at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()<BR />at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()<BR />at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />at void 
Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)<BR />2021-02-11 13:04:11.3188 Error CommunicationWebClient+&lt;SendWithRetryAsync&gt;d__9`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task&lt;HttpResponseMessage&gt; System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task&lt;HttpResponseMessage&gt; sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=wvUEyDo6UWSV/z8nHVf81w==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)<BR />at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Sockets.SocketExceptionMessage=ll/Fg5fciCSQFNLUP9GLlg==StackTrace= at void System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)<BR />at void System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)<BR />at WebExceptionStatus System.Net.ServicePoint.ConnectSocketInternal(bool connectFailure, Socket s4, Socket s6, ref Socket socket, ref IPAddress address, ConnectSocketState state, IAsyncResult asyncResult, out Exception exception)InnerException=]]]<BR />at async Task&lt;TResponse&gt; Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendWithRetryAsync&lt;TResponse&gt;(byte[] requestBytes, int offset, int count)<BR />at async Task&lt;TResponse&gt; 
Microsoft.Tri.CommonCommunication.CommunicationWebClient.SendAsync&lt;TResponse&gt;(IRequestWithResponse&lt;TResponse&gt; request)<BR />at TResult Microsoft.Tri.Infrastructure.TaskExtension.Await&lt;TResult&gt;(Task&lt;TResult&gt; task)<BR />at new Microsoft.Tri.Sensor.Common.CommonSensorModuleManager()<BR />at new Microsoft.Tri.Sensor.Updater.SensorUpdaterModuleManager()<BR />at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager()<BR />at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()<BR />at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)<BR />at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)</P> Mon, 15 Feb 2021 10:14:25 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/microsoft-defender-for-identity-deployment-error-code-0x80070643/m-p/2135802#M2177 hemdan875 2021-02-15T10:14:25Z Test connection to MDI endpoints through Squid proxy https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/test-connection-to-mdi-endpoints-through-squid-proxy/m-p/2127641#M2172 <P>Hi, before doing MDI sensors installation I want to be sure DCs can reach MDI endpoints <EM><STRONG>through Squid proxy</STRONG></EM> we have in our forest - how can I test that connectivity works 100%? That proxy will be specified as switch of silent installation.<BR /><BR />Thank you in advance.</P> Fri, 12 Feb 2021 11:15:15 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/test-connection-to-mdi-endpoints-through-squid-proxy/m-p/2127641#M2172 BojanZ 2021-02-12T11:15:15Z exclude users from Suspected brute-force attack (Kerberos, NTLM) https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/exclude-users-from-suspected-brute-force-attack-kerberos-ntlm/m-p/2119987#M2167 <P><SPAN>Dear community,</SPAN></P><P>&nbsp;</P><P><SPAN>within our environment&nbsp;we use group mailboxes for a lot of teams. 
the problem is that we get a lot of false positive alerts in Microsoft defender for identity and Cloud app security (monitoring tool). this happens because users can just click close on the prompt and still receive&nbsp;the mails in the mailbox. (the group mailboxes are disabled accounts)</SPAN></P><P>&nbsp;</P><P><SPAN>I have seen that we can exclude computers&nbsp;and IP's but not the users, and the users is what we need.&nbsp;</SPAN></P><P><SPAN>policy name:&nbsp;Suspected brute-force attack (Kerberos, NTLM)</SPAN></P><P>&nbsp;</P><P><SPAN>Does anybody have some idea's or solutions?</SPAN></P><P>&nbsp;</P><P>Kind regards,</P><P>Jeroen Borger</P> Wed, 10 Feb 2021 10:15:53 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/exclude-users-from-suspected-brute-force-attack-kerberos-ntlm/m-p/2119987#M2167 Jeroen_Borger 2021-02-10T10:15:53Z Do I need to host Azure ATP (Defender for Identity) in my own servers? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/do-i-need-to-host-azure-atp-defender-for-identity-in-my-own/m-p/2114834#M2160 <P>Hi all,</P><P>&nbsp;</P><P>Our organization has planned to move away from Microsoft ATA (Advanced Threat Analytics) to Azure ATP (Defender for Identity).</P><P>&nbsp;</P><P>Right now, we are hosting the Microsoft ATA consoles in cloud instances (AWS, GCP, and on-prem).</P><P>&nbsp;</P><P>If we make the switch to Azure ATP, will we need to retain these servers so we can install Azure ATP on them?</P><P>&nbsp;</P><P>Or is the case that Azure ATP is a SaaS product that is hosted and managed by Microsoft (and we do not have to worry about spinning up and maintaining Windows Servers).</P><P>&nbsp;</P><P>Can someone please provide some clarity?</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P><P>Best,</P><P>Sal</P> Thu, 04 Feb 2021 23:24:43 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/do-i-need-to-host-azure-atp-defender-for-identity-in-my-own/m-p/2114834#M2160 Sal_Mirza 2021-02-04T23:24:43Z
Issues with Network Name Resolution https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/issues-with-network-name-resolution/m-p/2114695#M2157 <P>Following a request to disable RDP for NNR, MS Support states that telemetry data for our MDI deployment shows failure rates of 45% for RDP and 77% for NetBIOS. I do not have any health alerts for low name resolution at this point, and support did not indicate there was an issue, but they recommend NOT disabling RDP as an option.</P><P>This does not make sense, as RDP is certainly more restricted in our environment and thus should show more failures. Failures could occur due to devices being off/asleep, or not on the network/VPN where rules don't allow for specific communication (RDP, for example). In these WFH times, this condition has to be more widespread/commonplace.</P><P>A few clarification questions would be helpful to troubleshoot this condition, if not closed due to secret sauce concerns:</P><UL><LI>What is the timing (business hours vs all hours) and frequency of these NNR requests?</LI><LI>Is there an order of preference for the 3 methods from a system use perspective (not a degree of certainty), or are they all used all the time? If not, randomly?</LI><LI>How impactful is the DNS service update config (cycle of 1 hour vs 2, etc.)?</LI><LI>Any undocumented plans for changes or alternatives/provisions to NetBIOS, RDP or RPC? Use of MDE or Intune, etc.</LI><LI>Does this process resolve IP to name or name to IP, or both?</LI></UL><P>Thanks in advance</P> Thu, 04 Feb 2021 21:37:41 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/issues-with-network-name-resolution/m-p/2114695#M2157 MarshMadness 2021-02-04T21:37:41Z
Needs Ports MDI https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/needs-ports-mdi/m-p/2113737#M2153 <P>Hello Everyone,</P><P>I'm working on the Microsoft Defender for Identity topic; I am at the port-opening part. Can you please tell me what the need is to open port 444? For updates, are there no automatic updates without opening this port?<BR />Thank you</P> Thu, 04 Feb 2021 09:58:53 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/needs-ports-mdi/m-p/2113737#M2153 Nawel335 2021-02-04T09:58:53Z
DNS only NNR Impacts in MDI https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/dns-only-nrr-impacts-in-mdi/m-p/2111647#M2145 <P>What is the impact of failed NNR as it pertains to network devices that cannot/will not respond over the 3 primary discovery methods in MDI? We have a number of devices (e.g. enterprise firewalls) that will not respond to RPC over NTLM, NetBIOS or RDP. Presuming it then relies on static DNS entries (subject to their accuracy, of course) to resolve the name to IP, does this impact the confidence/certainty level in any way, and subsequent alerting?</P><P>Thanks in advance...</P> Tue, 02 Feb 2021 19:30:11 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/dns-only-nrr-impacts-in-mdi/m-p/2111647#M2145 MarshMadness 2021-02-02T19:30:11Z
Is RDP for NNR from MDI Sensors necessary?
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/is-rdp-for-nnr-from-mdi-sensors-necessary/m-p/2111371#M2143 <P>I am looking to see how important it is for use of RDP for NNR specific to MDI.&nbsp; After looking at the posts here and MS documentation, it suggests that all 3 (NTLM over RPC, NetBIOS and RDP) methods should be allowed to all endpoints.&nbsp; We do have many systems behind FW's that do not allow this protocol.&nbsp; I also see that there is an option to disable an optional NNR method in Defender for Identity to fit the needs of your environment (support ticket required.)</P><P>&nbsp;</P><P>My question is what is the impact (what am I losing) if I disable the RDP methodology assuming the other 2 are functioning as expected.</P><P>&nbsp;</P><P>Thanks in advance for your consideration.</P> Tue, 02 Feb 2021 16:18:47 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/is-rdp-for-nnr-from-mdi-sensors-necessary/m-p/2111371#M2143 MarshMadness 2021-02-02T16:18:47Z Defender for Identity - Licensing https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-licensing/m-p/2109842#M2139 <P>Hi all,</P><P>We have a customer who has stand-alone DFI licenses. I can't find anywhere how to deploy these to on-prem users. From my perspective this should be done in AAD if I am correct. Is there any information regarding that? 
Thank you!</P> Mon, 01 Feb 2021 11:43:06 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/defender-for-identity-licensing/m-p/2109842#M2139 KerimTupkovic 2021-02-01T11:43:06Z query defender for identity logs https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/query-defender-for-identity-logs/m-p/2109803#M2138 <P>hi - how can i query using either sentinel or kql the data witin defender for identity.&nbsp; i want to do some analysis on our service accounts and the data will help with this.&nbsp; thanks</P> Mon, 01 Feb 2021 10:51:52 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/query-defender-for-identity-logs/m-p/2109803#M2138 Sanjit Hayer 2021-02-01T10:51:52Z Azure ATP sensor app refusing to start up on server 2019 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/azure-atp-sensor-app-refusing-to-start-up-on-server-2019/m-p/2109440#M2132 <P>Hi, I have just finished setting up the azure ATP and have downloaded the sensor app onto the server. However, the service is trying to start up but terminates unexpectedly. 
I get an error 7031.</P><P>&nbsp;</P><P>the entry on the log says:</P><P>&nbsp;</P><P>The Azure Advanced Threat Protection Sensor service terminated unexpectedly.<SPAN class="Apple-converted-space">&nbsp; </SPAN>It has done this 9916 time(s).<SPAN class="Apple-converted-space">&nbsp; </SPAN>The following corrective action will be taken in 5000 milliseconds: Restart the service.</P> Sun, 31 Jan 2021 20:04:55 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/azure-atp-sensor-app-refusing-to-start-up-on-server-2019/m-p/2109440#M2132 scuttbeaumontcouk 2021-01-31T20:04:55Z Low success rate of active name resolution https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/low-success-rate-of-active-name-resolution/m-p/2097609#M2117 <P>New install of Azure ATP Sensor on Domain Controller getting warning "Low success rate of active name resolution".</P><P>&nbsp;</P><P>Corp-DC1, failed more than 90% of the time when doing active resolution using NetBIOS,&nbsp;NetworkNameResolverMethodRdpTlsName, RPC over NTLM and reverse DNS. It might affect detections capabilities and increase amount of FPs.</P><P>Recommendations</P><P>Check that the sensor can reach the DNS server and that Reverse Lookup Zones are enabled.<BR />Check that Port 137 is open for inbound communication from MDI sensors, on all computers in the environment.<BR />Check that Port 135 is open for inbound communication from MDI sensors, on all computers in the environment.<BR />Check all network configuration (firewalls), as these could prevent communication to the relevant ports.</P><P>&nbsp;</P><P>Need assistance interpreting or getting more information about this error. Domain controller is Server 2019 serving several sites/subnets. 
All other services work fine, we see no error messages in DNS Server or DNS client.</P><P>&nbsp;</P> Tue, 26 Jan 2021 11:30:39 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/low-success-rate-of-active-name-resolution/m-p/2097609#M2117 RNalivaika 2021-01-26T11:30:39Z Directory Services Credentials https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/directory-services-credentials/m-p/2093816#M2114 <P>Hi,&nbsp;</P><P>Can I configure DCs and ADFS with separate GMSA accounts?</P> Mon, 25 Jan 2021 13:03:15 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/directory-services-credentials/m-p/2093816#M2114 Igsaan Mollagee 2021-01-25T13:03:15Z Any honeytoken program thoughts to share? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/any-honeytoken-program-thoughts-to-share/m-p/2089810#M2108 <P>I am looking to utilize the MDI honeytoken feature and looking for any suggestions.</P><P>&nbsp;</P><P>In terms of enticement or effort to minimize suspicion, here are my initial thoughts but am certainly open to any input.</P><UL><LI>How many</LI><LI>Type (person, computer, service, resource)</LI><LI>Permissions</LI><LI>Location</LI><LI>Create date</LI><LI>Logon count/last logon (automation opportunity)</LI><LI>Group membership</LI><LI>Title/description</LI><LI>Mail enabled?</LI></UL><P>Thanks in advance for your considerations!</P> Sat, 23 Jan 2021 15:26:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/any-honeytoken-program-thoughts-to-share/m-p/2089810#M2108 MarshMadness 2021-01-23T15:26:00Z What is the difference between MCAS and MDI while both provides suspicious activity details? 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/what-is-the-difference-between-mcas-and-mdi-while-both-provides/m-p/2089702#M2107 <P>Hello,</P><P>&nbsp;</P><P>Microsoft Documentation provides following definitions for MDI and MCAS:</P><P>&nbsp;</P><P><STRONG>MDI:</STRONG>&nbsp;<SPAN>The Defender for Identity portal provides a quick view of all suspicious activities in chronological order. It enables you to drill into details of any activity and perform actions based on those activities. The Defender for Identity portal also displays alerts and notifications to highlight problems seen by Defender for Identity or new activities that are deemed suspicious.</SPAN></P><P>&nbsp;</P><P><STRONG>MCAS:&nbsp;</STRONG>&nbsp;It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services. It<SPAN>&nbsp;provides simple deployment, centralized management, and innovative automation capabilities.</SPAN></P><P>&nbsp;</P><P>Could you please clarify the difference between MCAS and MDI while both provides suspicious activity details?</P><P>&nbsp;</P><P>Thanks,</P> Sat, 23 Jan 2021 14:03:24 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/what-is-the-difference-between-mcas-and-mdi-while-both-provides/m-p/2089702#M2107 Dave8465 2021-01-23T14:03:24Z MDI Sensor Auto Updates https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-sensor-auto-updates/m-p/2089664#M2106 <P>What (if any) is the relationship of the "<SPAN>Domain controller and ADFS server restart during updates" to the "Automatic Restart" toggle switch in the updates section of MDI?</SPAN></P><P><SPAN>Is the DC restart about major updates that&nbsp;<STRONG><EM>could</EM> </STRONG>require a reboot of the DC and the auto restart relative to restarting just the agent/service OR is this simply the ability to granularly set if a reboot 
can/will happen per DC if the DC restart is toggled on?</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks in advance for any light shed...</SPAN></P> Sat, 23 Jan 2021 13:46:13 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-identity/mdi-sensor-auto-updates/m-p/2089664#M2106 MarshMadness 2021-01-23T13:46:13Z