anchor xrefs, image update, final proof of troubleshooting

This commit is contained in:
Iaan 2016-05-11 18:50:26 +10:00
parent e42d0f5539
commit 06394da8fc
3 changed files with 56 additions and 60 deletions


@ -20,7 +20,7 @@ author: iaanw
You can use a System Center Configuration Manager (SCCM) package, a Group Policy (GP) configuration package, or an automated script to configure endpoints.
## Configure with System Center Configuration Manager (SCCM)
## Configure with System Center Configuration Manager
1. Open the SCCM configuration package .zip file (*WindowsATPOnboardingPackage_ConfigurationManager.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
@ -66,7 +66,8 @@ Using the GP configuration package ensures your endpoints will be correctly conf
For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md).
## Configure endpoints manually with registry changes
## Configure endpoints individually with an automated script
<a name="manual"></a>
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
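Review bot: the `<a name="manual"></a>` anchor is placed on the line after the renamed heading, so a link to `#manual` lands below it and scrolls the heading itself off the top of the page; move the anchor to the line before `## Configure endpoints individually with an automated script`. The first body sentence still opens with "You can also manually onboard individual endpoints", which now contradicts the heading's "with an automated script"; reword one or the other, and consider an anchor name that matches, since `manual` no longer describes the section.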

Binary file not shown.

Before

Width:  |  Height:  |  Size: 7.7 KiB

After

Width:  |  Height:  |  Size: 7.7 KiB


@ -18,68 +18,66 @@ author: iaanw
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You might need to troubleshoot the Windows Defender Advanced Threat Protection boarding process if you encounter issues.
This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly and common error codes encountered during onboarding. <!--and steps for resolving problems with Azure Active Directory (AAD).-->
You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues.
This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding. <!--and steps for resolving problems with Azure Active Directory (AAD).-->
## Endpoints are not reporting to the service correctly
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or a connectivity problem.
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem.
Go through the following verification topics to address this issue:
- [Ensure that the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully)
- [Ensure that the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled)
- [Ensure that telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled)
- [Ensure that the Windows Defender ATP endpoint has internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully)
- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled)
- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled)
- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
### Ensure that the endpoint is onboarded successfully
If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded on the endpoint.
### Ensure the endpoint is onboarded successfully
If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint.
**Check the onboarding state in Registry**:
1. Click **Start**.
1. Click **Start**, type **Run**, and press **Enter**
2. Type **Run**.
2. From the **Run** dialog box, type **regedit** and press **Enter**.
3. From the **Run** dialog box, type **regedit** and press **Enter**.
4. In the **Registry Editor** navigate to the Status key under:
4. In the **Registry Editor** navigate to the Status key under
```
```text
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
```
5. Check that the **OnboardingState** value is set to **1**.
5. Check the **OnboardingState** value is set to **1**.
![Image of OnboardingState status in Registry Editor](images/onboardingstate.png)
If the **OnboardingState** value is not set to **1**, follow the instructions on **Identifying and addressing onboarding issues**.
If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
**Identifying and addressing onboarding errors**:
**Use Event Viewer to identify and adress onboarding errors**:
1. Click **Start**.
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Type **Event Viewer**.
2. In the **Event Viewer (Local)** pane, expand the **Applications and Services Logs** section, and then browse to the **Microsoft\Windows\SENSE** directory.
3. In **Event Viewer**, browse to the **Application and Services Logs\Microsoft\Windows\SENSE** directory.
> **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
4. Click the **Operational** log.
3. Select **Operational** to load the log.
5. In the **Action** pane, click **Filter Current log**.
4. In the **Action** pane, click **Filter Current log**.
6. Select **Critical**, **Warning**, and **Error**, then click **OK**.
5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
![Image of Event Viewer log filter](images/filter-log.png)
7. Review the remaining events which can indicate issues and troubleshoot them based on the corresponding solutions from the following table:
6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
Event ID | Message | Resolution steps
:---|:---|:---
5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | Ensure that the Windows Defender ATP endpoint has internet access.
6 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | Run the onboarding script again.
7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | Ensure that the Windows Defender ATP endpoint has internet access, then run the onboarding script again.
15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | Ensure that the Windows Defender ATP endpoint has internet access.
5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
6 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then [run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
### Ensure the Windows Defender ATP service is enabled
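Review bot: the bulleted xrefs near the top of the hunk still point at the old anchors (`#Ensure-that-the-endpoint-is-onboarded-successfully`, `#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection`, and so on) while the headings they target are renamed in this same hunk to "Ensure the endpoint is onboarded successfully" and "Ensure the endpoint has an Internet connection"; the new table rows use the regenerated lowercase form `#ensure-the-endpoint-has-an-internet-connection`, so the list needs the same scheme or the links break. Smaller points in the same hunk: the registry steps are now numbered 1, 2, 4, 5 (step 3 was folded into step 1 without renumbering); "adress" in "Use Event Viewer to identify and adress onboarding errors" is a typo; and rows 6 and 7 of the event table carry an identical message ("failed to read the onboarding parameters") with different resolutions, which is unchanged here but worth confirming against the real event 7 text while the table is being edited.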
@ -91,11 +89,11 @@ You can use the SC command line program for checking and managing the startup ty
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
2. Enter the following command, and press **Enter**:
```text
sc qc sense
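Review bot: step a now reads "Click Start, type cmd, and press Enter", but pressing Enter launches a non-elevated Command Prompt, so step b ("Right-click Command prompt and select Run as administrator") no longer has a search result to right-click; either drop "and press Enter" from a, or merge a and b into one step that right-clicks the search result and selects Run as administrator. The same edit is repeated in every elevated-prompt hunk below (sc config sense, sc query sense, sc start sense, sc qc diagtrack, sc config diagtrack) and needs the same fix in each.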
@ -111,11 +109,11 @@ If the service **START_TYPE** is not set to **AUTO_START**, then you'll need to
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
2. Enter the following command, and press **Enter**:
```text
sc config sense start=auto
@ -131,11 +129,11 @@ If the service **START_TYPE** is not set to **AUTO_START**, then you'll need to
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
2. Enter the following command, and press **Enter**:
```text
sc query sense
@ -151,11 +149,11 @@ If the service **STATE** is not set to **RUNNING**, then you'll need to start it
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
2. Enter the following command, and press **Enter**:
```text
sc start sense
@ -171,22 +169,19 @@ If the service **STATE** is not set to **RUNNING**, then you'll need to start it
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't.)
#### Ensure the service is set to automatically start
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
### Ensure the service is set to start
**Use the command line to check the Windows 10 telemetry and diganostics service startup type**:
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
2. Enter the following command, and press **Enter**:
```doscon
sc qc diagtrack
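Review bot: demoting `#### Ensure the service is set to automatically start` to `### Ensure the service is set to start` changes the outline: the sub-step becomes a sibling of "Ensure that telemetry and diagnostics service is enabled" instead of its child, so the verification-topic list at the top of the page no longer mirrors the heading hierarchy; keep the #### level (the same demotion is applied to "Ensure the service is running" further down). The new heading also drops "automatically", which is the condition actually being checked (START_TYPE is AUTO_START); "set to start" is ambiguous. "diganostics" in the unchanged bold lead-in is a typo that could be picked up while here.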
@ -204,17 +199,17 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
2. Enter the following command, and press **Enter**:
```doscon
sc config diagtrack start=auto
```
3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```doscon
sc qc diagtrack
@ -249,19 +244,19 @@ If the startup type is not set to **Automatic**, you'll need to change it so the
4. On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK.
![Select Automatic to change the startup type in the Properties dialog box for the service](images/windefatp-utc-console-autostart.png)
![Select Automatic to change the startup type in the Properties dialog box for the service](images/windefatp-utc-console-autostart.png)
#### Ensure the service is running
### Ensure the service is running
**Use the command line to check the Windows 10 telemetry and diganostics service is running**:
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
a. **Click **Start** and type **cmd**.**
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
2. Enter the following command, and press **Enter**:
```doscon
sc query diagtrack
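Review bot: the rewritten step a, `a. **Click **Start** and type **cmd**.**`, nests bold markers inside an outer bold span and will render as a literal run of asterisks; it should read `a. Click **Start**, type **cmd**, and press **Enter**.` to match the other hunks (with the same press-Enter/right-click conflict flagged on the sc qc sense hunk). This hunk also demotes `#### Ensure the service is running` to `###`, detaching it from its parent topic, and "diganostics" in the bold lead-in is a typo.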
@ -278,17 +273,17 @@ If the service **STATE** is not set to **RUNNING**, then you'll need to start it
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
a. **Click **Start** and type **cmd**.**
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
2. Enter the following command, and press **Enter**:
```doscon
sc start diagtrack
```
3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```doscon
sc query diagtrack
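Review bot: same stray bold on step a (`a. **Click **Start** and type **cmd**.**`); the outer `**...**` wraps words that are already bold and will not render as intended. Make this line identical to the corresponding step in the sc config diagtrack hunk above.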
@ -321,18 +316,18 @@ If the service is not running, you'll need to start it.
3. Right-click on the entry and click **Start**, as shown in the following image.
![Select Start to start the service](images/windefatp-utc-console-start.png)
![Select Start to start the service](images/windef-utc-console-start.png)
### Ensure that the Windows Defender ATP endpoint has internet connection
### Ensure the endpoint has an Internet connection
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to be able to report telemetry and communicate with the Windows Defender ATP service.
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
If the verification fails and your environment is using a proxy to connect to the internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
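Review bot: the image reference changes from `images/windefatp-utc-console-start.png` to `images/windef-utc-console-start.png`, while the companion screenshot earlier in the file stays `images/windefatp-utc-console-autostart.png`; the two UTC console images now follow different naming, and the only binary in this commit shows as modified (Before/After), not added, so confirm the `windef-` file actually exists in `images/`. The rewritten sentence still says "The Window Defender ATP sensor" (missing the "s"), and "To ensure that sensor has service connectivity" is missing "the".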