deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 13:47:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

html tables

Browse Source
This commit is contained in:
Iaan 2016-05-03 13:43:41 +10:00
parent 625e26734d
commit 74d58c3a3c
1 changed files with 216 additions and 337 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

553
windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -188,344 +188,223 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service. 3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
<table> <table>
<tbody style="vertical-align:top;"> <tbody style="vertical-align:top;">
<tr> <tr>
<th>Event ID</th> <th>Event ID</th>
<th>Message</th> <th>Message</th>
<th>Description</th> <th>Description</th>
<th>Action</th> <th>Action</th>
</tr> </tr>
<tr> <tr>
<td>1</td> <td>1</td>
<td>Windows Advanced Threat Protection service started (Version <td>Windows Advanced Threat Protection service started (Version ```variable```).</td>
```variable```).</td> <td>Occurs during system start up, shut down, and during onbboarding.</td>
<td>Occurs during system start up, shut down, and during <td>Normal operating notification; no action required.</td>
onbboarding.</td> </tr>
<td>Normal operating notification; no action required.</td> <tr>
</tr> <td>2</td>
<tr> <td>Windows Advanced Threat Protection service shutdown.</td>
<td>2</td> <td>Occurs when the endpoint is shut down or offboarded.</td>
<td>Windows Advanced Threat Protection service shutdown.</td> <td>Normal operating notification; no action required.</td>
<td>Occurs when the endpoint is shut down or offboarded.</td> </tr>
<td>Normal operating notification; no action required.</td> <tr>
</tr> <td>3</td>
<tr> <td>Windows Advanced Threat Protection service failed to start. Failure code: ```variable```</td>
<td>3</td> <td>Service did not start.</td>
<td>Windows Advanced Threat Protection service failed to start. <td>Review other messages to determine possible cause and troubleshooting steps.</td>
Failure code: ```variable```</td> </tr>
<td>Service did not start.</td> <tr>
<td>Review other messages to determine possible cause and <td>4</td>
troubleshooting steps.</td> <td>Windows Advanced Threat Protection service contacted the server at ```variable```.</td>
</tr> <td>variable = URL of the Windows Defender ATP processing servers.<br>
<tr> This URL will match that seen in the Firewall or network activity.</td>
<td>4</td> <td>Normal operating notification; no action required.</td>
<td>Windows Advanced Threat Protection service contacted the </tr>
server at ```variable```.</td> <tr>
<td>variable = URL of the Windows Defender ATP processing <td>5</td>
servers.<br> <td>Windows Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
This URL will match that seen in the Firewall or network <td>variable = URL of the Windows Defender ATP processing servers.<br>
activity.</td> The service could not contact the external processing servers at that URL.</td>
<td>Normal operating notification; no action required.</td> <td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
</tr> </tr>
<tr> <tr>
<td>5</td> <td>6</td>
<td>Windows Advanced Threat Protection service failed to <td>Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
connect to the server at ```variable```.</td> <td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>variable = URL of the Windows Defender ATP processing <td>Onboarding must be run before starting the service.<br>
servers.<br> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
The service could not contact the external processing servers See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
at that URL.</td> </tr>
<td>Check the connection to the URL. See [Configure proxy and <tr>
Internet <td>7</td>
connectivity](#configure-proxy-and-Internet-connectivity).</td> <td>Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable```</td>
</tr> <td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<tr> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
<td>6</td> See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
<td>Windows Advanced Threat Protection service is not onboarded </tr>
and no onboarding parameters were found.</td> <tr>
<td>The endpoint did not onboard correctly and will not be <td>8</td>
reporting to the portal.</td> <td>Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```</td>
<td>Onboarding must be run before starting the service.<br> <td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
Check that the onboarding settings and scripts were deployed <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
properly. Try to redeploy the configuration packages.<br> See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP </tr>
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td> <tr>
</tr> <td>9</td>
<tr> <td>Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable```</td>
<td>7</td> <td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Windows Advanced Threat Protection service failed to read <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
the onboarding parameters. Failure code: ```variable```</td> See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
<td>The endpoint did not onboard correctly and will not be </tr>
reporting to the portal.</td> <tr>
<td>Check that the onboarding settings and scripts were <td>10</td>
deployed properly. Try to redeploy the configuration <td>Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```</td>
packages.<br> <td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
See [Configure Windows Defender ATP <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td> See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
</tr> </tr>
<tr> <tr>
<td>8</td> <td>11</td>
<td>Windows Advanced Threat Protection service failed to clean <td>Windows Advanced Threat Protection service completed.</td>
its configuration. Failure code: ```variable```</td> <td>The endpoint onboarded correctly.</td>
<td>The endpoint did not onboard correctly and will not be <td>Normal operating notification; no action required.<br>
reporting to the portal.</td> It may take several hours for the endpoint to appear in the portal.</td>
<td>Check that the onboarding settings and scripts were </tr>
deployed properly. Try to redeploy the configuration <tr>
packages.<br> <td>12</td>
See [Configure Windows Defender ATP <td>Windows Advanced Threat Protection failed to apply the default configuration.</td>
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td> <td>Service was unable to apply configuration from the processing servers.</td>
</tr> <td>This is a server error and should resolve after a short period.</td>
<tr> </tr>
<td>9</td> <tr>
<td>Windows Advanced Threat Protection service failed to change <td>13</td>
its start type. Failure code: ```variable```</td> <td>Service machine ID calculated: ```variable```</td>
<td>The endpoint did not onboard correctly and will not be <td>Normal operating process.</td>
reporting to the portal.</td> <td>Normal operating notification; no action required.</td>
<td>Check that the onboarding settings and scripts were </tr>
deployed properly. Try to redeploy the configuration <tr>
packages.<br> <td>14</td>
See [Configure Windows Defender ATP <td>Service cannot calculate machine ID. Failure code: ```variable```</td>
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td> <td>Internal error.</td>
</tr> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
<tr> See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
<td>10</td> </tr>
<td>Windows Advanced Threat Protection service failed to <tr>
persist the onboarding information. Failure code: <td>15</td>
```variable```</td> <td>Windows Advanced Threat Protection cannot start command channel with URL: ```variable```</td>
<td>The endpoint did not onboard correctly and will not be <td>variable = URL of the Windows Defender ATP processing servers.<br>
reporting to the portal.</td> The service could not contact the external processing servers at that URL.</td>
<td>Check that the onboarding settings and scripts were <td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
deployed properly. Try to redeploy the configuration </tr>
packages.<br> <tr>
See [Configure Windows Defender ATP <td>17</td>
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td> <td>Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```</td>
</tr> <td>An error occurred with the Windows telemetry service.</td>
<tr> <td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)<br>
<td>11</td> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
<td>Windows Advanced Threat Protection service completed.</td> See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
<td>The endpoint onboarded correctly.</td> </tr>
<td>Normal operating notification; no action required.<br> <tr>
It may take several hours for the endpoint to appear in the <td>18</td>
portal.</td> <td>OOBE (Windows Welcome) is completed.</td>
</tr> <td>Service will only start after any Windows updates have finished installing.</td>
<tr> <td>Normal operating notification; no action required.</td>
<td>12</td> </tr>
<td>Windows Advanced Threat Protection failed to apply the <tr>
default configuration.</td> <td>19</td>
<td>Service was unable to apply configuration from the <td>OOBE (Windows Welcome) has not yet completed.</td>
processing servers.</td> <td>Service will only start after any Windows updates have finished installing.</td>
<td>This is a server error and should resolve after a short <td>Normal operating notification; no action required.<br>
period.</td> If this error persists after a system restart, ensure all Windows updates have full installed.</td>
</tr> </tr>
<tr> <tr>
<td>13</td> <td>20</td>
<td>Service machine ID calculated: ```variable```</td> <td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```</td>
<td>Normal operating process.</td> <td>Internal error.</td>
<td>Normal operating notification; no action required.</td> <td>If this error persists after a system restart, ensure all Windows updates have full installed.</td>
</tr> </tr>
<tr> <tr>
<td>14</td> <td>25</td>
<td>Service cannot calculate machine ID. Failure code: <td>Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable```</td>
```variable```</td> <td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Internal error.</td> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
<td>Check that the onboarding settings and scripts were See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
deployed properly. Try to redeploy the configuration </tr>
packages.<br> <tr>
See [Configure Windows Defender ATP <td>26</td>
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td> <td>Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```</td>
</tr> <td>The endpoint did not onboard correctly.<br>
<tr> It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>15</td> <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
<td>Windows Advanced Threat Protection cannot start command See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
channel with URL: ```variable```</td> </tr>
<td>variable = URL of the Windows Defender ATP processing <tr>
servers.<br> <td>27</td>
The service could not contact the external processing servers <td>Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```</td>
at that URL.</td> <td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
<td>Check the connection to the URL. See [Configure proxy and <td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
Internet See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
connectivity](#configure-proxy-and-Internet-connectivity).</td> Ensure real-time antimalware protection is running properly.</td>
</tr> </tr>
<tr> <tr>
<td>17</td> <td>28</td>
<td>Windows Advanced Threat Protection service failed to change <td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```</td>
the Connected User Experiences and Telemetry service location. <td>An error occurred with the Windows telemetry service.</td>
Failure code: ```variable```</td> <td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
<td>An error occurred with the Windows telemetry service.</td> Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
<td>[Ensure the telemetry service is See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)<br> </tr>
<tr>
<td>29</td>
<td>Windows Advanced Threat Protection service failed to read the offboarding parameters. Failure code: ```variable```</td>
<td><span style="background-color:yellow;">Naama: Should I remove this error? Or just leave it as internal?</span></td>
<td>TBD</td>
</tr>
<tr>
<td>30</td>
<td>Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```</td>
<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
Ensure real-time antimalware protection is running properly.</td>
</tr>
<tr>
<td>31</td>
<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Check for errors with the Windows telemetry service](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
</tr>
<tr>
<td>32</td>
<td>Windows Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: ```variable```</td>
<td><span style="background-color:yellow;">Naama: Should I remove this error? Or just leave it as internal?</span></td>
<td>TBD</td>
</tr>
<tr>
<td>33</td>
<td>Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```</td>
<td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br>
If the identifier does not persist, the same machine might appear twice in the portal.</td>
<td>Check registry permissions on the endpoint to ensure the service can update the registry.</td>
</tr>
<tr>
<td>34</td>
<td>Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
</tr>
<tr>
<td>35</td>
<td>Windows Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```</td>
<td><span style="background-color:yellow;">Naama: Should I remove this error? Or just leave it as internal?</span></td>
<td>TBD</td>
</tr>
</tbody>
</table>
Check that the onboarding settings and scripts were deployed
properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
</tr>
<tr>
<td>18</td>
<td>OOBE (Windows Welcome) is completed.</td>
<td>Service will only start after any Windows updates have
finished installing.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>19</td>
<td>OOBE (Windows Welcome) has not yet completed.</td>
<td>Service will only start after any Windows updates have
finished installing.</td>
<td>Normal operating notification; no action required.<br>
If this error persists after a system restart, ensure all
Windows updates have full installed.</td>
</tr>
<tr>
<td>20</td>
<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure
code: ```variable```</td>
<td>Internal error.</td>
<td>If this error persists after a system restart, ensure all
Windows updates have full installed.</td>
</tr>
<tr>
<td>25</td>
<td>Windows Advanced Threat Protection service failed to reset
health status in the registry, causing the onboarding process
to fail. Failure code: ```variable```</td>
<td>The endpoint did not onboard correctly and will not be
reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were
deployed properly. Try to redeploy the configuration
packages.<br>
See [Configure Windows Defender ATP
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
</tr>
<tr>
<td>26</td>
<td>Windows Advanced Threat Protection service failed to set
the onboarding status in the registry. Failure code:
```variable```</td>
<td>The endpoint did not onboard correctly.<br>
It will report to the portal, however the service may not
appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were
deployed properly. Try to redeploy the configuration
packages.<br>
See [Configure Windows Defender ATP
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
</tr>
<tr>
<td>27</td>
<td>Windows Advanced Threat Protection service failed to enable
SENSE aware mode in Windows Defender. Onboarding process
failed. Failure code: ```variable```</td>
<td>Normally, Windows Defender will enter a special passive
state if another real-time antimalware product is running
properly on the endpoint, and the endpoint is reporting to
Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were
deployed properly. Try to redeploy the configuration
packages.<br>
See [Configure Windows Defender ATP
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
Ensure real-time antimalware protection is running
properly.</td>
</tr>
<tr>
<td>28</td>
<td>Windows Advanced Threat Protection Connected User
Experiences and Telemetry service registration failed. Failure
code: ```variable```</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is
enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed
properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
</tr>
<tr>
<td>29</td>
<td>Windows Advanced Threat Protection service failed to read
the offboarding parameters. Failure code: ```variable```</td>
<td><span style="background-color:yellow;">Naama: Should I
remove this error? Or just leave it as internal?</span></td>
<td>TBD</td>
</tr>
<tr>
<td>30</td>
<td>Windows Advanced Threat Protection service failed to
disable SENSE aware mode in Windows Defender. Failure code:
```variable```</td>
<td>Normally, Windows Defender will enter a special passive
state if another real-time antimalware product is running
properly on the endpoint, and the endpoint is reporting to
Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were
deployed properly. Try to redeploy the configuration
packages.<br>
See [Configure Windows Defender ATP
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
Ensure real-time antimalware protection is running
properly.</td>
</tr>
<tr>
<td>31</td>
<td>Windows Advanced Threat Protection Connected User
Experiences and Telemetry service unregistration failed.
Failure code: ```variable```</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Check for errors with the Windows telemetry
service](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
</tr>
<tr>
<td>32</td>
<td>Windows Advanced Threat Protection service failed to
request to stop itself after offboarding process. Failure code:
```variable```</td>
<td><span style="background-color:yellow;">Naama: Should I
remove this error? Or just leave it as internal?</span></td>
<td>TBD</td>
</tr>
<tr>
<td>33</td>
<td>Windows Advanced Threat Protection service failed to
persist SENSE GUID. Failure code: ```variable```</td>
<td>A unique identifier is used to represent each endpoint that
is reporting to the portal.<br>
If the identifier does not persist, the same machine might
appear twice in the portal.</td>
<td>Check registry permissions on the endpoint to ensure the
service can update the registry.</td>
</tr>
<tr>
<td>34</td>
<td>Windows Advanced Threat Protection service failed to add
itself as a dependency on the Connected User Experiences and
Telemetry service, causing onboarding process to fail. Failure
code: ```variable```</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is
enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed
properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP
endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
</tr>
<tr>
<td>35</td>
<td>Windows Advanced Threat Protection service failed to remove
itself as a dependency on the Connected User Experiences and
Telemetry service. Failure code: ```variable```</td>
<td><span style="background-color:yellow;">Naama: Should I
remove this error? Or just leave it as internal?</span></td>
<td>TBD</td>
</tr>
</tbody>
</table>
</body>
## Related topics ## Related topics