deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 16:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Fixed build warning

Browse Source
This commit is contained in:
ManikaDhiman 2020-05-21 15:10:36 -07:00
parent 0d5a15af71
commit f1c3863c07
2 changed files with 93 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
View File

@ -1,7 +1,7 @@
--- ---
title: Take response actions on a machine in Microsoft Defender ATP title: Take response actions on a device in Microsoft Defender ATP
description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. description: Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running av scan, and restricting app execution.
keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
search.appverid: met150 search.appverid: met150
ms.prod: w10 ms.prod: w10
@ -17,16 +17,16 @@ ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
--- ---
# Take response actions on a machine # Take response actions on a device
**Applies to:** **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include: Response actions run along the top of a specific device page and include:
- Manage tags - Manage tags
- Initiate Automated Investigation - Initiate Automated Investigation
@ -34,56 +34,56 @@ Response actions run along the top of a specific machine page and include:
- Collect investigation package - Collect investigation package
- Run antivirus scan - Run antivirus scan
- Restrict app execution - Restrict app execution
- Isolate machine - Isolate device
- Consult a threat expert - Consult a threat expert
- Action center - Action center
![Image of response actions](images/response-actions.png) ![Image of response actions](images/response-actions.png)
You can find machine pages from any of the following views: You can find device pages from any of the following views:
- **Security operations dashboard** - Select a machine name from the Machines at risk card. - **Security operations dashboard** - Select a device name from the Devices at risk card.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - **Alerts queue** - Select the device name beside the device icon from the alerts queue.
- **Machines list** - Select the heading of the machine name from the machines list. - **Devices list** - Select the heading of the device name from the devices list.
- **Search box** - Select Machine from the drop-down menu and enter the machine name. - **Search box** - Select Device from the drop-down menu and enter the device name.
>[!IMPORTANT] >[!IMPORTANT]
> - These response actions are only available for machines on Windows 10, version 1703 or later. > - These response actions are only available for devices on Windows 10, version 1703 or later.
> - For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party capabilities. > - For non-Windows platforms, response capabilities (such as Device isolation) are dependent on the third-party capabilities.
## Manage tags ## Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Add or manage tags to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see [Create and manage machine tags](machine-tags.md). For more information on device tagging, see [Create and manage device tags](machine-tags.md).
## Initiate Automated Investigation ## Initiate Automated Investigation
You can start a new general purpose automated investigation on the machine if needed. While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation. You can start a new general purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md). For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
## Initiate Live Response Session ## Initiate Live Response Session
Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats real-time. Live response is a capability that gives you instantaneous access to a device using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats real-time.
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
For more information on live response, see [Investigate entities on machines using live response](live-response.md) For more information on live response, see [Investigate entities on devices using live response](live-response.md)
## Collect investigation package from machines ## Collect investigation package from devices
As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.
To download the package (Zip file) and investigate the events that occurred on a machine To download the package (Zip file) and investigate the events that occurred on a device
1. Select **Collect investigation package** from the row of response actions at the top of the machine page. 1. Select **Collect investigation package** from the row of response actions at the top of the device page.
2. Specify in the text box why you want to perform this action. Select **Confirm**. 2. Specify in the text box why you want to perform this action. Select **Confirm**.
3. The zip file will download 3. The zip file will download
Alternate way: Alternate way:
1. Select **Action center** from the response actions section of the machine page. 1. Select **Action center** from the response actions section of the device page.
![Image of action center button](images/action-center-package-collection.png) ![Image of action center button](images/action-center-package-collection.png)
@ -95,12 +95,12 @@ The package contains the following folders:
| Folder | Description | | Folder | Description |
|:---|:---------| |:---|:---------|
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | |Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the device. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | |Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewallExecutionLog.txt and pfirewall.log | |Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewallExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | | Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | | Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically. |
| Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer. | | Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer. |
| Services| Contains a .CSV file which lists services and their states. | | Services| Contains a .CSV file which lists services and their states. |
| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found. | | Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found. |
@ -110,85 +110,85 @@ The package contains the following folders:
|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab | |WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab |
| CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | | CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
## Run Windows Defender Antivirus scan on machines ## Run Windows Defender Antivirus scan on devices
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
>[!IMPORTANT] >[!IMPORTANT]
>- This action is available for machines on Windows 10, version 1709 or later. >- This action is available for devices on Windows 10, version 1709 or later.
>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). >- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan. One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.
![Image of notification to select quick scan or full scan and add comment](images/run-antivirus.png) ![Image of notification to select quick scan or full scan and add comment](images/run-antivirus.png)
The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan. The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
## Restrict app execution ## Restrict app execution
In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
>[!IMPORTANT] >[!IMPORTANT]
> - This action is available for machines on Windows 10, version 1709 or later. > - This action is available for devices on Windows 10, version 1709 or later.
> - This feature is available if your organization uses Windows Defender Antivirus. > - This feature is available if your organization uses Windows Defender Antivirus.
> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). > - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities.
>[!NOTE] >[!NOTE]
>Youll be able to reverse the restriction of applications from running at any time. The button on the machine page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution. >Youll be able to reverse the restriction of applications from running at any time. The button on the device page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution.
Once you have selected **Restrict app execution** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event. Once you have selected **Restrict app execution** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.
![Image of app restriction notification](images/restrict-app-execution.png) ![Image of app restriction notification](images/restrict-app-execution.png)
**Notification on machine user**:</br> **Notification on device user**:</br>
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
![Image of app restriction](images/atp-app-restriction.png) ![Image of app restriction](images/atp-app-restriction.png)
## Isolate machines from the network ## Isolate devices from the network
Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement.
>[!IMPORTANT] >[!IMPORTANT]
>- Full isolation is available for machines on Windows 10, version 1703. >- Full isolation is available for devices on Windows 10, version 1703.
>- Selective isolation is available for machines on Windows 10, version 1709 or later. >- Selective isolation is available for devices on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine. This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the device.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation'). On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
>[!NOTE] >[!NOTE]
>Youll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine. >Youll be able to reconnect the device back to the network at any time. The button on the device page will change to say **Release from isolation**, and then you take the same steps as isolating the device.
Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event. Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.
![Image of isolate machine](images/isolate-machine.png) ![Image of isolate device](images/isolate-machine.png)
>[!NOTE] >[!NOTE]
>The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. >The device will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
**Notification on machine user**:</br> **Notification on device user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network:
![Image of no network connection](images/atp-notification-isolate.png) ![Image of no network connection](images/atp-notification-isolate.png)
## Consult a threat expert ## Consult a threat expert
You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details. See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center ## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details: The **Action center** provides information on actions that were taken on a device or file. Youll be able to view the following details:
- Investigation package collection - Investigation package collection
- Antivirus scan - Antivirus scan
- App restriction - App restriction
- Machine isolation - Device isolation
All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed. All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.

84
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
View File

@ -1,6 +1,6 @@
--- ---
title: Troubleshoot Microsoft Defender ATP onboarding issues title: Troubleshoot Microsoft Defender ATP onboarding issues
description: Troubleshoot issues that might arise during the onboarding of machines or to the Microsoft Defender ATP service. description: Troubleshoot issues that might arise during the onboarding of devices or to the Microsoft Defender ATP service.
keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
search.appverid: met150 search.appverid: met150
@ -26,36 +26,36 @@ ms.topic: troubleshooting
You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices.
## Troubleshoot issues with onboarding tools ## Troubleshoot issues with onboarding tools
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem. If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
### Troubleshoot onboarding when deploying with Group Policy ### Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not.
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, you can check the output of the script on the devices. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. If the script completes successfully, see [Troubleshoot onboarding issues on the devices](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager ### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
When onboarding machines using the following versions of Configuration Manager: When onboarding devices using the following versions of Configuration Manager:
- Microsoft Endpoint Configuration Manager - Microsoft Endpoint Configuration Manager
- System Center 2012 Configuration Manager - System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager - System Center 2012 R2 Configuration Manager
Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager Console.
If the deployment fails, you can check the output of the script on the machines. If the deployment fails, you can check the output of the script on the devices.
If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
### Troubleshoot onboarding when deploying with a script ### Troubleshoot onboarding when deploying with a script
**Check the result of the script on the machine**: **Check the result of the script on the device**:
1. Click **Start**, type **Event Viewer**, and press **Enter**. 1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**. 2. Go to **Windows Logs** > **Application**.
@ -70,7 +70,7 @@ Event ID | Error Type | Resolution steps
:---|:---|:--- :---|:---|:---
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.<br>Verify that the script has been run as an administrator. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.<br>Verify that the script has been run as an administrator.
15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. 15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.
15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. 15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
@ -80,7 +80,7 @@ Event ID | Error Type | Resolution steps
### Troubleshoot onboarding issues using Microsoft Intune ### Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. If you have configured policies in Intune and they are not propagated on devices, you might need to configure automatic MDM enrollment.
Use the following tables to understand the possible causes of issues while onboarding: Use the following tables to understand the possible causes of issues while onboarding:
@ -95,9 +95,9 @@ If none of the event logs and troubleshooting steps work, download the Local scr
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:--- :---|:---|:---|:---|:---
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). 0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Microsoft Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection``` <br> <br> If it doesn't exist, open an elevated command and add the key. | | | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Microsoft Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection``` <br> <br> If it doesn't exist, open an elevated command and add the key.
| | | | SenseIsRunning <br> OnboardingState <br> OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). | | | | SenseIsRunning <br> OnboardingState <br> OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
|| | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional. <br> Server is not supported. || | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional. <br> Server is not supported.
0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional. 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional.
@ -108,9 +108,9 @@ The following table provides information on issues with non-compliance and how y
Case | Symptoms | Possible cause and troubleshooting steps Case | Symptoms | Possible cause and troubleshooting steps
:---|:---|:--- :---|:---|:---
1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete. 1 | Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete.
2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours. 2 | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. 3 | Device is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time.
<br> <br>
<strong>Mobile Device Management (MDM) event logs</strong> <strong>Mobile Device Management (MDM) event logs</strong>
@ -125,16 +125,16 @@ ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:--- :---|:---|:---|:---
1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). 1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the machine ## Troubleshoot onboarding issues on the device
If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent: If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent:
- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) - [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log)
- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) - [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection) - [Ensure the device has an Internet connection](#ensure-the-device-has-an-internet-connection)
- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) - [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
### View agent onboarding errors in the machine event log ### View agent onboarding errors in the device event log
1. Click **Start**, type **Event Viewer**, and press **Enter**. 1. Click **Start**, type **Event Viewer**, and press **Enter**.
@ -155,31 +155,31 @@ If the deployment tools used does not indicate an error in the onboarding proces
Event ID | Message | Resolution steps Event ID | Message | Resolution steps
:---|:---|:--- :---|:---|:---
5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). 5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).
6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md). 6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md).
7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. 7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection), then run the entire onboarding process again.
9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md). <br><br>If the event happened during offboarding, contact support. 9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md). <br><br>If the event happened during offboarding, contact support.
10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md). <br><br>If the problem persists, contact support. 10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md). <br><br>If the problem persists, contact support.
15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). 15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).
17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support. 17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support.
25 | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. 25 | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
27 | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. 27 | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. 29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the device has Internet access, then run the entire offboarding process again.
30 | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support. 30 | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support.
32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. 32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device.
55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. 55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device.
63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. 63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. 64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. 68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. 69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
<br> <br>
There are additional components on the machine that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. There are additional components on the device that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
<span id="ensure-the-diagnostics-service-is-enabled" /> <span id="ensure-the-diagnostics-service-is-enabled" />
### Ensure the diagnostic data service is enabled ### Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
@ -187,7 +187,7 @@ First, you should check that the service is set to start automatically when Wind
**Use the command line to check the Windows 10 diagnostic data service startup type**: **Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the machine: 1. Open an elevated command-line prompt on the device:
a. Click **Start**, type **cmd**, and press **Enter**. a. Click **Start**, type **cmd**, and press **Enter**.
@ -208,7 +208,7 @@ First, you should check that the service is set to start automatically when Wind
**Use the command line to set the Windows 10 diagnostic data service to automatically start:** **Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the machine: 1. Open an elevated command-line prompt on the device:
a. Click **Start**, type **cmd**, and press **Enter**. a. Click **Start**, type **cmd**, and press **Enter**.
@ -234,7 +234,7 @@ First, you should check that the service is set to start automatically when Wind
sc start diagtrack sc start diagtrack
``` ```
### Ensure the machine has an Internet connection ### Ensure the device has an Internet connection
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
@ -249,7 +249,7 @@ If the verification fails and your environment is using a proxy to connect to th
**Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service. **Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.
**Solution**: If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. **Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: - Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
@ -291,15 +291,15 @@ You might also need to check the following:
![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png)
- Check to see that machines are reflected in the **Machines list** in the portal. - Check to see that devices are reflected in the **Devices list** in the portal.
## Confirming onboarding of newly built machines ## Confirming onboarding of newly built devices
There may be instances when onboarding is deployed on a newly built machine but not completed. There may be instances when onboarding is deployed on a newly built device but not completed.
The steps below provide guidance for the following scenario: The steps below provide guidance for the following scenario:
- Onboarding package is deployed to newly built machines - Onboarding package is deployed to newly built devices
- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed - Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
- Machine is turned off or restarted before the end user performs a first logon - Device is turned off or restarted before the end user performs a first logon
- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed - In this scenario, the SENSE service will not start automatically even though onboarding package was deployed
>[!NOTE] >[!NOTE]
@ -406,6 +406,6 @@ The steps below provide guidance for the following scenario:
## Related topics ## Related topics
- [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) - [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md)
- [Onboard machines](onboard-configure.md) - [Onboard devices](onboard-configure.md)
- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) - [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)