updates based on naama's feedback

This commit is contained in:
Joey Caparas 2016-07-28 20:13:36 +10:00
parent ed9e92eef5
commit fcb6fe8a8b

@ -23,13 +23,13 @@ This page provides detailed steps to troubleshoot onboarding issues that might o
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem.
## Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indication if the deployment has succeeded or not.
Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not.
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
## Troubleshoot onboarding issues using System Center Configuration Manager
## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
When onboarding endpoints using the following versions of System Center Configuration Manager:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
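Review bot: renaming the heading "Troubleshoot onboarding issues using System Center Configuration Manager" to "Troubleshoot onboarding issues when deploying with System Center Configuration Manager" changes its generated anchor, so any intra-page or cross-topic link that still targets the old `#troubleshoot-onboarding-issues-using-system-center-configuration-manager` slug will break; update those references in the same change. The wording fix from "does not indication" to "does not indicate" is correct, and the two paragraphs that follow it correctly send the reader to the script-output check and then to the endpoint checks, which is the right order for Group Policy deployments that give no success signal.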
@ -113,41 +113,14 @@ ID | Severity | Event description | Troubleshooting steps
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
## Troubleshoot onboarding issues on the endpoint
Go through the following verification topics to address this issue:
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully)
- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled)
- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender ELAM driver is enabled)
- [Ensure the Windows Defender ATP service is enabled](#ensure-the-windows-defender-elam-driver-is-enabled)
- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled)
- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
## Ensure the endpoint is onboarded successfully
If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint.
**Check the onboarding state in Registry**:
1. Click **Start**, type **Run**, and press **Enter**.
2. From the **Run** dialog box, type **regedit** and press **Enter**.
3. In the **Registry Editor** navigate to the Status key under:
```text
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
```
4. Check the **OnboardingState** value is set to **1**.
![Image of OnboardingState status in Registry Editor](images/onboardingstate.png)
If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
**Use Event Viewer to identify and address onboarding errors**:
### View agent onboarding errors in the endpoint event log
1. Click **Start**, type **Event Viewer**, and press **Enter**.
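Review bot: the rewritten list item `[Ensure the Windows Defender ATP service is enabled](#ensure-the-windows-defender-elam-driver-is-enabled)` has link text that does not match its target: it repeats the ATP service entry directly above it while pointing at the ELAM driver section, so it should read `[Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled)`. Two smaller points in the same hunk: the new intro sentence is missing a word ("not appearing in the machines view an hour" should be "after an hour", and "the deployment tools used does not" mixes plural and singular), and the other list anchors (`#Ensure-that-the-endpoint-is-onboarded-successfully`, `#Ensure-that-the-Windows-Defender-ATP-service-is-enabled`, `#Ensure-that-telemetry-and-diagnostics-service-is-enabled`, `#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection`) contain "that" and mixed case and do not match the slugs of the headings as written ("## Ensure the endpoint is onboarded successfully", "### Ensure the telemetry and diagnostics service is enabled", "### Ensure the endpoint has an Internet connection"), so they will not resolve. The registry check itself is sound; note that `OnboardingState` only tells the reader the onboarding script ran, which is why the hunk correctly follows it with the Event Viewer step for the agent's own errors.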
@ -174,6 +147,73 @@ Event ID | Message | Resolution steps
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
### Ensure the telemetry and diagnostics service is enabled
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
### Ensure the service is set to start
**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc qc diagtrack
```
If the service is enabled, then the result should look like the following screenshot:
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc config diagtrack start=auto
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```text
sc qc diagtrack
```
4. Start the service.
a. In the command prompt, type the following command and press **Enter**:
```
sc start diagtrack
```
### Ensure the endpoint has an Internet connection
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
## Ensure the Windows Defender ELAM driver is enabled
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
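Review bot: `sc config diagtrack start=auto` in step 2 of the new "set the service to automatically start" procedure will not change the startup type as written; sc.exe requires a space after the equals sign (`sc config diagtrack start= auto`), otherwise it prints its usage text and the reader's subsequent `sc qc diagtrack` check will still show the old START_TYPE. Three smaller points in the same hunk: the `sc start diagtrack` fence lacks the `text` tag the other fences use; step 4 starts the service but, unlike every other step here, never verifies the result (an `sc query diagtrack` check confirming STATE is RUNNING would close the loop before the reader moves on to connectivity); and the new "Ensure the service is set to start" subsection sits at the same `###` level as its parent "Ensure the telemetry and diagnostics service is enabled" rather than one level below. Typo: "The Window Defender ATP sensor" should be "Windows". The WinHTTP paragraph is a useful addition, since browser proxy settings not applying to the sensor is a common reason connectivity checks pass in a browser but the endpoint still does not report.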
@ -263,297 +303,8 @@ public static class Elam{
$driverPath = $env:SystemRoot + "\System32\Drivers\WdBoot.sys"
[Elam]::InstallWdBoot($driverPath)
```
### Ensure the Windows Defender ATP service is enabled
If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint.
You can use the SC command line program for checking and managing the startup type and running state of the service.
**Check the Windows Defender ATP service startup type from the command line:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc qc sense
```
If the the service is running, then the result should look like the following screenshot:
![Result of the sq query sense command](images/sc-query-sense-autostart.png)
If the service `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
**Change the Windows Defender ATP service startup type from the command line:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc config sense start=auto
```
3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
```text
sc qc sense
```
**Check the Windows Defender ATP service is running from the command line:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc query sense
```
If the service is running, the result should look like the following screenshot:
![Result of the sc query sense command](images/sc-query-sense-running.png)
If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
**Start the Windows Defender ATP service from the command line:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc start sense
```
3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
```text
sc qc sense
```
### Ensure the telemetry and diagnostics service is enabled
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
### Ensure the service is set to start
**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc qc diagtrack
```
If the service is enabled, then the result should look like the following screenshot:
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc config diagtrack start=auto
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```text
sc qc diagtrack
```
**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service startup type**:
1. Open the services console:
a. Click **Start** and type **services**.
b. Press **Enter** to open the console.
2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
3. Check the **Startup type** column - the service should be set as **Automatic**.
If the startup type is not set to **Automatic**, you'll need to change it so the service starts when the endpoint does.
**Use the Windows Services console to set the Windows 10 telemetry and diagnostics service to automatically start:**
1. Open the services console:
a. Click **Start** and type **services**.
b. Press **Enter** to open the console.
2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
3. Right-click on the entry and click **Properties**.
4. On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK.
![Select Automatic to change the startup type in the Properties dialog box for the service](images/windefatp-utc-console-autostart.png)
### Ensure the service is running
**Use the command line to check the Windows 10 telemetry and diagnostics service is running**:
1. Open an elevated command-line prompt on the endpoint:
a. **Go to **Start** and type **cmd**.**
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc query diagtrack
```
If the service is running, the result should look like the following screenshot:
![Result of the sc query command for sc query diagtrack](images/windefatp-sc-query-diagtrack.png)
If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
**Use the command line to start the Windows 10 telemetry and diagnostics service:**
1. Open an elevated command-line prompt on the endpoint:
a. **Go to **Start** and type **cmd**.**
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc start diagtrack
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```text
sc query diagtrack
```
**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service is running**:
1. Open the services console:
a. Click **Start** and type **services**.
b. Press **Enter** to open the console.
2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
3. Check the **Status** column - the service should be marked as **Running**.
If the service is not running, you'll need to start it.
**Use the Windows Services console to start the Windows 10 telemetry and diagnostics service:**
1. Open the services console:
a. Click **Start** and type **services**.
b. Press **Enter** to open the console.
2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
3. Right-click on the entry and click **Start**, as shown in the following image.
![Select Start to start the service](images/windef-utc-console-start.png)
### Ensure the endpoint has an Internet connection
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
<!--
## Cyber events are not showing up on the portal and logs show event ID 28
If you don't see cyber events in the portal and checking the logs show the event that states _Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed_, you'll need to make sure that the diagnostics service is enabled and running. For more information on how to check, see [Ensure the service is running](#ensure-the-service-is-running).
-->
<!--
## There are no users in the Azure Active Directory
If you don't see any users in the [Azure Management Portal](https://manage.windowsazure.com/) during the service onboarding stage, you might need to add users to the directory first.
1. Go to the Azure Management Portal and select the directory you want to manage.
2. Click **Users** from the top menu bar.
![Example Azure Management Portal organization](images/contoso-users.png)
3. Click **Add user** from the menu bar at the bottom.
![Add user menu](images/add-user.png)
4. Select the type of user and enter their details. There might be multiple steps in the **Add user** dialog box depending on the type of user. When you're done, click **Complete** ![Check icon](images/check-icon.png) or **OK**.
5. Continue to add users. They will now appear in the **Users** section of the **Windows ATP Service** application. You must assign the user a role before they can access the [Windows Defender ATP portal](https://securitycenter.windows.com/).
## The Windows Defender ATP app doesn't appear in the Azure Management Portal
If you remove access for all users to the Windows ATP Service application (by clicking Manage access), you will not see the application in the list of applications in your directory in the [Azure Management Portal](https://manage.windowsazure.com/).
Log in to the application in the Azure Management Portal again:
1. Sign in to the [Windows Defender ATP portal](https://securitycenter.windows.com/) with the user account you want to give access to.
2. Confirm that you have signed in with the correct details, and click **Accept**.
3. Go to the [Azure Management Portal](https://manage.windowsazure.com/) and navigate to your directory. You will see the **Windows ATP Service** application in the **Applications** section again.
-->
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
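Review bot: this deletion removes the whole "Ensure the Windows Defender ATP service is enabled" section (`sc qc sense`, `sc config sense start=auto`, `sc query sense`, `sc start sense`) together with the Services-console procedures and the "Ensure the service is running" subsection for diagtrack, but the verification list earlier in this page still links to `#Ensure-that-the-Windows-Defender-ATP-service-is-enabled`, and the commented-out "Cyber events" section linked to `#ensure-the-service-is-running`. New-file lines 220 to 303 are not shown in this diff, so confirm the sense section was relocated rather than dropped, and that no remaining link targets the removed Services-console steps. If it was relocated, the deleted `sc config sense start=auto` line has the same missing-space problem as the diagtrack one (sc.exe expects `start= auto`), so make sure the moved copy is corrected. Dropping the two `<!-- -->` blocks for the Azure Management Portal user and application issues is fine for this topic, as neither concerns endpoint onboarding.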