---
title: Review events and errors using Event Viewer
description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Microsoft Defender ATP service.
keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender Advanced Threat Protection service, cannot start, broken, can't start
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 05/21/2018
---
# Review events and errors using Event Viewer

Applies to:

- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can review event IDs in the Event Viewer on individual machines.
For example, if machines are not appearing in the Machines list, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps.
> **Note:** It can take several days for machines to begin reporting to the Microsoft Defender ATP service.
Open Event Viewer and find the Microsoft Defender ATP service event log:

1. Click Start on the Windows menu, type Event Viewer, and press Enter.

2. In the log list, under Log Summary, scroll until you see Microsoft-Windows-SENSE/Operational. Double-click the item to open the log.

   a. You can also access the log by expanding Applications and Services Logs > Microsoft > Windows > SENSE and clicking Operational.

   > **Note:** SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.

3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
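The same log can be read from PowerShell, which is more practical when you need to check many machines or keep a record. The following is an added example (not code from the original article or from the Microsoft Defender ATP product): it opens the Microsoft-Windows-SENSE/Operational log named in the steps above with `Get-WinEvent`, reports when the log is missing, and shows the per-event "variable" values (version, URL, failure code) that the messages in the table below refer to. The `-MaxEvents` value and the seven-day window are arbitrary choices for the example.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the machine being checked.

$logName = 'Microsoft-Windows-SENSE/Operational'

# The log is only registered once the sensor (SENSE) is installed. If it cannot be
# listed, the product is not installed on this machine or the log was removed.
try {
    $log = Get-WinEvent -ListLog $logName -ErrorAction Stop
} catch {
    Write-Warning "Log '$logName' not found: the SENSE sensor is not installed on this machine."
    return
}
"{0}: {1} records, enabled={2}, max size={3} bytes" -f $log.LogName, $log.RecordCount, $log.IsEnabled, $log.MaximumSizeInBytes

# Newest 50 events. Each message's 'variable' (version, URL, failure code, error
# description) is carried in the event's positional properties, so list those
# next to the rendered message to make the failure code easy to read off.
Get-WinEvent -LogName $logName -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Variables'; e = { ($_.Properties | ForEach-Object { $_.Value }) -join ' | ' } },
        Message |
    Format-Table -AutoSize -Wrap

# Errors and warnings only (Level 2 = Error, 3 = Warning), last seven days.
# FilterHashtable is evaluated by the event log service, so it stays fast on large logs.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated } }
```

If a machine is not appearing in the Machines list, the error/warning summary at the end is the quickest way to see which rows of the table below apply; `-ErrorAction SilentlyContinue` is needed because `Get-WinEvent` reports an error, rather than an empty result, when no events match a filter.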
Event ID | Message | Description | Action |
---|---|---|---|
1 | Microsoft Defender Advanced Threat Protection service started (Version variable). | Occurs during system start up, shut down, and during onboarding. | Normal operating notification; no action required. |
2 | Microsoft Defender Advanced Threat Protection service shutdown. | Occurs when the machine is shut down or offboarded. | Normal operating notification; no action required. |
3 | Microsoft Defender Advanced Threat Protection service failed to start. Failure code: variable. | Service did not start. | Review other messages to determine possible cause and troubleshooting steps. |
4 | Microsoft Defender Advanced Threat Protection service contacted the server at variable. | Variable = URL of the Microsoft Defender ATP processing servers. This URL will match that seen in the Firewall or network activity. | Normal operating notification; no action required. |
5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at variable. | Variable = URL of the Microsoft Defender ATP processing servers. The service could not contact the external processing servers at that URL. | Check the connection to the URL. See Configure proxy and Internet connectivity. |
6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. | The machine did not onboard correctly and will not be reporting to the portal. | Onboarding must be run before starting the service. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: variable. | Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal. | Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
8 | Microsoft Defender Advanced Threat Protection service failed to clean its configuration. Failure code: variable. | During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues. During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. | Onboarding: No action required. Offboarding: Reboot the system. See Onboard Windows 10 machines. |
9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable. | During onboarding: The machine did not onboard correctly and will not be reporting to the portal. During offboarding: Failed to change the service start type. The offboarding process continues. | Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable. | The machine did not onboard correctly and will not be reporting to the portal. | Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
11 | Onboarding or re-onboarding of Microsoft Defender Advanced Threat Protection service completed. | The machine onboarded correctly. | Normal operating notification; no action required. It may take several hours for the machine to appear in the portal. |
12 | Microsoft Defender Advanced Threat Protection failed to apply the default configuration. | Service was unable to apply the default configuration. | This error should resolve after a short period of time. |
13 | Microsoft Defender Advanced Threat Protection machine ID calculated: variable. | Normal operating process. | Normal operating notification; no action required. |
15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: variable. | Variable = URL of the Microsoft Defender ATP processing servers. The service could not contact the external processing servers at that URL. | Check the connection to the URL. See Configure proxy and Internet connectivity. |
17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable. | An error occurred with the Windows telemetry service. | Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
18 | OOBE (Windows Welcome) is completed. | Service will only start after any Windows updates have finished installing. | Normal operating notification; no action required. |
19 | OOBE (Windows Welcome) has not yet completed. | Service will only start after any Windows updates have finished installing. | Normal operating notification; no action required. If this error persists after a system restart, ensure all Windows updates have fully installed. |
20 | Cannot wait for OOBE (Windows Welcome) to complete. Failure code: variable. | Internal error. | If this error persists after a system restart, ensure all Windows updates have fully installed. |
25 | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable. | The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. | Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
26 | Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: variable. | The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. | Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
27 | Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: variable. | Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. | Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. Ensure real-time antimalware protection is running properly. |
28 | Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: variable. | An error occurred with the Windows telemetry service. | Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | This event occurs when the system can't read the offboarding parameters. | Ensure the machine has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired. |
30 | Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: variable. | Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. | Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. Ensure real-time antimalware protection is running properly. |
31 | Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: variable. | An error occurred with the Windows telemetry service during offboarding. The offboarding process continues. | Check for errors with the Windows telemetry service. |
32 | Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1 | An error occurred during offboarding. | Reboot the machine. |
33 | Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: variable. | A unique identifier is used to represent each machine that is reporting to the portal. If the identifier does not persist, the same machine might appear twice in the portal. | Check registry permissions on the machine to ensure the service can update the registry. |
34 | Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable. | An error occurred with the Windows telemetry service. | Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines. |
35 | Microsoft Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: variable. | An error occurred with the Windows telemetry service during offboarding. The offboarding process continues. | Check for errors with the Windows diagnostic data service. |
36 | Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: variable. | Registering Microsoft Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully. | Normal operating notification; no action required. |
37 | Microsoft Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4. | The machine has almost used its allocated quota of the current 24-hour window. It's about to be throttled. | Normal operating notification; no action required. |
38 | Network connection is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4. | The machine is using a metered/paid network and will be contacting the server less frequently. | Normal operating notification; no action required. |
39 | Network connection is identified as normal. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4. | The machine is not using a metered/paid connection and will contact the server as usual. | Normal operating notification; no action required. |
40 | Battery state is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2. | The machine has low battery level and will contact the server less frequently. | Normal operating notification; no action required. |
41 | Battery state is identified as normal. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2. | The machine doesn't have low battery level and will contact the server as usual. | Normal operating notification; no action required. |
42 | Microsoft Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4 | Internal error. The service failed to start. | If this error persists, contact Support. |
43 | Microsoft Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5 | Internal error. The service failed to start. | If this error persists, contact Support. |
44 | Offboarding of Microsoft Defender Advanced Threat Protection service completed. | The service was offboarded. | Normal operating notification; no action required. |
45 | Failed to register and to start the event trace session [%1]. Error code: %2 | An error occurred on service startup while creating the ETW session. This caused service start-up failure. | If this error persists, contact Support. |
46 | Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute. | An error occurred on service startup while creating the ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started. | Normal operating notification; no action required. The service will try to start the session every minute. |
47 | Successfully registered and started the event trace session - recovered after previous failed attempts. | This event follows the previous event after the ETW session was successfully started. | Normal operating notification; no action required. |
48 | Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported. | Failed to add a provider to the ETW session. As a result, the provider events aren't reported. | Check the error code. If the error persists, contact Support. |
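The table is easier to apply when the event IDs are grouped by the action they call for. The following is an added example (not code from the original article or from the product): it reads the last seven days of the SENSE log, works out the onboarding state from events 11 and 44, reports whether the most recent connectivity event (4, 5 or 15) was a success, and maps the remaining failure events to the actions in the table. The grouping of IDs under each action follows the table; the Windows service names `Sense` (the sensor service) and `DiagTrack` (the Connected User Experiences and Telemetry service) are assumed here and are not stated on this page.

```powershell
# Added example, not from the original article. Event IDs and actions are taken
# from the table above; the service names 'Sense' and 'DiagTrack' are assumptions.
# Run in an elevated PowerShell session on the machine being checked.

$logName = 'Microsoft-Windows-SENSE/Operational'
$since   = (Get-Date).AddDays(-7)

# Failure event IDs grouped by the action the table prescribes for them.
$triage = [ordered]@{
    'Connectivity: check proxy/Internet access to the server URL'                  = @(5, 15)
    'Onboarding failed: redeploy the onboarding configuration package'             = @(6, 7, 9, 10, 25, 26, 27)
    'Telemetry service (DiagTrack): ensure the diagnostic data service is enabled' = @(17, 28, 34)
    'Telemetry service error during offboarding: check DiagTrack for errors'       = @(31, 35)
    'Offboarding parameters unreadable: check Internet access, rerun offboarding'  = @(29)
    'Offboarding problem: reboot the machine'                                      = @(8, 32)
    'Registry permissions: sensor cannot persist its GUID (duplicate machines)'    = @(33)
    'ETW session/provider failure: contact Support if it persists'                 = @(45, 48)
    'Internal error or service failed to start: contact Support if it persists'    = @(20, 42, 43)
}

$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since } -ErrorAction SilentlyContinue)
"SENSE events in the last 7 days: $($events.Count)"

# Onboarding state: did onboarding complete (11), and was the machine offboarded (44) after that?
$lastOnboard  = $events | Where-Object Id -eq 11 | Sort-Object TimeCreated | Select-Object -Last 1
$lastOffboard = $events | Where-Object Id -eq 44 | Sort-Object TimeCreated | Select-Object -Last 1
if ($lastOffboard -and (-not $lastOnboard -or $lastOffboard.TimeCreated -gt $lastOnboard.TimeCreated)) {
    "[STATE] Offboarded at $($lastOffboard.TimeCreated); the machine will not report to the portal."
} elseif ($lastOnboard) {
    "[STATE] Onboarding completed at $($lastOnboard.TimeCreated); allow several hours before it shows in the portal."
} else {
    "[STATE] No onboarding-completed event (11) in the window; look for 6, 7, 9 or 10 below."
}

# Connectivity: the newest of 4 (contacted server), 5 (failed to connect) and
# 15 (command channel failed) says whether the sensor is reaching the service now.
$lastConn = $events | Where-Object { $_.Id -in 4, 5, 15 } | Sort-Object TimeCreated | Select-Object -Last 1
if ($lastConn) {
    $url     = $lastConn.Properties[0].Value   # the 'variable' in these messages is the server URL
    $verdict = if ($lastConn.Id -eq 4) { 'OK' } else { 'FAILING' }
    "[CONN] $verdict (last event $($lastConn.Id) at $($lastConn.TimeCreated), URL $url)"
}

# Map the failure events to the table's actions, with a count per event ID.
foreach ($entry in $triage.GetEnumerator()) {
    $hits = $events | Where-Object { $entry.Value -contains $_.Id }
    if ($hits) {
        $ids = ($hits | Group-Object Id | ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count }) -join ', '
        "[ACTION] $($entry.Key) (events: $ids)"
    }
}

# Service checks implied by the actions above: the sensor itself and the
# telemetry service it registers with (events 17, 28, 34).
foreach ($svc in 'Sense', 'DiagTrack') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { "[WARN] service '$svc' not found on this machine"; continue }
    '[SVC] {0,-9} status={1} starttype={2}' -f $svc, $s.Status, $s.StartType
}
```

Event 46 is deliberately left out of the action map because the table marks it as self-recovering (the service retries every minute and logs 47 on success); if 46 keeps repeating without a following 47, treat it like 45. The `[STATE]` logic only sees the seven-day window, so on a machine onboarded earlier than that it will report no event 11; widen `$since` before concluding the machine never onboarded.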