question

Chned-6770 asked azure-cxp-api edited

Intune - Devices reported as without ATP-sensor

So we activated Defender ATP within Intune and connected it with Microsoft Defender Security Center:

29124-atp.png


I can see the devices at https://securitycenter.windows.com/machines

29135-atp2.png


But Intune reports them as devices without ATP-sensor:

29108-atp3.png


Also Defender Security Center states: "Device not found in Azure ATP"


I don't know why this is, because I made a Device configuration profile for onboarding the devices in ATP:

29144-onboarsd.png


I looked at the SENSE log at Microsoft-Windows-SENSE/Operational, but don't see any errors there:

29173-image.png


Only informational entries:

29163-info.png





Does anyone know where to look for now?


Hi, we are looking into this issue and will update you shortly!

0 Votes 0 ·
Chned-6770 answered Chned-6770 commented

By the way, the following setting is enabled within Intune:

29109-setting.png




@Chned-6770, From your description, I know we configure the Device Configuration profile to onboard the devices in ATP. But it is not working. If there's any misunderstanding, feel free to let us know.

From the Intune side, we can check the affected Device configuration profile and click Device status to see if the profile is applied successfully on these two devices. Meanwhile, please click "devices without ATP-sensor" and see what the detailed status is.

Please check the above information and if there's anything unclear, feel free to let us know.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·

For these 2 devices I always see the following Error for System account? I assume this sensor isn't relying on any account?


29349-1.png


Below is the Error information

29290-2.png


Following is what I see after choosing "List of devices without ATP sensor"

29337-3.png


0 Votes 0 ·
vipulsparsh-MSFT answered

@Chned-6770 Can you confirm whether the device configuration profile was created before establishing the connection? If we do that, the package file needs to be uploaded separately. Also try targeting the Device Config policy at the Device Group, as the evaluation is done in Device context. That way you would not see different UPNs and system accounts.

Chned-6770 answered Crystal-MSFT commented

This current profile was created AFTER making the Microsoft Intune connection in Microsoft Defender Security Center. I then chose "Create a device configuration profile to configure ATP sensor" at the bottom of the "Microsoft Defender ATP" page.
This profile is assigned to two groups and the Members in those groups are only those Devices.



29407-profile.png




@Chned-6770, For the error code 0x87d1fde8, based on my research, the possible cause seems to be that onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. We can see more details in the following link:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#microsoft-intune-error-codes-and-oma-uris

From your description in the previous reply, it seems there's no error in the Windows-SENSE log. Given the situation, we suggest opening a case to look into more logs to troubleshoot it.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support

Thanks for the understanding and have a nice day!

0 Votes 0 ·
Chned-6770 answered Crystal-MSFT commented

So here we go... I just deleted this onboarding device configuration profile again (for the 3rd time, as a last effort) and made it again (just the same way as I did this before) and now it is working! It's a really simple profile and you can't really mess up anything here..

Very strange/buggy behaviour here..


@Chned-6770, Thanks for the update. I am glad that it is working now. From the phenomenon, the device configuration profile is applied successfully, but the status is not changed. I guess it may have some synchronization issue in the background. If we face such an issue in the future, opening a case to check the logs in the background may help to find more information.

Thanks again for your time and have a nice day!

0 Votes 0 ·

Unfortunately it isn't working consistently; I wiped the devices again (for testing purposes) and after enrollment it isn't working anymore.... Same settings et cetera..

The SENSE log still doesn't show any errors:

30894-3.png






But I do see the errors with "System account":


30809-1.png


30932-2.png


0 Votes 0 ·

@Chned-6770, As far as I know, some settings in a device configuration profile can only be applied to the user logged in to the device. Could you confirm if the error was there with the system account when it was working before?

0 Votes 0 ·
Chned-6770 answered Crystal-MSFT commented

Unfortunately, like I said: the device got wiped already so I can't see those logs anymore..

Problem is that ATP-sensor doesn't work anymore. What could be the cause?


@Chned-6770, If so, we suggest opening a case with Microsoft to check the logs in the background to know more.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/get-support

0 Votes 0 ·

What logs are you aiming for?

0 Votes 0 ·

@Chned-6770, For the logs on the client side, we can enroll the device into Intune, collect the MDM Diagnostic log and event log, and provide them to a Microsoft support engineer to analyze. For the Intune-side background log, only a support engineer can check.

Thanks for the understanding and have a nice day!

0 Votes 0 ·
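A client-side check of the points this thread keeps returning to (sensor service, onboarding state, SENSE and MDM event logs), as an added example that is not part of the original thread or Microsoft's own tooling. It assumes the documented `Sense` and `DiagTrack` service names, the onboarding status registry key and the MDM diagnostics Admin channel name, none of which appear in the posts above; run it in an elevated PowerShell session on the enrolled device.

```powershell
# Added example: local Defender ATP onboarding triage on a Windows 10 client.
# Assumptions (not from the thread): service names, registry path, MDM Admin channel.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$senseLog  = 'Microsoft-Windows-SENSE/Operational'
$mdmLog    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-ServiceState([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
}

function Get-OnboardingState {
    # OnboardingState = 1 means the sensor accepted the onboarding blob.
    $p = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.OnboardingState) { return 'Missing' }
    return [int]$p.OnboardingState
}

function Get-RecentProblems([string]$LogName, [string]$Pattern = '.') {
    # Level 2 = Error, 3 = Warning; look back 7 days, newest first.
    $filter = @{ LogName = $LogName; Level = 2, 3; StartTime = (Get-Date).AddDays(-7) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object -First 10 -Property TimeCreated, Id, LevelDisplayName, Message
}

$report = [pscustomobject]@{
    SenseService    = Get-ServiceState 'Sense'
    DiagTrack       = Get-ServiceState 'DiagTrack'
    OnboardingState = Get-OnboardingState
    SenseProblems   = @(Get-RecentProblems $senseLog)
    MdmAtpProblems  = @(Get-RecentProblems $mdmLog 'WindowsAdvancedThreatProtection')
}
$report | Format-List SenseService, DiagTrack, OnboardingState

if ($report.OnboardingState -ne 1) {
    'Onboarding blob not applied on this device: check the profile assignment and MDM events.'
    $report.MdmAtpProblems | Format-List
} elseif ($report.SenseService -ne 'Running' -or $report.DiagTrack -ne 'Running') {
    'Onboarded, but a required service is not running.'
} elseif ($report.SenseProblems.Count -gt 0) {
    'Sensor is running but logged warnings or errors in the last 7 days:'
    $report.SenseProblems | Format-List
} else {
    'Device looks onboarded locally; a remaining mismatch is on the portal or reporting side.'
}
```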
Chned-6770 answered Crystal-MSFT edited

In the MDM Diagnostic Report I can't find anything related to "onboard" or "onboarding".

At the event log under Applications and Services Logs\Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider I didn't find anything related to "onboarding" or "WindowsAdvancedThreatProtection".

Also I logged on with a local admin account on this device and now I see the status on the Device configuration profile for the Defender Onboarding change to succeeded:
33688-atp.png


Also the ATP-sensor seems to be working now!

33610-atp2.png

But https://securitycenter.windows.com still shows:

33657-atp3.png




Additional question: It shouldn't be required to log on with a local account to have the security on these Win10 devices activated in the right way, right?? I can't let this ship to our end-users this way.



@Chned-6770, Thanks for the update. From your description, it seems "Device with ATP sensor" shows 1 device but it is not onboarding on the ATP portal. Here, we suggest signing out of the local account and signing in with the Azure AD account, then waiting some time to see if the device will be onboarded into the ATP portal.

For the policy to local account, I notice the policy is assigned to two groups. Could you make a description of the two groups?

0 Votes 0 ·
Chned-6770 answered Crystal-MSFT commented

Strange, because I do see other details like (see screenshot below).

About the policy groups: these are 2 Azure Cloud Security groups. This particular device is a Direct member of one of these groups. Only Win10 Devices are assigned in the groups.



33817-1.png




@Chned-6770, Thanks for the reply. From the picture you provided, it seems there's information in "Azure ATP alerts" but it shows "Device not found in Azure AD". It seems to be strange. Here, we suggest to contact ATP support to know it better.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/contact-support

In addition, I notice there's a tab named "Device details". Could you confirm if our device is there?

For the group assigned with Intune policy, I notice it is device group. Could you change to user group and see if the result will be different?


0 Votes 0 ·

In Device details I see the correct details for this device.

For the group question: it should be a device group right?

0 Votes 0 ·

@Chned-6770, Thanks for the reply. From your description, I know our device is under device details, it seems the device is onboarded successfully.

For the group setting, based on our testing, when the Microsoft Defender ATP client configuration package type is applied to the device group, it will be applied to all users, including local users. In our official article, I didn't find that the policy is limited to device groups. So we suggest applying this policy to a user group to see if the status under "Device with ATP sensor" shows correctly without a local user logging in.

Thanks and I look forward to your reply.

0 Votes 0 ·
Chned-6770 answered

I assigned the configuration profile for onboarding Defender to all users group, but I see the same error. SENSE-log shows no errors. No ATP-sensor active.

34496-1.png


34516-2.png


34427-3.png


34475-4.png



Chned-6770 answered

The above response was too quick; it is working now that the onboarding profile is assigned to the All users group! After the adjustment I enrolled a device too soon, I guess.

Only thing is that https://securitycenter.windows.com/ still shows: "Device not found in Azure ATP"

Crystal-MSFT answered

@Chned-6770, Thanks for the update. I am glad to hear that the onboarding is working well now. Congratulations! For the issue in security center, we are not familiar with this. To better help on this, we suggest contacting the Windows security support:
https://docs.microsoft.com/en-us/answers/topics/windows-10-security.html

Thanks for the understanding.
