DucheminDominique-7551 asked saldana-msft edited

Installation Microsoft Defender Endpoint

Hello,

I have created an Application Deployment for Microsoft Defender Endpoint but apparently it failed...



AppDiscovery.log



Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_75d770f0-437b-4e0f-be0a-8521401f49fd" AND Revision = 1)" AppDiscovery 5/12/2022 9:20:12 PM 4876 (0x130C)
Performing detection of app deployment type Microsoft Defender for Endpoint - Windows Installer (*.msi file)(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_75d770f0-437b-4e0f-be0a-8521401f49fd, revision 1) for system. AppDiscovery 5/12/2022 9:20:12 PM 4876 (0x130C)
+++ MSI application not discovered [MSI Product Code: {7408CCAD-F482-5316-A83E-A83EB073A520}, MSI Product version: ] AppDiscovery 5/12/2022 9:20:12 PM 4876 (0x130C)
+++ Did not detect app deployment type Microsoft Defender for Endpoint - Windows Installer (*.msi file)(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_75d770f0-437b-4e0f-be0a-8521401f49fd, revision 1) for system. AppDiscovery 5/12/2022 9:20:12 PM 4876 (0x130C)
ActionType - Install will use Content Id: Content_ef967186-a197-4bc7-8e42-62f58650a22b + Content Version: 1 for AppDT "Microsoft Defender for Endpoint - Windows Installer (*.msi file)" [ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_75d770f0-437b-4e0f-be0a-8521401f49fd], Revision - 1 AppDiscovery 5/12/2022 9:20:13 PM 4876 (0x130C)
ActionType - Install will use Content Id: Content_ef967186-a197-4bc7-8e42-62f58650a22b + Content Version: 1 for AppDT "Microsoft Defender for Endpoint - Windows Installer (*.msi file)" [ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_75d770f0-437b-4e0f-be0a-8521401f49fd], Revision - 1 AppDiscovery 5/12/2022 9:20:13 PM 4876 (0x130C)



AppEnforce.log


+++ Starting Install enforcement for App DT "Microsoft Defender for Endpoint - Windows Installer (*.msi file)" ApplicationDeliveryType - ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_75d770f0-437b-4e0f-be0a-8521401f49fd, Revision - 1, ContentPath - C:\Windows\ccmcache\z, Execution Context - System AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Performing detection of app deployment type Microsoft Defender for Endpoint - Windows Installer (*.msi file)(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_75d770f0-437b-4e0f-be0a-8521401f49fd, revision 1) for system. AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
+++ MSI application not discovered [MSI Product Code: {7408CCAD-F482-5316-A83E-A83EB073A520}, MSI Product version: ] AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
App enforcement environment:
Context: Machine
Command line: cmd /c Powershell -executionpolicy Bypass -command "& {. .\Install.ps1 -OnboardingScript ".\WindowsDefenderATPOnboardingScript.CMD"}"
Allow user interaction: No
UI mode: 0
User token: null
Session Id: 2
Content path: C:\Windows\ccmcache\z
Working directory: AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Prepared working directory: C:\Windows\ccmcache\z AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Found executable file cmd with complete path C:\Windows\system32\cmd.exe AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Prepared command line: "C:\Windows\system32\cmd.exe" /c Powershell -executionpolicy Bypass -command "& {. .\Install.ps1 -OnboardingScript ".\WindowsDefenderATPOnboardingScript.CMD"}" AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Executing Command line: "C:\Windows\system32\cmd.exe" /c Powershell -executionpolicy Bypass -command "& {. .\Install.ps1 -OnboardingScript ".\WindowsDefenderATPOnboardingScript.CMD"}" with user context AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Working directory C:\Windows\ccmcache\z AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Post install behavior is BasedOnExitCode AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Waiting for process 7152 to finish. Timeout = 120 minutes. AppEnforce 5/12/2022 9:20:13 PM 4876 (0x130C)
Process 7152 terminated with exitcode: 1 AppEnforce 5/12/2022 9:20:16 PM 4876 (0x130C)
Looking for exit code 1 in exit codes table... AppEnforce 5/12/2022 9:20:16 PM 4876 (0x130C)
Unmatched exit code (1) is considered an execution failure. AppEnforce 5/12/2022 9:20:16 PM 4876 (0x130C)
++++++ App enforcement completed (2 seconds) for App DT "Microsoft Defender for Endpoint - Windows Installer (*.msi file)" [ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_75d770f0-437b-4e0f-be0a-8521401f49fd], Revision: 1, User SID: ] ++++++ AppEnforce 5/12/2022 9:20:16 PM 4876 (0x130C)



I used the command line to install it manually and it works... Not sure what is failing when deployed with Configuration Manager...

Any idea?

Thanks,
Dom




  1. Correction in the script to force to use TLS 1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $osVersion = Get-OSVersion

  2. Install Windows Defender Features previous to the run of the Script...


Thanks,
Dom

RitaHu-MSFT answered

Hello Dom,

Thanks for your response.

Thanks very much for your feedback. We're glad that the question is solved now. Here's a short summary of the problem; this will help other users to search for useful information more quickly.

Problem/Symptom:
Application Deployment for Microsoft Defender Endpoint failed

Solution/Workaround:
Enabling TLS 1.2 helps to resolve the issue

Reference script to enable TLS 1.2:
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $osVersion = Get-OSVersion

I believe it will be helpful for others who have the same issue :-)

Best regards,
Rita


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
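
To check whether the TLS context differs between the manual run and the Configuration Manager run, the relevant process state can be logged before and after the TLS 1.2 line and the two logs compared. This is an added example, not code from this thread or from Install.ps1; the log path and the function name Get-TlsContext are assumptions.

```powershell
# Added example: record the TLS-relevant context of the current PowerShell process.
# Assumption: log location; pick any path the installing account can write to.
$LogPath = Join-Path $env:windir 'Temp\MdeInstall-TlsContext.log'

function Get-TlsContext {
    # .NET Framework 4.x TLS switches. A 32-bit process reading the first key is
    # redirected to the WOW6432Node view, which is why bitness is recorded too.
    $netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $switches = foreach ($key in $netKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        '{0}: SchUseStrongCrypto={1} SystemDefaultTlsVersions={2}' -f `
            $key, $p.SchUseStrongCrypto, $p.SystemDefaultTlsVersions
    }
    [pscustomobject]@{
        Time             = Get-Date -Format s
        RunningAs        = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        Is64BitProcess   = [Environment]::Is64BitProcess
        PSVersion        = $PSVersionTable.PSVersion.ToString()
        SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol.ToString()
        DotNetSwitches   = $switches -join '; '
    }
}

# State the process starts with (differs per account, bitness and .NET settings)
$before = Get-TlsContext

# The fix from this thread: pin this process to TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# State after the fix; SecurityProtocol should now read Tls12
$after = Get-TlsContext

# Append both snapshots so the manual run and the deployed run can be compared
$before, $after | Format-List | Out-String | Add-Content -Path $LogPath
```

Run it once interactively and once through the deployment, then compare the RunningAs, Is64BitProcess and SecurityProtocol values in the two log entries.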

RitaHu-MSFT answered RitaHu-MSFT edited

Hello Dom,

Thanks for your posting on Q&A.

"I used the command line to install it manually and it works..."

I don't know which account you actually used to simulate the installation manually. Perhaps the local administrator or the current account. As far as I know, we use the System account to install the applications and packages deployed by MECM. In order to rule out mistakes in the command lines, please try to follow the steps below to use the System account to install the application.

1. Download and extract the PsExec.exe
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

2. Run the psexec -s -i powershell.exe or psexec -s -i cmd.exe command to run the remote process under the System account. Then we could try to install the application using the System account on a test computer and confirm whether the command lines are correct.

Hope the above will be helpful.

Best regards,
Rita

DucheminDominique-7551 answered DucheminDominique-7551 edited

Hello Rita,

Thank you, we could not use psexec as it is blocked by the company policy.
But I find the execution working after forcing it to use TLS 1.2:
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $osVersion = Get-OSVersion

Thanks,
Dom
