Troubleshoot Microsoft Defender for Endpoint onboarding issues

Applies to:

You might need to troubleshoot the Microsoft Defender for Endpoint onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools, and common errors that might occur on the devices.

Troubleshoot issues with onboarding tools

If you have completed the onboarding process and don't see devices in the Devices list after an hour, it might indicate an onboarding or connectivity problem.

Troubleshoot onboarding when deploying with Group Policy

Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate whether the deployment has succeeded.

If you have completed the onboarding process and don't see devices in the Devices list after an hour, you can check the output of the script on the devices. For more information, see Troubleshoot onboarding when deploying with a script.

If the script completes successfully, see Troubleshoot onboarding issues on the devices for additional errors that might occur.

Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager

When onboarding devices using the following versions of Configuration Manager:

  • Microsoft Endpoint Configuration Manager
  • System Center 2012 Configuration Manager
  • System Center 2012 R2 Configuration Manager

Deployment with the above versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager console.

If the deployment fails, you can check the output of the script on the devices.

If the onboarding completed successfully but the devices are not showing up in the Devices list after an hour, see Troubleshoot onboarding issues on the device for additional errors that might occur.

Troubleshoot onboarding when deploying with a script

Check the result of the script on the device:

  1. Click Start, type Event Viewer, and press Enter.

  2. Go to Windows Logs > Application.

  3. Look for an event from the WDATPOnboarding event source.

If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.

Note

The following event IDs are specific to the onboarding script only.

Event ID 5: Offboarding data was found but couldn't be deleted
  Resolution steps: Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.

Event ID 10: Onboarding data couldn't be written to the registry
  Resolution steps: Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. Verify that the script has been run as an administrator.

Event ID 15: Failed to start SENSE service
  Resolution steps: Check the service health (sc query sense command). Make sure it's not in an intermediate state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with administrator rights).

  If the device is running Windows 10, version 1607 and running the command sc query sense returns START_PENDING, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.

Event ID 15: Failed to start SENSE service
  Resolution steps: If the error message is "System error 577" or "error 1058 has occurred", you need to enable the Microsoft Defender Antivirus ELAM driver; see Ensure that Microsoft Defender Antivirus is not disabled by a policy for instructions.

Event ID 30: The script failed to wait for the service to start running
  Resolution steps: The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see Review events and errors using Event Viewer.

Event ID 35: The script failed to find the needed onboarding status registry value
  Resolution steps: When the SENSE service starts for the first time, it writes the onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script failed to find it after several seconds. You can manually test it and check whether it's there. For more information on events and errors related to SENSE, see Review events and errors using Event Viewer.

Event ID 40: SENSE service onboarding status is not set to 1
  Resolution steps: The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see Review events and errors using Event Viewer.

Event ID 65: Insufficient privileges
  Resolution steps: Run the script again with administrator privileges.

Troubleshoot onboarding issues using Microsoft Intune

You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.

If you have configured policies in Intune and they are not propagated to devices, you might need to configure automatic MDM enrollment.

Use the following tables to understand the possible causes of issues while onboarding:

  • Microsoft Intune error codes and OMA-URIs table
  • Known issues with non-compliance table
  • Mobile Device Management (MDM) event logs table

If none of the event logs and troubleshooting steps work, download the Local script from the Device management section of the portal, and run it in an elevated command prompt.

Microsoft Intune error codes and OMA-URIs

Error code 0x87D1FDE8 (decimal -2016281112): Remediation failed

  OMA-URI: Onboarding, Offboarding
  Possible cause: Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
  Troubleshooting steps: Check the event IDs in the View agent onboarding errors in the device event log section. Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in Windows 10.

  OMA-URI: Onboarding, Offboarding, SampleSharing
  Possible cause: The Microsoft Defender for Endpoint Policy registry key does not exist or the OMA DM client doesn't have permission to write to it.
  Troubleshooting steps: Ensure that the following registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. If it doesn't exist, open an elevated command prompt and add the key.

  OMA-URI: SenseIsRunning, OnboardingState, OrgId
  Possible cause: An attempt to remediate by a read-only property. Onboarding has failed.
  Troubleshooting steps: Check the troubleshooting steps in Troubleshoot onboarding issues on the device. Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in Windows 10.

  OMA-URI: All
  Possible cause: Attempt to deploy Microsoft Defender for Endpoint on a non-supported SKU/platform, particularly the Holographic SKU. Currently supported platforms: Enterprise, Education, and Professional. Server is not supported.

Error code 0x87D101A9 (decimal -2016345687): SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient.

  OMA-URI: All
  Possible cause: Attempt to deploy Microsoft Defender for Endpoint on a non-supported SKU/platform, particularly the Holographic SKU. Currently supported platforms: Enterprise, Education, and Professional.

Known issues with non-compliance

The following table provides information on issues with non-compliance and how you can address them.

Case 1
  Symptoms: Device is compliant by the SenseIsRunning OMA-URI, but is non-compliant by the OrgId, Onboarding and OnboardingState OMA-URIs.
  Possible cause: Check that the user passed OOBE after Windows installation or upgrade. During OOBE, onboarding couldn't be completed but SENSE is already running.
  Troubleshooting steps: Wait for OOBE to complete.

Case 2
  Symptoms: Device is compliant by the OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by the SenseIsRunning OMA-URI.
  Possible cause: The Sense service's startup type is set to "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when the DM session occurs at system start.
  Troubleshooting steps: The issue should be fixed automatically within 24 hours.

Case 3
  Symptoms: Device is non-compliant.
  Troubleshooting steps: Ensure that Onboarding and Offboarding policies are not deployed on the same device at the same time.

Mobile Device Management (MDM) event logs

View the MDM event logs to troubleshoot issues that might arise during onboarding:

Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider

Channel name: Admin

Event ID 1819 (Error): Microsoft Defender for Endpoint CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3).
  Troubleshooting steps: Download the Cumulative Update for Windows 10, 1607.

Troubleshoot onboarding issues on the device

If the deployment tool used does not indicate an error in the onboarding process, but devices are still not appearing in the Devices list after an hour, go through the following verification topics to check whether an error occurred with the Microsoft Defender for Endpoint agent.

View agent onboarding errors in the device event log

  1. Click Start, type Event Viewer, and press Enter.

  2. In the Event Viewer (Local) pane, expand Applications and Services Logs > Microsoft > Windows > SENSE.

    Note

    SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.

  3. Select Operational to load the log.

  4. In the Action pane, click Filter Current log.

  5. On the Filter tab, under Event level, select Critical, Warning, and Error, and click OK.

    (Screenshot: Event Viewer log filter)

  6. Events which can indicate issues will appear in the Operational pane. You can attempt to troubleshoot them based on the solutions in the following table:

Event ID 5: Microsoft Defender for Endpoint service failed to connect to the server at variable
  Resolution steps: Ensure the device has Internet access.

Event ID 6: Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found. Failure code: variable
  Resolution steps: Run the onboarding script again.

Event ID 7: Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure code: variable
  Resolution steps: Ensure the device has Internet access, then run the entire onboarding process again.

Event ID 9: Microsoft Defender for Endpoint service failed to change its start type. Failure code: variable
  Resolution steps: If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see Run the onboarding script again. If the event happened during offboarding, contact support.

Event ID 10: Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: variable
  Resolution steps: If the event happened during onboarding, re-attempt running the onboarding script. For more information, see Run the onboarding script again. If the problem persists, contact support.

Event ID 15: Microsoft Defender for Endpoint cannot start command channel with URL: variable
  Resolution steps: Ensure the device has Internet access.

Event ID 17: Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable
  Resolution steps: Run the onboarding script again. If the problem persists, contact support.

Event ID 25: Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: variable
  Resolution steps: Contact support.

Event ID 27: Failed to enable Microsoft Defender for Endpoint mode in Windows Defender. Onboarding process failed. Failure code: variable
  Resolution steps: Contact support.

Event ID 29: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
  Resolution steps: Ensure the device has Internet access, then run the entire offboarding process again.

Event ID 30: Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender for Endpoint. Failure code: %1
  Resolution steps: Contact support.

Event ID 32: $(build.sense.productDisplayName) service failed to request to stop itself after the offboarding process. Failure code: %1
  Resolution steps: Verify that the service start type is manual and reboot the device.

Event ID 55: Failed to create the Secure ETW autologger. Failure code: %1
  Resolution steps: Reboot the device.

Event ID 63: Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4
  Resolution steps: Identify what is causing changes in the start type of the mentioned service. If the exit code is not 0, fix the start type manually to the expected start type.

Event ID 64: Starting stopped external service. Name: %1, exit code: %2
  Resolution steps: Contact support if the event keeps reappearing.

Event ID 68: The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3
  Resolution steps: Identify what is causing changes in the start type. Fix the mentioned service start type.

Event ID 69: The service is stopped. Service name: %1
  Resolution steps: Start the mentioned service. Contact support if the problem persists.
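The script-result check (Application log, WDATPOnboarding source) and the SENSE operational-log check above can be collected in one pass and annotated with the resolution steps from the two tables. The following PowerShell is an added example, not Microsoft's own script; it assumes an elevated session on the device and that the SENSE log is named Microsoft-Windows-SENSE/Operational.

```powershell
# Added example (not from the Microsoft docs page): read the onboarding-script
# events and the SENSE sensor events this page tells you to look at, and
# attach the page's resolution hint to each event ID.
# Assumptions: elevated PowerShell on the onboarded device; the log name
# 'Microsoft-Windows-SENSE/Operational' is assumed.

# Event IDs the onboarding script writes to the Application log (source WDATPOnboarding).
$scriptHints = @{
    5  = 'Offboarding data not deleted: check permissions on HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.'
    10 = 'Onboarding data not written: check permissions on the same key and run the script as administrator.'
    15 = 'SENSE failed to start: run "sc query sense"; retry if Pending; on 1607 with START_PENDING reboot or apply KB4015217; error 577/1058 means the ELAM driver is disabled by policy.'
    30 = 'Timed out waiting for SENSE: review Microsoft-Windows-SENSE/Operational for errors.'
    35 = 'Onboarding status value missing under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status: check it manually and review the SENSE log.'
    40 = 'SENSE onboarding status is not 1: SENSE failed to onboard; review the SENSE log.'
    65 = 'Insufficient privileges: run the script again as administrator.'
}

# Event IDs from the SENSE operational log table.
$senseHints = @{
    5  = 'Failed to connect to the service: ensure Internet access.'
    6  = 'No onboarding parameters found: run the onboarding script again.'
    7  = 'Failed to read onboarding parameters: ensure Internet access, then rerun the whole onboarding.'
    9  = 'Failed to change start type: reboot and rerun the script (onboarding); contact support (offboarding).'
    10 = 'Failed to persist onboarding info: rerun the script; contact support if it persists.'
    15 = 'Cannot start command channel: ensure Internet access.'
    17 = 'Failed to change the DiagTrack location: rerun the script; contact support if it persists.'
    25 = 'Failed to reset health status: contact support.'
    27 = 'Failed to enable Defender for Endpoint mode: contact support.'
    29 = 'Failed to read offboarding parameters: ensure Internet access, rerun offboarding.'
    30 = 'Failed to disable Defender for Endpoint mode: contact support.'
    32 = 'Service did not stop after offboarding: set start type to manual and reboot.'
    55 = 'Failed to create the Secure ETW autologger: reboot.'
    63 = 'External service start type changed: find the cause; fix the start type if exit code is not 0.'
    64 = 'Starting a stopped external service: contact support if it recurs.'
    68 = 'Unexpected service start type: find the cause and fix the start type.'
    69 = 'Dependent service stopped: start it; contact support if it persists.'
}

function Get-OnboardingFinding {
    param([hashtable]$Filter, [hashtable]$Hints, [string]$Source)
    # Get-WinEvent throws when nothing matches the filter; treat that as "no findings".
    $events = Get-WinEvent -FilterHashtable $Filter -MaxEvents 50 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $hint = if ($Hints.ContainsKey($e.Id)) { $Hints[$e.Id] } else { 'not in the troubleshooting tables' }
        [pscustomobject]@{
            Source  = $Source
            Time    = $e.TimeCreated
            Id      = $e.Id
            Level   = $e.LevelDisplayName
            Message = ($e.Message -split "`n")[0].TrimEnd()
            Hint    = $hint
        }
    }
}

$findings = @(
    Get-OnboardingFinding -Source 'WDATPOnboarding' -Hints $scriptHints `
        -Filter @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' }
    # Critical (1), Error (2) and Warning (3): the same levels the Event Viewer filter above selects.
    Get-OnboardingFinding -Source 'SENSE' -Hints $senseHints `
        -Filter @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 1, 2, 3 }
)

if ($findings.Count -eq 0) {
    'No onboarding-related events found in either log.'
} else {
    $findings | Sort-Object Time -Descending | Format-List Source, Time, Id, Level, Message, Hint
}
```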

There are additional components on the device that the Microsoft Defender for Endpoint agent depends on to function properly. If there are no onboarding-related errors in the Microsoft Defender for Endpoint agent event log, proceed with the following steps to ensure that the additional components are configured correctly.

Ensure the diagnostic data service is enabled

If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to start automatically and is running on the device. The service might have been disabled by other programs or user configuration changes.

First, check that the service is set to start automatically when Windows starts; then check that the service is currently running (and start it if it isn't).

Ensure the service is set to start

Use the command line to check the Windows 10 diagnostic data service startup type:

  1. Open an elevated command-line prompt on the device:

    a. Click Start, type cmd, and press Enter.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

    sc qc diagtrack

    If the service is enabled, then the result should look like the following screenshot:

    (Screenshot: result of the sc qc diagtrack command)

    If the START_TYPE is not set to AUTO_START, then you'll need to set the service to start automatically.

Use the command line to set the Windows 10 diagnostic data service to start automatically:

  1. Open an elevated command-line prompt on the device:

    a. Click Start, type cmd, and press Enter.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command (sc requires the space after the equals sign), and press Enter:

    sc config diagtrack start= auto

  3. A success message is displayed. Verify the change by entering the following command, and press Enter:

    sc qc diagtrack

  4. Start the service.

    a. In the command prompt, type the following command and press Enter:

    sc start diagtrack

Ensure the device has an Internet connection

The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.

WinHTTP is independent of the Internet browsing proxy settings and other user-context applications, and must be able to detect the proxy servers that are available in your particular environment.

To ensure that the sensor has service connectivity, follow the steps described in the Verify client connectivity to Microsoft Defender for Endpoint service URLs topic.

If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in the Configure proxy and Internet connectivity settings topic.

Ensure that Microsoft Defender Antivirus is not disabled by a policy

Important

The following only applies to devices that have not yet received the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.

The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via system policy.

Problem: The Microsoft Defender for Endpoint service does not start after onboarding.

Symptom: Onboarding completes successfully, but you see error 577 or error 1058 when trying to start the service.

Solution: If your devices are running a third-party antimalware client, the Microsoft Defender for Endpoint agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy.

  • Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:

    • DisableAntiSpyware
    • DisableAntiVirus

    For example, in Group Policy there should be no entries such as the following values:

    • <Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>
    • <Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiVirus"/></Key>

Important

The DisableAntiSpyware setting is discontinued and is ignored on all client devices as of the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.

  • After clearing the policy, run the onboarding steps again.

  • You can also check the previous registry key values to verify that the policy is disabled, by opening the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.

    (Screenshot: Microsoft Defender Antivirus registry key)

    Note

    All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system.

    Example default configurations for WdBoot and WdFilter:

    • <Key Path="SYSTEM\CurrentControlSet\Services\WdBoot"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>
    • <Key Path="SYSTEM\CurrentControlSet\Services\WdFilter"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>
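The device-side prerequisites this page checks one at a time (the diagtrack start type and state, the SENSE service state from the script event table, the policy key from the Intune table, the onboarding status under the Status key, and the Defender policy and driver values in this section) can be verified in a single pass. The following PowerShell is an added example, not Microsoft's own tooling; it assumes an elevated PowerShell 5.1 or later session on the device, and that the onboarding status value under the Status key is named OnboardingState (the page names only the key and the OMA-URI).

```powershell
# Added example (not from the Microsoft docs page): one pass over the
# prerequisites this page checks by hand, with the page's own remediations
# behind -Fix. Assumptions: elevated PowerShell 5.1 or later on the device;
# the value name 'OnboardingState' under the ...\Status key is assumed.
param([switch]$Fix)

$findings = @()

# 1. Diagnostic data service (diagtrack): the page requires AUTO_START and running.
$svc = Get-Service -Name diagtrack
if ($svc.StartType -ne 'Automatic') {
    $findings += "diagtrack start type is $($svc.StartType), expected Automatic"
    if ($Fix) { Set-Service -Name diagtrack -StartupType Automatic }   # sc config diagtrack start= auto
}
if ($svc.Status -ne 'Running') {
    $findings += "diagtrack is $($svc.Status), expected Running"
    if ($Fix) { Start-Service -Name diagtrack }                         # sc start diagtrack
}

# 2. SENSE must not be in an intermediate (Pending) state (script event ID 15, 'sc query sense').
$sense = Get-Service -Name sense -ErrorAction SilentlyContinue
if (-not $sense) {
    $findings += 'SENSE service is not installed on this device'
} elseif ("$($sense.Status)" -like '*Pending*') {
    $findings += "SENSE is in intermediate state $($sense.Status); wait or reboot before rerunning the onboarding script"
}

# 3. Policy key the onboarding blob is written to (Intune table): create it if missing.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
if (-not (Test-Path -Path $policyKey)) {
    $findings += "registry key $policyKey is missing"
    if ($Fix) { New-Item -Path $policyKey -Force | Out-Null }
}

# 4. Onboarding status SENSE writes on first start (script event IDs 35 and 40): must be 1.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
if ($state -ne 1) {
    $findings += "OnboardingState under $statusKey is '$state', expected 1 (SENSE has not onboarded)"
}

# 5. Defender AV policy values that keep the ELAM driver off (errors 577 / 1058).
#    Report only: the page says to clear them in the policy tool, not on the device.
$defPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $value = (Get-ItemProperty -Path $defPolicy -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value) {
        $findings += "$name=$value is set under $defPolicy; clear the policy and rerun onboarding"
    }
}

# 6. WdBoot and WdFilter Start values must be at their default of 0 (changing them is unsupported).
foreach ($drv in 'WdBoot', 'WdFilter') {
    $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv" -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -ne 0) {
        $findings += "$drv Start=$start, default is 0"
    }
}

if ($findings.Count -eq 0) {
    'All onboarding prerequisites on this device look correct.'
} else {
    'Findings:'
    $findings | ForEach-Object { "  - $_" }
    if (-not $Fix) { 'Re-run with -Fix to apply the remediations the page allows (diagtrack and the policy key).' }
}
```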

Troubleshoot onboarding issues on a server

If you encounter issues while onboarding a server, go through the following verification steps to address possible issues.

You might also need to check the following:

  • Check that there is a Microsoft Defender for Endpoint Service running in the Processes tab in Task Manager.

  • Check Event Viewer > Applications and Services Logs > Operation Manager to see if there are any errors.

  • In Services, check whether the Microsoft Monitoring Agent is running on the server.

  • In Microsoft Monitoring Agent > Azure Log Analytics (OMS), check the Workspaces and verify that the status is Running.

  • Check that the devices are reflected in the Devices list in the portal.

Confirming onboarding of newly built devices

There may be instances when onboarding is deployed on a newly built device but not completed.

The steps below provide guidance for the following scenario:

  • The onboarding package is deployed to newly built devices
  • The sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
  • The device is turned off or restarted before the end user performs a first logon
  • In this scenario, the SENSE service will not start automatically even though the onboarding package was deployed

Note

The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see Microsoft Defender for Endpoint.

  1. Create an application in Microsoft Endpoint Configuration Manager.

  2. Select Manually specify the application information.

  3. Specify information about the application, then select Next.

  4. Specify information about the software center, then select Next.

  5. In Deployment types, select Add.

  6. Select Manually specify the deployment type information, then select Next.

  7. Specify information about the deployment type, then select Next.

  8. In Content > Installation program, specify the command: net start sense.

  9. In Detection method, select Configure rules to detect the presence of this deployment type, then select Add Clause.

  10. Specify the following detection rule details, then select OK:

    (Screenshot: detection rule details)

  11. In Detection method, select Next.

  12. In User Experience, specify the following information, then select Next:

    (Screenshot: User Experience settings)

  13. In Requirements, select Next.

  14. In Dependencies, select Next.

  15. In Summary, select Next.

  16. In Completion, select Close.

  17. In Deployment types, select Next.

  18. In Summary, select Next.

    The status is then displayed.

  19. In Completion, select Close.

  20. You can now deploy the application by right-clicking the app and selecting Deploy.

  21. In General, select Automatically distribute content for dependencies and Browse.

  22. In Content, select Next.

  23. In Deployment settings, select Next.

  24. In Scheduling, select As soon as possible after the available time, then select Next.

  25. In User experience, select Commit changes at deadline or during a maintenance window (requires restarts), then select Next.

  26. In Alerts, select Next.

  27. In Summary, select Next.

    The status is then displayed.

  28. In Completion, select Close.