Recent Discussions
Convert On-Prem AD Users from Office 365/Azure AD to In-Cloud accounts
Hi We have currently setup a ADConnect Sync to Office 365, this is working well. We would like to start converting Sync'ed accounts in Office 365/Azure AD to "In Cloud" accounts. Can you advise or does anyone know how we might approach this? Or can point to alternative resources? We need to ensure the accounts in Office 365/Azure AD remain active and usable. Much appreciated PaulCybersecurity Month Tech Community Giveaway!
Hey everyone! October is Cybersecurity Month and we wanted to celebrate by giving away some awesome Microsoft Swag to 20 lucky Tech Community members as a thank you for supporting this community. All you must do to enter is share our registration link to your favorite social media platform (Twitter, LinkedIn, Reddit, etc), take a screenshot and post down below for proof, and send an email with the screenshot of your post to bweenig@microsoft.com. At the end of October, we will be selecting 20 responders at random to receive some exclusive Microsoft swag. Good luck and thanks again!Secure Score - Enable conditional access policies to block legacy authentication.
Hi all, it reports me to block legacy authentications for all users, however I have already done so by configuring conditional access; does anyone else have the same report despite the fact that we have already implemented blocking?Failed Downloading Information Protection Policy
We have configured Sensitivity Labels in Office 365 Security and published the Classification Labels. We have installed Azure AIP Unified Labelling client on Desktop. We are unable to see the labels in our Office Apps. We are getting error ' Failed Downloading Information Protection Policy'
Azure ATP Sensor install failing (Updater Service do not start)
Hello All! We try to install the Azure ATP Sensor on a DC, setup wizard is running until this point ...then do some retries for about 3 minutes, during this time the service "Azure Advanced Threat Protection Sensor Updater" is several times on state "starting" und back to not started. Then setup fails with 0x80070643 and do a rollback. In the "Microsoft.Tri.Sensor.Updater-Errors" log, we find this error every 10 seconds during the setup: 2019-12-23 11:27:37.8384 Error CommunicationWebClient+<SendWithRetryAsync>d__8`1 Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.Http.HttpRequestExceptionMessage=7INzM3PVZQKggOiiHcWjqw==StackTrace= at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts) at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count) at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)InnerException=Microsoft.Tri.Infrastructure.ExtendedException: Sanitized exception: [Type=System.Net.WebExceptionMessage=5iiWw0iPCPzCGdZStU4OxA==StackTrace= at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context) at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)InnerException=]] at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count) at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(IRequestWithResponse<TResponse> request) at async Task<TResponse> Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync<TResponse>(IRequestWithResponse<TResponse> request) at async Task Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater.UpdateConfigurationAsync(bool isStarted) at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at new Microsoft.Tri.Sensor.Updater.SensorUpdaterConfigurationUpdater(IConfigurationManager configurationManager, IMetricManager metricManager, ISecretManager secretManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy) at object lambda_method(Closure, object[]) at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate() at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes) at ModuleManager Microsoft.Tri.Sensor.Updater.SensorUpdaterService.CreateModuleManager() at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync() at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args) A proxy is used which allows access to *.atp.azure.com without auth. In proxy logs, we see no block for this server, only successful requests from this DC. There is no indication that 443 would be blocked somewhere else... The AD account which is configured in the ATP portal was checked, domain is given in FQDN there and the password is correct. Any ideas someone?
AIP Scanner - Unable to authenticate and setup Microsoft Azure Information Protection
Hi All, I'm getting stuck in below issues to test AIP Scanner. Error Set-AIPAuthentication : As I worked through below the steps I had faced the following issue and cannot move forward. https://github.com/MicrosoftDocs/Azure-RMSDocs/blob/master/Azure-RMSDocs/deploy-aip-scanner-configure-install.md or https://alberthoitingh.com/2020/07/21/azure-information-protection-scanner-2/ I have done these steps Install Win Server 2019 & SQL Express on VM Workstation. Install AIP Client Install AIP Client on PowerShell and it's running in services.msc Install-AIPScanner -SqlServerInstance AIPSCANNER\SQLEXPRESS -Profile Cluster1 Create AD on premise (GG.COM) and installed AD Connect (Express Setting) to Azure AD (testing.onmicrosoft.com) Create User on premise (aipscanner) role (Administrator) and sync to Azure AD (aipscanner@testing.onmicrosoft.com) and assigned E5 license. Login with GG\aipscanner on Win Server 2019. Get APPID, App Secret, Tenant ID from Azure Portal I tried to get the token run below the command but no ok. $pscreds = Get-Credential "testingtenant101.onmicrosoft.com\aipscanner" Set-AIPAuthentication -AppId "bac7ce5e-7a0b-40da-bb89-888888888" -AppSecret "6192e5b8-afb0-49bc-9a0e-888888888" -TenantId "623c0945-6ee5-42a1-8894-888888888" -DelegatedUser aipscanner@testing.onmicrosoft.com -OnBehalfOf $pscreds I think something wrong in authentication on-premise to azure (-DelegatedUser). Please kindly help me to move forward.
Honeytoken alerts FP
Hi! We do have a lot of "Honeytoken activity" since 23.11.2022 starting in the evening (MET timezone). Normally, in the past this kind of alert only appeared during planed penetration tests and the alert was accurate. But right now, we do have honeytoken activity from around 185 sources (clients) with sam-r queries so far, counting! It seems to be a bug and we will wait for the next releases from Defender for Identity, so far we couldn't find a cause which makes sense that this alert keeps being triggered... (meaning no signs of a real attack, no idea what update or other config changes could have started this behaviour) Maybe someone else experiences the same right now, this is meant as an information... BREncrypt button disappearing from Outlook
Hello, We seem to be having an issue with the Office 365 Office Message Encryption (OME) for a couple of customers. They are properly licensed with Business Premium and AIP Plan 1 and have the latest version of the Office desktop (1812.11126.20196). The button has just disappeared. Recently, it's been upgraded from the previous envelope with red circle to the new lock icon. Yesterday, it is now either grayed out or the tab has completely been removed from the "New" message window in the "Options" section. It was working fine the day before. Not sure if this is related to the recent update of the Office client, but other customers with the same set up are not experiencing this issue. The current affected customers still have the ability to use OWA to use the Protect/Encrypt button or mail flow rules I created for a work around. I have also tried using the Online Repair option, new Outlook profile, and uninstall and reinstall. These do not resolved the issue. Also, they do not have the AIP client software installed. I have not checked this out yet, has the other customers with the same licensing and set up or working as expected.ATA Client on a Server 2019 Domain Controller
We have noticed that when installing the ATA client on a Windows Server 2019 domain controller the Lsass.exe service crashes every 10-25 minutes and causes the server to reboot. We also noticed that when we installed the client on multiple 2019 domain controllers they all have Lsass.exe crash at the same time and they reboot within a few moments of each other.Secure Score "this account is sensitive and cannot be delegated"
Hi In Microsoft Secure Score when selecting the recommended action Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated" and in the Exposed entities tab I only see computer accounts. In the Implementation instructions they only mention user accounts. How do I complete this recommended action and get rid of the computer accounts detected?Azure information protection custom policies not working
Hello, I'm playing around with an Enterprise Mobility + E3 license and security and I was following the next tutorial/document from Microsoft: https://docs.microsoft.com/en-gb/information-protection/get-started/infoprotect-quick-start-tutorial However, after completing every step the following error will pop up when trying to select a custom policy. I have tried creating different policies with different setups in vain: I wonder what else is needed? Thank you.
ATP sensor install fails 0x80070643
I am trying to install ATP sensor to all DCS, Federations, CS, and EntraSync servers. All is well on about 70% of them. However I get this failure on many: During installation, I can see both the ATP service and the ATP update service being created. It looks like the update service keeps trying to start but never succeeds. Then eventually it just fails. I have errors in the logs but Im not sure what the cause is: === Verbose logging started: 10/10/2024 15:54:25 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Users\v-<name>.admin\AppData\Local\Temp\11\{1F707719-5FF8-471B-A9EC-2BDB54E2DEC5}\.be\Azure ATP Sensor Setup.exe === MSI (c) (20:F4) [15:54:25:457]: Resetting cached policy values MSI (c) (20:F4) [15:54:25:457]: Machine policy value 'Debug' is 0 MSI (c) (20:F4) [15:54:25:457]: ******* RunEngine: ******* Product: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi ******* Action: ******* CommandLine: ********** MSI (c) (20:F4) [15:54:25:457]: Client-side and UI is none or basic: Running entire install on the server. MSI (c) (20:F4) [15:54:25:457]: Grabbed execution mutex. MSI (c) (20:F4) [15:54:25:764]: Cloaking enabled. MSI (c) (20:F4) [15:54:25:764]: Attempting to enable all disabled privileges before calling Install on Server MSI (c) (20:F4) [15:54:25:764]: Incrementing counter to disable shutdown. Counter after increment: 0 MSI (s) (D8:54) [15:54:25:811]: Running installation inside multi-package transaction C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi MSI (s) (D8:54) [15:54:25:811]: Grabbed execution mutex. MSI (s) (D8:B8) [15:54:25:827]: Resetting cached policy values MSI (s) (D8:B8) [15:54:25:827]: Machine policy value 'Debug' is 0 MSI (s) (D8:B8) [15:54:25:827]: ******* RunEngine: ******* Product: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi ******* Action: ******* CommandLine: ********** MSI (s) (D8:B8) [15:54:25:842]: Machine policy value 'DisableUserInstalls' is 0 MSI (s) (D8:B8) [15:54:25:875]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 MSI (s) (D8:B8) [15:54:25:875]: SRSetRestorePoint skipped for this transaction. MSI (s) (D8:B8) [15:54:25:890]: File will have security applied from OpCode. MSI (s) (D8:B8) [15:54:26:031]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi' against software restriction policy MSI (s) (D8:B8) [15:54:26:047]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi has a digital signature MSI (s) (D8:B8) [15:54:26:314]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi is permitted to run at the 'unrestricted' authorization level. MSI (s) (D8:B8) [15:54:26:314]: MSCOREE not loaded loading copy from system32 MSI (s) (D8:B8) [15:54:26:360]: End dialog not enabled MSI (s) (D8:B8) [15:54:26:360]: Original package ==> C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi MSI (s) (D8:B8) [15:54:26:360]: Package we're running from ==> C:\windows\Installer\69b9569f.msi MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: Compatibility mode property overrides found. MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: looking for appcompat database entry with ProductCode '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'. MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: no matching ProductCode found in database. MSI (s) (D8:B8) [15:54:26:376]: Machine policy value 'TransformsSecure' is 1 MSI (s) (D8:B8) [15:54:26:376]: Note: 1: 2205 2: 3: MsiFileHash MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisablePatch' is 0 MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'AllowLockdownPatch' is 0 MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableLUAPatching' is 0 MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableFlyWeightPatching' is 0 MSI (s) (D8:B8) [15:54:26:392]: APPCOMPAT: looking for appcompat database entry with ProductCode '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'. MSI (s) (D8:B8) [15:54:26:392]: APPCOMPAT: no matching ProductCode found in database. MSI (s) (D8:B8) [15:54:26:392]: Transforms are not secure. MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2205 2: 3: Control MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\v-<name>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241010155357_000_MsiPackage.log'. MSI (s) (D8:B8) [15:54:26:392]: Command Line: ARPSYSTEMCOMPONENT=1 MSIFASTINSTALL=7 ACCESSKEY=********** DelayedUpdate= InstallationPath=C:\Program Files\Azure Advanced Threat Protection Sensor InstalledVersion= LogsPath= PROXYCONFIGURATION=********** WixBundleOriginalSourceFolder=C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\ REBOOT=ReallySuppress CURRENTDIRECTORY=C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6) CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=1824 MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{8C836763-469E-4773-93EC-0FA1DC250242}'. MSI (s) (D8:B8) [15:54:26:392]: Product Code passed to Engine.Initialize: '' MSI (s) (D8:B8) [15:54:26:392]: Product Code from property table before transforms: '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}' MSI (s) (D8:B8) [15:54:26:392]: Product Code from property table after transforms: '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}' MSI (s) (D8:B8) [15:54:26:392]: Product not registered: beginning first-time install MSI (s) (D8:B8) [15:54:26:392]: Product {3725E0BC-A942-4D76-A0AC-0BF7197CCD26} is not managed. MSI (s) (D8:B8) [15:54:26:392]: MSI_LUA: Credential prompt not required, user is an admin MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'. MSI (s) (D8:B8) [15:54:26:392]: Entering CMsiConfigurationManager::SetLastUsedSource. MSI (s) (D8:B8) [15:54:26:392]: User policy value 'SearchOrder' is 'nmu' MSI (s) (D8:B8) [15:54:26:392]: Adding new sources is allowed. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'. MSI (s) (D8:B8) [15:54:26:392]: Package name extracted from package path: 'Microsoft.Tri.Sensor.Deployment.Package.msi' MSI (s) (D8:B8) [15:54:26:392]: Package to be registered: 'Microsoft.Tri.Sensor.Deployment.Package.msi' MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2262 2: AdminProperties 3: -2147287038 MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableMsi' is 1 MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'AlwaysInstallElevated' is 0 MSI (s) (D8:B8) [15:54:26:392]: User policy value 'AlwaysInstallElevated' is 0 MSI (s) (D8:B8) [15:54:26:392]: Product installation will be elevated because user is admin and product is being installed per-machine. MSI (s) (D8:B8) [15:54:26:392]: Running product '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}' with elevated privileges: Product is assigned. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ARPSYSTEMCOMPONENT property. Its value is '1'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MSIFASTINSTALL property. Its value is '7'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ACCESSKEY property. Its value is '**********'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding INSTALLATIONPATH property. Its value is 'C:\Program Files\Azure Advanced Threat Protection Sensor'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding WIXBUNDLEORIGINALSOURCEFOLDER property. Its value is 'C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'. MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '1824'. MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0 MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is '5d021cc0366c544297f2faf55cf5a598'. MSI (s) (D8:B8) [15:54:26:407]: RESTART MANAGER: Session opened. MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'. MSI (s) (D8:B8) [15:54:26:407]: TRANSFORMS property is now: MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '500'. MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Favorites MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Documents MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Recent MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\SendTo MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Templates MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\ProgramData MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Local MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Pictures MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop MSI (s) (D8:B8) [15:54:26:485]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools MSI (s) (D8:B8) [15:54:26:485]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Desktop MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\windows\Fonts MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16 MSI (s) (D8:B8) [15:54:26:517]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated. MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'. MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'. MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2 MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\windows\Installer\69b9569f.msi'. MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi'. MSI (s) (D8:B8) [15:54:26:517]: Machine policy value 'MsiDisableEmbeddedUI' is 0 MSI (s) (D8:B8) [15:54:26:517]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI MSI (s) (D8:B8) [15:54:26:517]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2205 2: 3: PatchPackage MSI (s) (D8:B8) [15:54:26:517]: Machine policy value 'DisableRollback' is 0 MSI (s) (D8:B8) [15:54:26:517]: User policy value 'DisableRollback' is 0 MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'. MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'. === Logging started: 10/10/2024 15:54:26 === MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 MSI (s) (D8:B8) [15:54:26:517]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes. MSI (s) (D8:B8) [15:54:26:532]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'. MSI (s) (D8:B8) [15:54:26:532]: Doing action: INSTALL MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText Action start 15:54:26: INSTALL. MSI (s) (D8:B8) [15:54:26:532]: Running ExecuteSequence MSI (s) (D8:B8) [15:54:26:532]: Doing action: FindRelatedProducts MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText Action start 15:54:26: FindRelatedProducts. MSI (s) (D8:B8) [15:54:26:532]: Doing action: LaunchConditions MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: FindRelatedProducts. Return value 1. Action start 15:54:26: LaunchConditions. MSI (s) (D8:B8) [15:54:26:532]: Doing action: ValidateProductID MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: LaunchConditions. Return value 1. Action start 15:54:26: ValidateProductID. MSI (s) (D8:B8) [15:54:26:532]: Doing action: CostInitialize MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: ValidateProductID. Return value 1. MSI (s) (D8:B8) [15:54:26:548]: Machine policy value 'MaxPatchCacheSize' is 10 MSI (s) (D8:B8) [15:54:26:548]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'. MSI (s) (D8:B8) [15:54:26:548]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'. MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: Patch MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: PatchPackage MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: MsiPatchHeaders MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: __MsiPatchFileList MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: PatchPackage MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId` MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: Patch Action start 15:54:26: CostInitialize. MSI (s) (D8:B8) [15:54:26:548]: Doing action: FileCost MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: CostInitialize. Return value 1. MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: MsiAssembly Action start 15:54:26: FileCost. MSI (s) (D8:B8) [15:54:26:564]: Doing action: CostFinalize MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: FileCost. Return value 1. MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'. MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'. MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'. MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'. MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'. MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Patch MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Condition MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'. MSI (s) (D8:B8) [15:54:26:564]: Target path resolution complete. Dumping Directory table... MSI (s) (D8:B8) [15:54:26:564]: Note: target paths subject to change (via custom actions or browsing) MSI (s) (D8:B8) [15:54:26:564]: Dir (target): Key: TARGETDIR , Object: C:\ MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'. MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: MsiAssembly MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2228 2: 3: MsiAssembly 4: SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`, `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ? Action start 15:54:26: CostFinalize. MSI (s) (D8:B8) [15:54:26:564]: Doing action: MigrateFeatureStates MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: CostFinalize. Return value 1. Action start 15:54:26: MigrateFeatureStates. MSI (s) (D8:B8) [15:54:26:564]: Doing action: InstallValidate MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: MigrateFeatureStates. Return value 0. MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is '5d021cc0366c544297f2faf55cf5a598'. MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Dialog MSI (s) (D8:B8) [15:54:26:564]: Feature: ProductFeature; Installed: Absent; Request: Local; Action: Local MSI (s) (D8:B8) [15:54:26:564]: Component: ProductComponent; Installed: Absent; Request: Local; Action: Local MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Registry MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: BindImage MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ProgId MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: PublishComponent MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: SelfReg MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Extension MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Font MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Shortcut MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Class MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Icon MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: TypeLib Action start 15:54:26: InstallValidate. MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: _RemoveFilePath MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: MsiFileHash MSI (s) (D8:B8) [15:54:26:579]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'. MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Registry MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: BindImage MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: ProgId MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: PublishComponent MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: SelfReg MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Extension MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Font MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Shortcut MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Class MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Icon MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: TypeLib MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2727 2: MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: FilesInUse MSI (s) (D8:B8) [15:54:26:595]: Note: 1: 2727 2: MSI (s) (D8:B8) [15:54:26:689]: Doing action: InstallInitialize MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: InstallValidate. Return value 1. MSI (s) (D8:B8) [15:54:26:689]: Machine policy value 'AlwaysInstallElevated' is 0 MSI (s) (D8:B8) [15:54:26:689]: User policy value 'AlwaysInstallElevated' is 0 MSI (s) (D8:B8) [15:54:26:689]: BeginTransaction: Locking Server MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 MSI (s) (D8:B8) [15:54:26:689]: SRSetRestorePoint skipped for this transaction. MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038 MSI (s) (D8:B8) [15:54:26:689]: Server not locked: locking for product {3725E0BC-A942-4D76-A0AC-0BF7197CCD26} Action start 15:54:26: InstallInitialize. MSI (s) (D8:B8) [15:54:26:736]: Doing action: InstallCustomAction MSI (s) (D8:B8) [15:54:26:736]: Note: 1: 2205 2: 3: ActionText Action ended 15:54:26: InstallInitialize. Return value 1. MSI (s) (D8:40) [15:54:26:908]: Invoking remote custom action. DLL: C:\windows\Installer\MSI59EB.tmp, Entrypoint: Install MSI (s) (D8:80) [15:54:26:970]: Generating random cookie. MSI (s) (D8:80) [15:54:26:986]: Created Custom Action Server with PID 12308 (0x3014). MSI (s) (D8:74) [15:54:27:227]: Running as a service. MSI (s) (D8:74) [15:54:27:253]: Hello, I'm your 64bit Impersonated custom action server. Action start 15:54:26: InstallCustomAction. SFXCA: Extracting custom action to temporary directory: C:\windows\Installer\MSI59EB.tmp-\ SFXCA: Binding to CLR version v4.0.30319 Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Install 2024-10-10 19:54:38.1970 Debug CustomActions RunActionGroup InstallActionGroup started 2024-10-10 19:54:38.2264 Debug InstallActionGroup Apply started 2024-10-10 19:54:38.2264 Debug CreateDirectoryDeploymentAction Apply started [suppressFailure=False] 2024-10-10 19:54:38.2420 Debug CreateDirectoryDeploymentAction Apply finished 2024-10-10 19:54:38.2420 Debug DownloadMinorDeploymentPackageBytesAction Apply started [suppressFailure=False] 2024-10-10 19:54:41.9326 Debug DownloadMinorDeploymentPackageBytesAction Apply finished 2024-10-10 19:54:41.9482 Debug UnpackDeploymentPackageBytesAction Apply started [suppressFailure=False] 2024-10-10 19:54:47.8276 Debug UnpackDeploymentPackageBytesAction Apply finished 2024-10-10 19:54:47.8427 Debug RunDeployerMajorDeploymentAction Apply started [suppressFailure=False] 2024-10-10 19:54:47.8896 Info RunDeployerMajorDeploymentAction ApplyInternal started [filePath=iK1cVt1Xc4vGwiroM2VEUg== _arguments=T4sYPoIz64FeLb4UnM4vNA==] 2024-10-10 20:00:08.9110 Info RunDeployerMajorDeploymentAction ApplyInternal finished [isSuccessful=False] 2024-10-10 20:00:08.9735 Debug InstallActionGroup Revert started 2024-10-10 20:00:08.9735 Warn InstallActionGroup Revert reverting [rollbackAction=UnpackDeploymentPackageBytesAction index=0 count=3] 2024-10-10 20:00:08.9891 Debug UnpackDeploymentPackageBytesAction Revert started 2024-10-10 20:00:09.1298 Debug UnpackDeploymentPackageBytesAction Revert finished 2024-10-10 20:00:09.1454 Warn InstallActionGroup Revert reverting [rollbackAction=DownloadMinorDeploymentPackageBytesAction index=1 count=3] 2024-10-10 20:00:09.1621 Debug DownloadMinorDeploymentPackageBytesAction Revert started 2024-10-10 20:00:09.1621 Debug DownloadMinorDeploymentPackageBytesAction Revert finished 2024-10-10 20:00:09.1766 Warn InstallActionGroup Revert reverting [rollbackAction=CreateDirectoryDeploymentAction index=2 count=3] 2024-10-10 20:00:09.1766 Debug CreateDirectoryDeploymentAction Revert started 2024-10-10 20:00:09.1766 Debug CreateDirectoryDeploymentAction Revert finished 2024-10-10 20:00:09.2079 Debug InstallActionGroup Revert finished 2024-10-10 20:00:09.2512 Error DeploymentAction Failed to apply InstallActionGroup Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction] at Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(Boolean suppressFailure) at Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(Boolean suppressFailure) at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.RunActionGroup(DeploymentActionGroup deploymentActionGroup, Session session) 2024-10-10 20:00:09.2572 Debug CustomActions RunActionGroup InstallActionGroup finished [result=Failure] CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox) MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 2265 2: 3: -2147287035 MSI (s) (D8:B8) [16:00:09:586]: Machine policy value 'DisableRollback' is 0 MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 Action ended 16:00:09: InstallCustomAction. Return value 3. MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:B8) [16:00:09:586]: No System Restore sequence number for this installation. MSI (s) (D8:B8) [16:00:09:586]: Unlocking Server Action ended 16:00:09: INSTALL. Return value 3. Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2} Property(S): TARGETDIR = C:\ Property(S): ALLUSERS = 1 Property(S): Manufacturer = Microsoft Corporation Property(S): ProductCode = {3725E0BC-A942-4D76-A0AC-0BF7197CCD26} Property(S): ProductLanguage = 1033 Property(S): ProductName = Azure Advanced Threat Protection Sensor Property(S): ProductVersion = 2.240.18288.55492 Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION Property(S): MsiLogFileLocation = C:\Users\v-<name>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241010155357_000_MsiPackage.log Property(S): PackageCode = {8C836763-469E-4773-93EC-0FA1DC250242} Property(S): ProductState = -1 Property(S): PackagecodeChanging = 1 Property(S): ARPSYSTEMCOMPONENT = 1 Property(S): MSIFASTINSTALL = 7 Property(S): ACCESSKEY = ********** Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\ Property(S): REBOOT = ReallySuppress Property(S): CURRENTDIRECTORY = C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6) Property(S): CLIENTUILEVEL = 3 Property(S): MSICLIENTUSESEXTERNALUI = 1 Property(S): CLIENTPROCESSID = 1824 Property(S): MsiSystemRebootPending = 1 Property(S): VersionDatabase = 500 Property(S): VersionMsi = 5.00 Property(S): VersionNT = 603 Property(S): VersionNT64 = 603 Property(S): WindowsBuild = 9600 Property(S): ServicePackLevel = 0 Property(S): ServicePackLevelMinor = 0 Property(S): MsiNTProductType = 3 Property(S): MsiNTSuiteDataCenter = 1 Property(S): WindowsFolder = C:\windows\ Property(S): WindowsVolume = C:\ Property(S): System64Folder = C:\windows\system32\ Property(S): SystemFolder = C:\windows\SysWOW64\ Property(S): RemoteAdminTS = 1 Property(S): TempFolder = C:\Users\v-<name>.admin\AppData\Local\Temp\ Property(S): ProgramFilesFolder = C:\Program Files (x86)\ Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\ Property(S): ProgramFiles64Folder = C:\Program Files\ Property(S): CommonFiles64Folder = C:\Program Files\Common Files\ Property(S): AppDataFolder = C:\Users\v-<name>.admin\AppData\Roaming\ Property(S): FavoritesFolder = C:\Users\v-<name>.admin\Favorites\ Property(S): NetHoodFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ Property(S): PersonalFolder = C:\Users\v-<name>.admin\Documents\ Property(S): PrintHoodFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ Property(S): RecentFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Recent\ Property(S): SendToFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\SendTo\ Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\ Property(S): CommonAppDataFolder = C:\ProgramData\ Property(S): LocalAppDataFolder = C:\Users\v-<name>.admin\AppData\Local\ Property(S): MyPicturesFolder = C:\Users\v-<name>.admin\Pictures\ Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\ Property(S): DesktopFolder = C:\Users\Public\Desktop\ Property(S): FontsFolder = C:\windows\Fonts\ Property(S): GPTSupport = 1 Property(S): OLEAdvtSupport = 1 Property(S): ShellAdvtSupport = 1 Property(S): MsiAMD64 = 6 Property(S): Msix64 = 6 Property(S): Intel = 6 Property(S): PhysicalMemory = 8192 Property(S): VirtualMemory = 4026 Property(S): AdminUser = 1 Property(S): MsiTrueAdminUser = 1 Property(S): LogonUser = v-<name>.admin Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-136610 Property(S): UserLanguageID = 1033 Property(S): ComputerName = AZVDS01 Property(S): SystemLanguageID = 1033 Property(S): ScreenX = 1024 Property(S): ScreenY = 768 Property(S): CaptionHeight = 23 Property(S): BorderTop = 1 Property(S): BorderSide = 1 Property(S): TextHeight = 16 Property(S): TextInternalLeading = 3 Property(S): ColorBits = 32 Property(S): TTCSupport = 1 Property(S): Time = 16:00:09 Property(S): Date = 10/10/2024 Property(S): MsiNetAssemblySupport = 4.8.3761.0 Property(S): MsiWin32AssemblySupport = 6.3.14393.5786 Property(S): RedirectedDllSupport = 2 Property(S): MsiRunningElevated = 1 Property(S): Privileged = 1 Property(S): DATABASE = C:\windows\Installer\69b9569f.msi Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi Property(S): UILevel = 2 Property(S): MsiUISourceResOnly = 1 Property(S): ACTION = INSTALL Property(S): ROOTDRIVE = C:\ Property(S): CostingComplete = 1 Property(S): OutOfDiskSpace = 0 Property(S): OutOfNoRbDiskSpace = 0 Property(S): PrimaryVolumeSpaceAvailable = 0 Property(S): PrimaryVolumeSpaceRequired = 0 Property(S): PrimaryVolumeSpaceRemaining = 0 Property(S): INSTALLLEVEL = 1 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 1708 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708 MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 MSI (s) (D8:B8) [16:00:09:655]: Product: Azure Advanced Threat Protection Sensor -- Installation failed. MSI (s) (D8:B8) [16:00:09:655]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.240.18288.55492. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603. MSI (s) (D8:B8) [16:00:09:670]: Deferring clean up of packages/files, if any exist MSI (s) (D8:B8) [16:00:09:670]: MainEngineThread is returning 1603 MSI (s) (D8:54) [16:00:09:686]: RESTART MANAGER: Session closed. MSI (s) (D8:54) [16:00:09:686]: No System Restore sequence number for this installation. === Logging stopped: 10/10/2024 16:00:09 === MSI (s) (D8:54) [16:00:09:717]: User policy value 'DisableRollback' is 0 MSI (s) (D8:54) [16:00:09:717]: Machine policy value 'DisableRollback' is 0 MSI (s) (D8:54) [16:00:09:717]: Incrementing counter to disable shutdown. Counter after increment: 0 MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 MSI (s) (D8:54) [16:00:09:717]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1 MSI (s) (D8:54) [16:00:09:717]: Destroying RemoteAPI object. MSI (s) (D8:80) [16:00:09:717]: Custom Action Manager thread ending. MSI (c) (20:F4) [16:00:09:733]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1 MSI (c) (20:F4) [16:00:09:733]: MainEngineThread is returning 1603 === Verbose logging stopped: 10/10/2024 16:00:09 ===
Secure Score empty page
Last week i was editing our Secure Score. Everything went great. A day later i was doing the same thing, and i'm getting an empty page after saving some notes. I'm also getting a blank page after clicking on "Resolved through third-party". Never seen this one before. All of the Admins are getting blank pages after saving. I tested this issue in all major browsers and on different clients. Edit 15-10-2019: After clicking on save, the following error occured: Edit 16-10-2019: Just spoke to Microsoft, they are aware of the problem. It's the new experience look causing issues. They do not have an ETA for a solution.MDI Roles/Permissions - where art thou now ?
It used to be simple. In ATP (now MDI), there used to be 3 groups used for administration/viewing (Azure ATP [workspace] Admin, Azure ATP [workspace] Users and Azure ATP [workspace] Viewers). Having gone round and round in Role groups - Microsoft Defender for Identity | Microsoft Learn - I am now lost on whether this is still the case, as I have recently heard a few of my MDI "admins" (with the ATP User group) can no longer manage alerts. They used to be able to, and now it is greyed out and if you hover over the button it says "You don't have permissions to perform this action". Has RBAC gone up the wazzoo since the forced transition to the new portal ? There is no menu/config for Identity permissions...so I don't even know where those groups are shown any more. Anyone know ?
Events
in 8 hours
Microsoft Entra Suite helps enforce Conditional Access to cloud apps and internet resources. Watch our product expert demo how to implement secure risk-based access to all resources with Microsoft En...
Online
Recent Blogs
- Part 1: What Is Cyber Resiliency and How Do I Get It? Recently I was on a call with some Security leaders who were interested in how we at Microsoft could help them with cyber resiliency. But when ...Mar 10, 2025
- When managing identities across multiple tenants, organizations often face a crucial decision: should they choose ADSS (Active Directory Synchronization Service) Tenant Sync or Entra Native Cross-Ten...Mar 06, 2025
