Troubleshoot Microsoft Defender for Endpoint onboarding issues

Applies to:

  • Microsoft Defender for Endpoint Plan 2
  • Windows Server 2012 R2
  • Windows Server 2016
  • Microsoft 365 Defender

Want to experience Defender for Endpoint? Sign up for a free trial.

You might need to troubleshoot the Microsoft Defender for Endpoint onboarding process if you run into issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices.

Before you start troubleshooting problems with onboarding tools, it is important to check if the minimum requirements are met for onboarding devices to the services. Learn about the licensing, hardware, and software requirements to onboard devices to the service.

If you have completed the onboarding procedure and don't see devices in the Devices list after an hour, it might indicate an onboarding or connectivity problem.

Troubleshoot onboarding when deploying with Group Policy

Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not.

If you have completed the onboarding process and don't see devices in the Devices list after an hour, you can check the output of the script on the devices. For more information, see Troubleshoot onboarding when deploying with a script.

If the script completes successfully, see Troubleshoot onboarding issues on the devices for additional errors that might occur.

Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager

When onboarding devices using the following versions of Configuration Manager:

  • Microsoft Endpoint Configuration Manager
  • System Center 2012 Configuration Manager
  • System Center 2012 R2 Configuration Manager

Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager Console.

If the deployment fails, you can check the output of the script on the devices.

If the onboarding completed successfully but the devices are not showing up in the Devices list after an hour, see Troubleshoot onboarding issues on the device for additional errors that might occur.

Troubleshoot onboarding when deploying with a script

Check the result of the script on the device:

  1. Click Start, type Event Viewer, and press Enter.

  2. Go to Windows Logs > Application.

  3. Look for an event from WDATPOnboarding event source.

If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.

Note

The following event IDs are specific to the onboarding script only.



| Event ID | Error Type | Resolution steps |
|---|---|---|
| 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. |
| 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. Verify that the script has been run as an administrator. |
| 15 | Failed to start SENSE service | Check the service health (sc query sense command). Make sure it's not in an intermediate state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with administrator rights). If the device is running Windows 10, version 1607 and running the command sc query sense returns START_PENDING, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again. |
| 15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred, you need to enable the Microsoft Defender Antivirus ELAM driver, see Ensure that Microsoft Defender Antivirus is not disabled by a policy for instructions. |
| 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see Review events and errors using Event viewer. |
| 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see Review events and errors using Event viewer. |
| 40 | SENSE service onboarding status is not set to 1 | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see Review events and errors using Event viewer. |
| 65 | Insufficient privileges | Run the script again with administrator privileges. |

Troubleshoot onboarding issues using Microsoft Intune

You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.

If you have configured policies in Intune and they are not propagated on devices, you might need to configure automatic MDM enrollment.

Use the following tables to understand the possible causes of issues while onboarding:

  • Microsoft Intune error codes and OMA-URIs table
  • Known issues with non-compliance table
  • Mobile Device Management (MDM) event logs table

If none of the event logs and troubleshooting steps work, download the Local script from the Device management section of the portal, and run it in an elevated command prompt.

Microsoft Intune error codes and OMA-URIs

| Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps |
|---|---|---|---|---|
| 0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding, Offboarding | Possible cause: Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. Troubleshooting steps: Check the event IDs in the View agent onboarding errors in the device event log section. Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in Windows. |
| 0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding, Offboarding, SampleSharing | Possible cause: Microsoft Defender for Endpoint Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. Troubleshooting steps: Ensure that the following registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. If it doesn't exist, open an elevated command and add the key. |
| 0x87D1FDE8 | -2016281112 | Remediation failed | SenseIsRunning, OnboardingState, OrgId | Possible cause: An attempt to remediate by read-only property. Onboarding has failed. Troubleshooting steps: Check the troubleshooting steps in Troubleshoot onboarding issues on the device. Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in Windows. |
| 0x87D1FDE8 | -2016281112 | Remediation failed | All | Possible cause: Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU. Currently supported platforms: Enterprise, Education, and Professional. Server is not supported. |
| 0x87D101A9 | -2016345687 | SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | Possible cause: Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU. Currently supported platforms: Enterprise, Education, and Professional. |

Known issues with non-compliance

The following table provides information on issues with non-compliance and how you can address the issues.

| Case | Symptoms | Possible cause and troubleshooting steps |
|---|---|---|
| 1 | Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | Possible cause: Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. Troubleshooting steps: Wait for OOBE to complete. |
| 2 | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | Possible cause: Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start. Troubleshooting steps: The issue should automatically be fixed within 24 hours. |
| 3 | Device is non-compliant | Troubleshooting steps: Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time. |

Mobile Device Management (MDM) event logs

View the MDM event logs to troubleshoot issues that might arise during onboarding:

Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider

Channel name: Admin

| ID | Severity | Event description | Troubleshooting steps |
|---|---|---|---|
| 1819 | Error | Microsoft Defender for Endpoint CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the Cumulative Update for Windows 10, 1607. |

Troubleshoot onboarding issues on the device

If the deployment tools used do not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender for Endpoint agent.

  • View agent onboarding errors in the device event log
  • Ensure the diagnostic data service is enabled
  • Ensure the service is set to start
  • Ensure the device has an Internet connection
  • Ensure that Microsoft Defender Antivirus is not disabled by a policy

View agent onboarding errors in the device event log

  1. Click Start, type Event Viewer, and press Enter.

  2. In the Event Viewer (Local) pane, expand Applications and Services Logs > Microsoft > Windows > SENSE.

    Note

    SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.

  3. Select Operational to load the log.

  4. In the Action pane, click Filter Current log.

  5. On the Filter tab, under Event level: select Critical, Warning, and Error, and click OK.

  6. Events which can indicate issues will appear in the Operational pane. You can attempt to troubleshoot them based on the solutions in the following table:



| Event ID | Message | Resolution steps |
|---|---|---|
| 5 | Microsoft Defender for Endpoint service failed to connect to the server at variable | Ensure the device has Internet access. |
| 6 | Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found. Failure code: variable | Run the onboarding script again. |
| 7 | Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure code: variable | Ensure the device has Internet access, then run the entire onboarding process again. |
| 9 | Microsoft Defender for Endpoint service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see Run the onboarding script again. If the event happened during offboarding, contact support. |
| 10 | Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see Run the onboarding script again. If the problem persists, contact support. |
| 15 | Microsoft Defender for Endpoint cannot start command channel with URL: variable | Ensure the device has Internet access. |
| 17 | Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | Run the onboarding script again. If the problem persists, contact support. |
| 25 | Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: variable | Contact support. |
| 27 | Failed to enable Microsoft Defender for Endpoint mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. |
| 29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the device has Internet access, then run the entire offboarding process again. |
| 30 | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender for Endpoint. Failure code: %1 | Contact support. |
| 32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device. |
| 55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device. |
| 63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. |
| 64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. |
| 68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. |
| 69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. |
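
The Event Viewer steps above, and the earlier check for the WDATPOnboarding source in the Application log, can be run from an elevated PowerShell session instead. This is an added example, not part of the original page or of Microsoft's tooling: the function name Get-OnboardingEvents and the $ScriptEventHints variable are made up here, and Microsoft-Windows-SENSE/Operational is the channel behind the Applications and Services Logs > Microsoft > Windows > SENSE > Operational path.

```powershell
# Added example: collect onboarding-related events from both logs this page describes.
# Run in an elevated PowerShell session on the affected device.

# Short hints for the onboarding script's event IDs, condensed from the table
# in "Troubleshoot onboarding when deploying with a script".
$ScriptEventHints = @{
    5  = 'Check permissions on HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    10 = 'Check permissions on the policy registry key; run the script as administrator'
    15 = 'Check SENSE state (sc query sense); error 577 or 1058 points at the ELAM driver'
    30 = 'Service did not reach the running state; review SENSE events'
    35 = 'Onboarding status registry value not found; review SENSE events'
    40 = 'Onboarding status is not 1; review SENSE events'
    65 = 'Run the script again with administrator privileges'
}

function Get-OnboardingEvents {
    param(
        # How far back to look (hypothetical default chosen for this example).
        [int]$Days = 7
    )

    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        # Output of the onboarding script: Windows Logs > Application, source WDATPOnboarding.
        @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding'; StartTime = $since },
        # Agent errors: SENSE Operational log, levels Critical (1), Error (2), Warning (3).
        @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 1, 2, 3; StartTime = $since }
    )

    foreach ($filter in $filters) {
        # Get-WinEvent reports an error when no event matches; treat that as "nothing found".
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hint = $null
                if ($_.ProviderName -eq 'WDATPOnboarding') {
                    $hint = $ScriptEventHints[[int]$_.Id]
                }
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Log         = $_.LogName
                    Id          = $_.Id
                    Level       = $_.LevelDisplayName
                    Message     = ($_.Message -split "`r?`n")[0]   # first line only
                    Hint        = $hint
                }
            }
    }
}

# One timeline across both logs, oldest first.
Get-OnboardingEvents -Days 7 | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Event IDs overlap between the two logs (5, 10 and 15 mean different things in each), so read the Id column together with the Log column.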

There are additional components on the device that the Microsoft Defender for Endpoint agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender for Endpoint agent event log, proceed with the following steps to ensure that the additional components are configured correctly.

Ensure the diagnostic data service is enabled

If the devices aren't reporting correctly, you might need to check that the Windows diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes.

First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).

Ensure the service is set to start

Use the command line to check the Windows diagnostic data service startup type:

  1. Open an elevated command-line prompt on the device:

    a. Click Start, type cmd, and press Enter.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

        sc qc diagtrack

    If the service is enabled, then the result should look like the following screenshot:

    (Screenshot: the result of the sc query command for diagtrack)

    If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.

Use the command line to set the Windows diagnostic data service to automatically start:

  1. Open an elevated command-line prompt on the device:

    a. Click Start, type cmd, and press Enter.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

        sc config diagtrack start=auto

  3. A success message is displayed. Verify the change by entering the following command, and press Enter:

        sc qc diagtrack

  4. Start the service. In the command prompt, type the following command and press Enter:

        sc start diagtrack

Ensure the device has an Internet connection

The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.

WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.

To ensure that the sensor has service connectivity, follow the steps described in the Verify client connectivity to Microsoft Defender for Endpoint service URLs topic.

If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in the Configure proxy and Internet connectivity settings topic.

Ensure that Microsoft Defender Antivirus is not disabled by a policy

Important

The following only applies to devices that have not yet received the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.

The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via system policy.

Problem: The Microsoft Defender for Endpoint service does not start after onboarding.

Symptom: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.

Solution: If your devices are running a third-party antimalware client, the Microsoft Defender for Endpoint agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy.

  • Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:

    • DisableAntiSpyware
    • DisableAntiVirus

    For example, in Group Policy there should be no entries such as the following values:

    • <Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>
    • <Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiVirus"/></Key>

Important

The disableAntiSpyware setting is discontinued and will be ignored on all Windows 10 devices, as of the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.

  • After clearing the policy, run the onboarding steps again.

  • You can also check the previous registry key values to verify that the policy is disabled, by opening the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.

    Note

    All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system.

    Example default configurations for WdBoot and WdFilter:

    • <Key Path="System\CurrentControlSet\Services\WdBoot"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>
    • <Key Path="System\CurrentControlSet\Services\WdFilter"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>
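
The device-side checks from the last three sections (diagnostic data service, SENSE service state, Defender Antivirus policy values, and the WdBoot/WdFilter defaults) can be gathered in one pass. The following PowerShell is an added example, not part of the original page or of Microsoft's tooling: the function names New-Check and Test-OnboardingPrerequisites are made up here, and OnboardingState is the value name assumed for the onboarding status that the page says SENSE writes under the Status key.

```powershell
# Added example: read-only check of the components the agent depends on.
# Run in an elevated PowerShell session; nothing is changed on the device.

function New-Check($Name, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Name; Ok = [bool]$Ok; Detail = $Detail }
}

function Test-OnboardingPrerequisites {
    # Diagnostic data service: should be AUTO_START and running (sc qc diagtrack).
    $diag = Get-CimInstance Win32_Service -Filter "Name='DiagTrack'"
    New-Check 'DiagTrack start type is Auto' ($diag.StartMode -eq 'Auto') "StartMode=$($diag.StartMode)"
    New-Check 'DiagTrack is running' ($diag.State -eq 'Running') "State=$($diag.State)"

    # SENSE service: a pending state here matches event ID 15 of the onboarding script.
    $sense = Get-CimInstance Win32_Service -Filter "Name='Sense'"
    New-Check 'SENSE is running' ($sense.State -eq 'Running') "State=$($sense.State)"

    # Policy values that turn off Defender Antivirus should not be present at all.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        $detail = if ($null -eq $value) { 'not set' } else { "Value=$value" }
        New-Check "Policy $name is cleared" ($null -eq $value) $detail
    }

    # Boot-start Defender drivers: the default Start value shown on this page is 0.
    foreach ($svc in 'WdBoot', 'WdFilter') {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
        New-Check "$svc Start is 0" ($start -eq 0) "Start=$start"
    }

    # Onboarding status written by SENSE on first start (value name is an assumption, see lead-in).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    New-Check 'Onboarding status is 1' ($state -eq 1) "OnboardingState=$state"
}

Test-OnboardingPrerequisites | Format-Table -AutoSize
```

A False in the policy rows is only relevant on devices that have not yet received the August 2020 update, as the note above explains.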

Troubleshoot onboarding issues

Note

The following troubleshooting guidance is only applicable for Windows Server 2016 and lower.

If you encounter issues while onboarding a server, go through the following verification steps to address possible issues.

  • Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service
  • Ensure that the server proxy and Internet connectivity settings are configured properly

You might also need to check the following:

  • Check that there is a Microsoft Defender for Endpoint Service running in the Processes tab in Task Manager.

  • Check Event Viewer > Applications and Services Logs > Operations Manager to see if there are any errors.

  • In Services, check if the Microsoft Monitoring Agent is running on the server.

  • In Microsoft Monitoring Agent > Azure Log Analytics (OMS), check the Workspaces and verify that the status is running.

  • Check to see that devices are reflected in the Devices list in the portal.

Confirming onboarding of newly built devices

There may be instances when onboarding is deployed on a newly built device but not completed.

The steps below provide guidance for the following scenario:

  • Onboarding package is deployed to newly built devices
  • Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
  • Device is turned off or restarted before the end user performs a first logon
  • In this scenario, the SENSE service will not start automatically even though onboarding package was deployed

Note

The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see Microsoft Defender for Endpoint.

  1. Create an application in Microsoft Endpoint Configuration Manager.

  2. Select Manually specify the application information.

  3. Specify information about the application, then select Next.

  4. Specify information about the software center, then select Next.

  5. In Deployment types select Add.

  6. Select Manually specify the deployment type information, then select Next.

  7. Specify information about the deployment type, then select Next.

  8. In Content > Installation program specify the command: net start sense.

  9. In Detection method, select Configure rules to detect the presence of this deployment type, then select Add Clause.

  10. Specify the following detection rule details, then select OK:

  11. In Detection method select Next.

  12. In User Experience, specify the following information, then select Next:

  13. In Requirements, select Next.

  14. In Dependencies, select Next.

  15. In Summary, select Next.

  16. In Completion, select Close.

  17. In Deployment types, select Next.

  18. In Summary, select Next.

    The status is then displayed.

  19. In Completion, select Close.

  20. You can now deploy the application by right-clicking the app and selecting Deploy.

  21. In General select Automatically distribute content for dependencies and Browse.

  22. In Content select Next.

  23. In Deployment settings, select Next.

  24. In Scheduling select As soon as possible after the available time, then select Next.

  25. In User experience, select Commit changes at deadline or during a maintenance window (requires restarts), then select Next.

  26. In Alerts select Next.

  27. In Summary, select Next.

    The status is then displayed.

  28. In Completion, select Close.
