Troubleshooting Windows Defender Advanced Threat Protection (WDATP) On-boarding

This blog post describes some troubleshooting steps you can take if you have followed the process to on-board Windows 10 devices to WDATP (as described here), but the devices do not appear in the Machine List in the Windows Defender ATP portal.

1. From the Windows 10 device, verify the diagnostic data service is enabled and running

Open an elevated command prompt and run the following command. It shows the configuration of the Connected User Experiences and Telemetry (DiagTrack) service; the START_TYPE should be AUTO_START, otherwise the sensor cannot report to the service.

sc qc diagtrack

In my case the service was running without errors

2. From the Windows 10 device, verify the on-boarding script ran successfully

Open the Windows Application event log (Event Viewer > Windows Logs > Application) and look for Event ID 20, which records that the on-boarding script ran successfully.

In my case the On-boarding script ran successfully

3. From the Windows 10 device, check the event logs for any on-boarding errors

Open the following event log in Event Viewer and look for errors:

  • Applications and Services Logs > Microsoft > Windows > SENSE > Operational

In my case I could see HTTP errors relating to Windows Defender ATP URLs

4. Next, run the WDATP Connectivity Analyzer tool to verify that your Windows 10 device can access the Windows Defender ATP URLs

  • Windows Defender ATP clients need access to these URLs
  • To verify access, download and extract the WDATP Connectivity Analyzer tool from here

Note about running the WDATP Connectivity Analyzer tool

The Windows Defender ATP sensor runs as the LocalSystem account, so the WDATP Connectivity Analyzer must be run in the LocalSystem context as well. Only then does it see exactly what the sensor sees: the machine-wide WinHTTP proxy configuration rather than the logged-on user's browser proxy settings, and the same firewall and proxy rules that apply to the SYSTEM account. A test run from a normal user prompt can succeed while the sensor is still blocked. The Sysinternals utility PsExec.exe can be used to launch a command prompt as LocalSystem.

On your Windows 10 client, open an elevated command prompt (PsExec needs administrative rights to launch a process as LocalSystem) and change to the extracted WDATP Connectivity Analyzer folder

Run the following command (-i makes the new process interactive on the current desktop, -s runs it as the LocalSystem account)

psexec.exe -i -s cmd.exe

This will open another command prompt in the LocalSystem context. You can verify this by running "whoami" in the new window; it should return nt authority\system

From this new command prompt (under the local system context) browse to the WDATP Connectivity Analyzer folder and run WDATPConnectivityAnalyzer.cmd

Once complete, review the log file (WDATPConnectivityAnalyzer.txt) that was generated in the WDATP Connectivity Analyzer folder

In my case I could see “403” errors connecting to the Windows Defender ATP URLs. I consulted with the networks team who could see the internet proxy blocking the connections. After the networks team created an exception for the URLs I re-ran the connectivity tests. The WDATP Connectivity Analyzer log showed a “200” (success).

Soon after, my Windows 10 devices started to appear in the Machine List in the Windows Defender ATP portal
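The four checks above can be run together from one PowerShell script. The script below is an added example and is not part of the original post or of the WDATP Connectivity Analyzer; the script name Check-WdatpOnboarding.ps1 is made up, and it assumes you pass in the Windows Defender ATP URLs from the Microsoft documentation yourself (none are hard-coded). It reads the DiagTrack service state, looks for Event ID 20 in the Application log, lists recent errors and warnings from the Microsoft-Windows-SENSE/Operational channel (the log shown in Event Viewer as Microsoft > Windows > SENSE > Operational), prints the WinHTTP proxy the sensor would use, and then requests each URL, reporting the HTTP status code it gets back so that a proxy "403" stands out the same way it did in the analyzer log.

```powershell
# Check-WdatpOnboarding.ps1 (hypothetical name; added example, not from the original post)
# Run from an elevated prompt. To see exactly what the sensor sees, start PowerShell
# as LocalSystem first:  psexec.exe -i -s powershell.exe
param(
    # Assumption: the caller supplies the Windows Defender ATP URLs from the
    # Microsoft documentation. No URLs are hard-coded in this example.
    [string[]]$Urls = @()
)

# --- 1. Diagnostic data service: should be Automatic and Running -------------
$svc = Get-Service -Name DiagTrack
"DiagTrack: Status={0} StartType={1}" -f $svc.Status, $svc.StartType
if ($svc.StartType -ne 'Automatic') {
    Write-Warning 'DiagTrack start type is not Automatic (fix: sc config diagtrack start=auto)'
}
if ($svc.Status -ne 'Running') {
    Write-Warning 'DiagTrack is not running (fix: sc start diagtrack)'
}

# --- 2. On-boarding script result: Event ID 20 in the Application log ----------
# Any provider can use ID 20, so the provider name and message are shown for review.
$onboard = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 20 } `
                        -MaxEvents 5 -ErrorAction SilentlyContinue
if ($onboard) {
    $onboard | Select-Object TimeCreated, ProviderName, Message | Format-List
} else {
    Write-Warning 'No Event ID 20 in the Application log: the on-boarding script may not have run.'
}

# --- 3. SENSE operational log: recent errors (level 2) and warnings (level 3) --
$sense = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 2, 3 } `
                      -MaxEvents 20 -ErrorAction SilentlyContinue
if ($sense) {
    $sense | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
} else {
    'No errors or warnings in Microsoft-Windows-SENSE/Operational.'
}

# --- 4. Connectivity: proxy in effect for the sensor, then each URL -----------
# The sensor uses the machine WinHTTP proxy, not the logged-on user's browser proxy.
netsh winhttp show proxy

foreach ($u in $Urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
        "{0} -> {1}" -f $u, $r.StatusCode
    } catch {
        $resp = $_.Exception.Response
        if ($resp) {
            # An HTTP status came back, so something answered (often the proxy).
            # A 403 here is the proxy block described in the post.
            "{0} -> {1}" -f $u, [int]$resp.StatusCode
        } else {
            # No HTTP response at all: DNS, TCP or TLS failure.
            "{0} -> no response: {1}" -f $u, $_.Exception.Message
        }
    }
}
```

Usage (from an elevated or PsExec-launched prompt): powershell.exe -ExecutionPolicy Bypass -File .\Check-WdatpOnboarding.ps1 -Urls 'https://first-url','https://second-url'. Compare the status codes with what the networks team sees on the proxy; the analyzer log and this output should agree once the exception is in place.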
