Microsoft Defender for Identity sensor installation failing - error code 0x80070643

Description:

You are trying to install Microsoft Defender for Identity sensor on a Domain Controller. The Domain Controller need to use proxy to communicate to the internet. You've enter the correct proxy setting on the Domain Controller system setting. And you've make sure the required communication port (443) are already open from Domain Controller to *.atp.azure.com. However you still got stop error 0x80070643.

Resolution:

Configure the proxy setting using registry. You must copy the proxy configuration that you use in user context to the localsystem and localservice. To copy your user context proxy settings:

1. Make sure to back up the registry keys before you modify them.

2. In the registry, search for the value DefaultConnectionSettings as REG_BINARY under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Export all the value inside the Connections key.

3. Open the exported file and edit the location to become HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Save the first copy of the file.

4. Double click the new file to import the value from the Current_user DefaultConnectionSettings to LocalSystem.

5. After that, open the exported file and edit the location to become HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings. Save the second copy of the file.

6. Double click the second file to import value from the Current_User DefaultConnectionSettings to LocalService.

7. Close the registry editor.

Try to re-run the installation process again.

Cannot Re-Install NPCAP

Description:

You are trying to re-install NPCAP as part of Microsoft Defender for Identity Sensor deployment on a Domain Controller. However you got stuck uninstall error problem.

You have try to remove the registry from Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst. However the problem still exist.

Resolution:

Search for possible services that were using NPCAP. Example is Wireshark or Cisco Tetration. Stop those services and try to re-install NPCAP again.

Fixing Error nvlddmkm.sys on Event Viewer

Description:

You are using Nvidia GPU. And sometimes you saw nlddmkm.sys error in the event viewer. The GPU is crash and cannot restart normally.

Resolution:

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers

Add new Dword record. Enter TdrDelay as the name of the new DWORD. Set its Value Data to 8.

Click OK and close Registry Editor. Restart the Server.

Note:

If you still experiencing nlddmkm crash error after this, you may need to upgrade or downgrade your NVDIA Graphic driver. Version 472.12 seems to provide more stabile result.

Azure B2B Script to create Guest On-Prem Active Directory Account is Not Working

Description:

You are configuring Azure B2B to allow external users to access your on-premise application securely.

You have configure the Azure B2B setting and have publish the on-premise application using Azure AD Application Proxy. Now you want to use the Azure B2B script to create the Guest account in on-premise Active Directory automatically. 

You downloaded the script from https://www.microsoft.com/en-us/download/details.aspx?id=51495. 

However when you run it, you saw some error and the users never get created in on-premise Active Directory. 

During troubleshooting, you found out that the script has not enough application permission to connect or query to Azure AD. You even triple check the API permission, but cannot found the cause of the error.

Resolution:

The "AppProxy-GuestAccountCreation-v1.0.3.ps1" script is not updated. PowerShell script still uses deprecated Azure AD Graph API instead of MS Graph API. 

You can download the updated script from https://github.com/MicrosoftDocs/azure-docs/files/7090340/AppProxy-GuestAccountCreation-v1.0.3.txt.

Make sure you install Microsoft Graph PowerShell SDK prior to executing the script.

Error when using PowerShell Connect-MgGraph not recognized

Description:

You already install the Microsoft Graph PowerShell SDK on your machine. However when trying to run a script that has "Connect-MgGraph" command, you encountered not recognized cmdlet, function, script  error. You have also restarted the machine and make sure the Microsoft Graph Module was loaded.

Resolution:

There might be some conflict between Microsoft Graph module and other module on your machine. The possible conflict are with Azure AD or MSOnline modules.

Try to install the Microsoft Graph PowerShell SDK on other machine which has minimum or has only the default PowerShell module.

Intermittent ADFS Event ID 224 & 245 at WAP Server

Description:

At Web Application Proxy Server (WAP) configured to connect to ADFS, you saw several Event ID 224 & 245 intermittently appear. TCP Port 443 are already open between WAP and ADFS.

Resolution:

Make sure you have all the required certificate on WAP server, including the intermediate and trusted root of the SSL certificate.

Error 1297 when starting AD FS Service

Description:

When you try to start ADFS Service for the first time after finishing the configuration, you may encounter 1297 error.

Resolution:

You need to make sure that the service account that you use to run the ADFS Service has the following rights on the ADFS Server:

• Logon As Service
• Generate Security Audits

How to set mutisubnetfailover option on ADFS to SQL Database connection string

Description:

You want to use SQL Always On capability for your application. 

You need to change the Database Connection string.

Resolution:

Please run the following at PowerShell on all ADFS Server (one by one):

$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService
$temp.ConfigurationdatabaseConnectionstring=”data source=<you sql instance>;multisubnetfailover=true;initial catalog=adfsconfiguration;integrated security=true”
$temp.put()

Set-AdfsProperties –artifactdbconnection ”Data source=<you sql instance>;multisubnetfailover=true;Initial Catalog=AdfsArtifactStore;Integrated Security=True”

Exception Error when Running PowerShell command to Update the ADFS SQL Connection String.

Description:

As per article from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server, we need to run the following command to update the SQL connection string for the AD FS configuration database:

PS:\>$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService

PS:\>$temp.ConfigurationdatabaseConnectionstring="datasource=<SQLCluster\SQLInstance>;initial catalog=adfsconfiguration;integrated security=true"

PS:\>$temp.put()

The update is necessary to support SQL Always On feature.

However, there's an "exception error" when you run the above script in PowerShell.

Resolution:

For modifying the connection string on the additional ADFS server in the Farm, you need to stop the ADFS Service first. After that run the above script and start the ADFS Service again.

Error when adding a new Windows Server 2016 to ADFS Server Farm with SQL Database

Description:
You have successfully configured the first ADFS Server with SQL Database in a ADFS farm. Now you want to add another node to the ADFS Farm. 

However when you run the ADFS Configuration wizard, you encountered an error and the process stops.

At the prerequisite checks, we can see several errors as per below:

• "An error occurred during an attempt to connect to the AD FS configuration database. Error: Login failed for user 'Domain\The account I am logged into the server with'.. Confirm that the database hostname and instance name are correct and that the specified service account has logon access to the database."

• "Cannot open database "AdfsConfigurationV0" requested by the login. The login failed.

• Login failed for user 'domain\managed service account$'."

Resolution:
Make sure the account that you are using have the Owner Access to the ADFS database. 
The permissions can be removed after adding the new nodes.

Cannot Start ADFS Service after changing the Database Connection string to support SQL Always On

Description:
You have configured the first ADFS 2016 Server with SQL as the Database. Later on the day, the SQL Admin has also set the ADFS Database to have Always On capability.

You've follow the syntax from https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server to change the SQL Connection string on the first ADFS server to support SQL Always On feature.

However when you try to restart the ADFS service, it is always failed.

Example Script:

PS:\>$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService
PS:\>$temp.ConfigurationdatabaseConnectionstring="data source=<SQLCluster\SQLInstance>;initial catalog=adfsconfiguration;integrated security=true"
PS:\>$temp.put()

Resolution:

You need to modify the above example script. Make sure the "data source" are correct, and also the "initial catalog" value are the same as the actual database name in SQL. For example you may need to write "adfsconfgurationv3" instead of just "adfsconfiguration" on the above script.

Cannot Delete Domain Controller - Access is Denied

Description:

You are using Domain Admins account and wanted to delete a "stale" Domain Controller (DC) from Active Directory Users and Computers console. However you got an access denied error.

Resolution:

Most probably there's a protection against accidental deletion of DC.

• Go to Active Directory Sites and Services
• Expand the Sites folder > expand the site name where the DC you want to delete is > expand the Servers folder > expand the DC you want to delete
• Right click on NTDS Settings
• Click on the Object tab
• Uncheck the “Protect object from accidental deletion” checkbox.
• Click OK.

Now you should be able to delete the Domain Controller from Active Directory Users and Computers console.

Error connecting to SQL Server after changing Service Account to normal domain users

Description:

As security best practice, we should not run SQL Server Services with domain admin credential. However after changing it to the normal domain user credential, you encounter connection error message when trying to connect from SQL Server Management Studio.

The error may say something like "The target principal name is incorrect.  Cannot generate SSPI context."

Resolution:

We need to provide the appropriate permission for the domain user credential to modify ServicePrincipalName attribute in Active Directory.

• Run Adsiedit.msc
• In the ADSI Edit snap-in, expand Domain [YourDomainName], expand DC= RootDomainName, expand CN=Users, right-click CN= [YourAccountName, and then click Properties.
• In the CN= AccountName Properties dialog box, click the Security tab.
• On the Security tab, click Advanced.
• In the Advanced Security Settings dialog box, select one (any) of "SELF"'s row
• Click Edit, Open Permission Entry dialog box.
• Make sure Pricipal is "SELF", Type is "Allow" and "Applied to" is "This Object Only", in Properties section, select the properties below:
  • Read servicePrincipalName
  • Write servicePrincipalName
• Click OK to apply all changes and exit the ADSI Edit snap-in
• Restart the SQL Service(s) that use the account in question.

Error Connecting to SQL Server Instances after enabling Windows Firewall

Description:

For security reason, you need to enable the Windows Firewall on your SQL server machine.

However, after you enable them, user cannot connect to one of your SQL Instances. You already create Inbound TCP rule to allow port 1433 and another TCP port where the instance listened, but users still cannot connect. They can connect if the specified the port number for that instance was directly written on the connection page.

Resolution:

Make sure you also create inbound rule for UDP port 1434. The SQL Server browser service runs on UDP port 1434 and listens for incoming connections to a named instance.

Cannot Access Remote Share on Workgroup Computer using Local Admin Account

Description:

You have several servers in Workgroup environment. You know the Local Administrator Account and Password. You try to connect to the Administrative Share from Remote Workgroup machine but always failed. Network port for Ping, RPC, SMB from source to destination are all open. Username and password are both correct.

Resolution:

Open Regedit and go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System". 

1. On the Edit menu, point to New, and then click DWORD (32-bit) Value.

2. Type LocalAccountTokenFilterPolicy to name the new entry, and then press Enter.

3. Right-click LocalAccountTokenFilterPolicy, and then click Modify.

4. In the Value data box, type 1, and then click OK.

5. Exit Registry Editor.

BitLocker with MBAM Failed to Encrypt because Access Denied by Remote Endpoint

Description:

You have configure MBAM Application server, MBAM Database server and set GPO for Drive Encryption to run automatically with minimal user interaction. However when you test it, it shows error "failed to encrypt".

When you look at the event viewer in the client machine, it said "Unable to connect to the MBAM Recovery and Hardware Service". It also give Error Code: -2143485947 and more detail "Access was denied by the remote endpoint".

Resolution:

Make sure the account for MBAM web application pool has the correct SPN.

You can use the following command to set the SPN for FQDN and NETBIOS.

Setspn -s http/mbamvirtual contoso\mbamapppooluser

Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

Error when Encrypting Drive in BitLocker with MBAM

Description:

You have configure MBAM Application server, MBAM Database server and set GPO for Drive Encryption to run automatically with minimal user interaction. However when you test it, it shows error "failed to encrypt".

When you look at the event viewer in the client machine, it said "an error occurred while applying MBAM policies" And it also give error code -2147217402.

Resolution:

Please update the MBAM client on that machine to the latest servicing update. At the moment it can be downloaded from Download Microsoft Desktop Optimization Pack October 2020 Servicing Release from Official Microsoft Download Center. After restart you will see the encryption process is running successfully.

Error when Granting Access to the User at tenant root scope “/” to deploy Enterprise-Scale

Description:

You want to deploy Enterprise-Scale Architecture at your Azure Environment.

One of the prerequisite is to explicitly provide roleAssignment (RBAC) at the tenant root scope via CLI or PowerShell (Note: There’s no portal UX to make this roleAssignment)

However several error occurred when you try to run the following command at Azure CLI to provide the role Assignment.

• az login

Error message: The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.

• az role assignment create --scope '/'  --role 'Owner' --assignee-object-id $(az ad signed-in-user show --query  objectId)

Error message: Failed to query --assignee-principal-type for "7786a679-034b-42cc-a23a-xxxxxxxxxxxx" by invoking Graph API. RBAC server might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually. The Principal ID '"7786a679-034b-42cc-a23a-xxxxxxxxxxxx"' is not valid. Principal ID must be a GUID.

Resolution:

To fix the issue, the command needs some small changes. Instead of using the above command, try to use the following command:

• az login -t yourdomainname.onmicrosoft.com

• az role assignment create --scope '/'  --role 'Owner' --assignee-object-id "7786a679-034b-42cc-a23a-xxxxxxxxxxx"

How to connect to RDP with Azure AD account?

Description:

You have an Azure AD joined machine in the network. You want to use the Azure AD credentials to remote desktop that machine.

You try to enter the Azure AD username and password when prompted, however the login process is always fail.

Resolution:

1. Open Control Panel and go to System, then open Remote settings.

2. Uncheck the Allow connections only from computers running Remote Desktop with Network Level Authentication.

3. Edit the RDP connection file in notepad.

4. Add a line to the file and type "enablecredsspsupport:i:0". Save the File.

5. Use the RDP connection file to connect to the Azure AD  joined machine.

Cannot Start Azure ATP or Defender for Identity Services when using gMSA

Description:

You are deploying Azure Advanced Threat Protection (AATP) or Microsoft Defender for Identity (MDI) in your Multi-Domain Single-Forest IT environment. You plan to use gMSA account for the Defender for Identity services account when communicating to Active Directory. 

You have created a new universal group or domain local group and add all of the Domain Controllers in the Forest to that group. You also have created the gMSA account and configured that group to be able to retrieve password and use the gMSA account.

However when you configure MDI to use the gMSA account, the Sensor Services on the Domain Controllers cannot be start.

Resolution:

Make sure you have Restarted the Domain Controllers that you put inside the new universal or domain local group. After the Domain Controller restart, try to login and notice that Azure ATP Sensor Services will be able to start properly. Delayed start is expected for Azure ATP services.