Troubleshoot Microsoft Defender for Endpoint onboarding issues

Applies to:

  • Microsoft Defender for Endpoint Plan 2
  • Windows Server 2012 R2
  • Windows Server 2016
  • Microsoft 365 Defender

Want to experience Defender for Endpoint? Sign up for a free trial.

You might need to troubleshoot the Microsoft Defender for Endpoint onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools, and common errors that might occur on the devices.

Before you start troubleshooting issues with onboarding tools, it is important to check whether the minimum requirements for onboarding devices to the service are met. Learn about the licensing, hardware, and software requirements to onboard devices to the service.

If you have completed the onboarding process and don't see devices in the Devices list after an hour, it might indicate an onboarding or connectivity problem.

Troubleshoot onboarding when deploying with Group Policy

Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate whether the deployment has succeeded or not.

If you have completed the onboarding process and don't see devices in the Devices list after an hour, you can check the output of the script on the devices. For more information, see Troubleshoot onboarding when deploying with a script.

If the script completes successfully, see Troubleshoot onboarding issues on the devices for additional errors that might occur.

Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager

When onboarding devices using the following versions of Configuration Manager:

  • Microsoft Endpoint Configuration Manager
  • System Center 2012 Configuration Manager
  • System Center 2012 R2 Configuration Manager

Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager Console.

If the deployment fails, you can check the output of the script on the devices.

If the onboarding completed successfully but the devices are not showing up in the Devices list after an hour, see Troubleshoot onboarding issues on the device for additional errors that might occur.

Troubleshoot onboarding when deploying with a script

Check the result of the script on the device:

  1. Click Start, type Event Viewer, and press Enter.

  2. Go to Windows Logs > Application.

  3. Look for an event from the WDATPOnboarding event source.

If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.

Note

The following event IDs are specific to the onboarding script only.



Event ID 5
  Error type: Offboarding data was found but couldn't be deleted
  Resolution steps: Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.

Event ID 10
  Error type: Onboarding data couldn't be written to registry
  Resolution steps: Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. Verify that the script has been run as an administrator.

Event ID 15
  Error type: Failed to start SENSE service
  Resolution steps: Check the service health (sc query sense command). Make sure it's not in an intermediate state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with administrator rights). If the device is running Windows 10, version 1607 and running the command sc query sense returns START_PENDING, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.

Event ID 15
  Error type: Failed to start SENSE service
  Resolution steps: If the message of the error is: System error 577 or error 1058 has occurred, you need to enable the Microsoft Defender Antivirus ELAM driver; see Ensure that Microsoft Defender Antivirus is not disabled by a policy for instructions.

Event ID 30
  Error type: The script failed to wait for the service to start running
  Resolution steps: The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see Review events and errors using Event Viewer.

Event ID 35
  Error type: The script failed to find the needed onboarding status registry value
  Resolution steps: When the SENSE service starts for the first time, it writes onboarding status to the registry location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see Review events and errors using Event Viewer.

Event ID 40
  Error type: SENSE service onboarding status is not set to 1
  Resolution steps: The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see Review events and errors using Event Viewer.

Event ID 65
  Error type: Insufficient privileges
  Resolution steps: Run the script again with administrator privileges.

Troubleshoot onboarding issues using Microsoft Intune

You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.

If you have configured policies in Intune and they are not propagated to devices, you might need to configure automatic MDM enrollment.

Use the following tables to understand the possible causes of issues while onboarding:

  • Microsoft Intune error codes and OMA-URIs table
  • Known issues with non-compliance table
  • Mobile Device Management (MDM) event logs table

If none of the event logs and troubleshooting steps work, download the Local script from the Device management section of the portal, and run it in an elevated command prompt.

Microsoft Intune error codes and OMA-URIs



Error code (hex): 0x87D1FDE8
Error code (dec): -2016281112
Error description: Remediation failed

  OMA-URI: Onboarding, Offboarding
  Possible cause: Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
  Troubleshooting steps: Check the event IDs in the View agent onboarding errors in the device event log section. Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in Windows.

  OMA-URI: Onboarding, Offboarding, SampleSharing
  Possible cause: The Microsoft Defender for Endpoint Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
  Troubleshooting steps: Ensure that the following registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection. If it doesn't exist, open an elevated command prompt and add the key.

  OMA-URI: SenseIsRunning, OnboardingState, OrgId
  Possible cause: An attempt to remediate by read-only property. Onboarding has failed.
  Troubleshooting steps: Check the troubleshooting steps in Troubleshoot onboarding issues on the device. Check the MDM event logs in the following table or follow the instructions in Diagnose MDM failures in Windows.

  OMA-URI: All
  Possible cause: Attempt to deploy Microsoft Defender for Endpoint on a non-supported SKU/platform, particularly the Holographic SKU. Currently supported platforms: Enterprise, Education, and Professional. Server is not supported.

Error code (hex): 0x87D101A9
Error code (dec): -2016345687
Error description: SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient.

  OMA-URI: All
  Possible cause: Attempt to deploy Microsoft Defender for Endpoint on a non-supported SKU/platform, particularly the Holographic SKU. Currently supported platforms: Enterprise, Education, and Professional.

Known issues with non-compliance

The following table provides data on issues with non-compliance and how you can address the problems.



Case 1
  Symptoms: Device is compliant by the SenseIsRunning OMA-URI, but is non-compliant by the OrgId, Onboarding, and OnboardingState OMA-URIs.
  Possible cause: Check that the user passed OOBE after Windows installation or upgrade. During OOBE, onboarding couldn't be completed but SENSE is running already.
  Troubleshooting steps: Wait for OOBE to complete.

Case 2
  Symptoms: Device is compliant by the OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by the SenseIsRunning OMA-URI.
  Possible cause: The Sense service's startup type is set to "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when the DM session occurs on system start.
  Troubleshooting steps: The issue should automatically be fixed within 24 hours.

Case 3
  Symptoms: Device is non-compliant.
  Troubleshooting steps: Ensure that Onboarding and Offboarding policies are not deployed on the same device at the same time.

Mobile Device Direction (MDM) event logs

View the MDM event logs to troubleshoot issues that might arise during onboarding:

Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider

Channel name: Admin



ID: 1819
  Severity: Error
  Event description: Microsoft Defender for Endpoint CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3).
  Troubleshooting steps: Download the Cumulative Update for Windows 10, 1607.

Troubleshoot onboarding issues on the device

If the deployment tool used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list within an hour, go through the following verification topics to check whether an error occurred with the Microsoft Defender for Endpoint agent.

  • View agent onboarding errors in the device event log
  • Ensure the diagnostic data service is enabled
  • Ensure the service is set to start
  • Ensure the device has an Internet connection
  • Ensure that Microsoft Defender Antivirus is not disabled by a policy

View agent onboarding errors in the device event log

  1. Click Start, type Event Viewer, and press Enter.

  2. In the Event Viewer (Local) pane, expand Applications and Services Logs > Microsoft > Windows > SENSE.

    Note

    SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint.

  3. Select Operational to load the log.

  4. In the Action pane, click Filter Current log.

  5. On the Filter tab, under Event level: select Critical, Warning, and Error, and click OK.

    The Event Viewer log filter

  6. Events which can indicate issues will appear in the Operational pane. You can try to troubleshoot them based on the solutions in the following table:



Event ID 5
  Message: Microsoft Defender for Endpoint service failed to connect to the server at variable
  Resolution steps: Ensure the device has Internet access.

Event ID 6
  Message: Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found. Failure code: variable
  Resolution steps: Run the onboarding script again.

Event ID 7
  Message: Microsoft Defender for Endpoint service failed to read the onboarding parameters. Failure code: variable
  Resolution steps: Ensure the device has Internet access, then run the entire onboarding process again.

Event ID 9
  Message: Microsoft Defender for Endpoint service failed to change its start type. Failure code: variable
  Resolution steps: If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see Run the onboarding script again. If the event happened during offboarding, contact support.

Event ID 10
  Message: Microsoft Defender for Endpoint service failed to persist the onboarding data. Failure code: variable
  Resolution steps: If the event happened during onboarding, re-attempt running the onboarding script. For more information, see Run the onboarding script again. If the problem persists, contact support.

Event ID 15
  Message: Microsoft Defender for Endpoint cannot start command channel with URL: variable
  Resolution steps: Ensure the device has Internet access.

Event ID 17
  Message: Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable
  Resolution steps: Run the onboarding script again. If the problem persists, contact support.

Event ID 25
  Message: Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: variable
  Resolution steps: Contact support.

Event ID 27
  Message: Failed to enable Microsoft Defender for Endpoint mode in Windows Defender. Onboarding process failed. Failure code: variable
  Resolution steps: Contact support.

Event ID 29
  Message: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
  Resolution steps: Ensure the device has Internet access, then run the entire offboarding process again.

Event ID 30
  Message: Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender for Endpoint. Failure code: %1
  Resolution steps: Contact support.

Event ID 32
  Message: $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1
  Resolution steps: Verify that the service start type is manual and reboot the device.

Event ID 55
  Message: Failed to create the Secure ETW autologger. Failure code: %1
  Resolution steps: Reboot the device.

Event ID 63
  Message: Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4
  Resolution steps: Identify what is causing changes in the start type of the mentioned service. If the exit code is not 0, fix the start type manually to the expected start type.

Event ID 64
  Message: Starting stopped external service. Name: %1, exit code: %2
  Resolution steps: Contact support if the event keeps re-appearing.

Event ID 68
  Message: The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3
  Resolution steps: Identify what is causing changes in start type. Fix the mentioned service's start type.

Event ID 69
  Message: The service is stopped. Service name: %1
  Resolution steps: Start the mentioned service. Contact support if the problem persists.
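The onboarding-script events (Application log, source WDATPOnboarding) and the sensor events (SENSE Operational log) described in the two tables above can be collected in one pass. The following PowerShell is an added example, not part of the original article: it queries both logs, attaches the resolution hints from the tables to the event IDs, and reads the OnboardingState value that the onboarding script checks. It assumes the SENSE log is registered as Microsoft-Windows-SENSE/Operational and the sensor service name is Sense (the service queried by sc query sense above).

```powershell
# Added example (not from the original article): collect the onboarding-related
# events the tables above describe and read the OnboardingState value the script
# checks for. Run from an elevated PowerShell session on the device being onboarded.

# Resolution hints keyed by event ID, taken from the two tables above.
$Hints = @{
    # Windows Logs > Application, event source WDATPOnboarding (onboarding script)
    'WDATPOnboarding' = @{
        5  = 'Offboarding data could not be deleted: check permissions on HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.'
        10 = 'Onboarding data could not be written: check registry permissions; run the script as administrator.'
        15 = 'SENSE failed to start: check "sc query sense" for a pending state; error 577/1058 means the ELAM driver is disabled by policy.'
        30 = 'Timed out waiting for SENSE to start: review the SENSE Operational log.'
        35 = 'OnboardingState missing under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.'
        40 = 'OnboardingState is not 1: SENSE did not onboard properly.'
        65 = 'Insufficient privileges: rerun the script as administrator.'
    }
    # Applications and Services Logs > Microsoft > Windows > SENSE > Operational (sensor)
    'SENSE' = @{
        5  = 'Cannot connect to the service: ensure Internet access (and WinHTTP proxy settings).'
        6  = 'Not onboarded and no parameters found: run the onboarding script again.'
        7  = 'Cannot read onboarding parameters: ensure Internet access, rerun onboarding.'
        9  = 'Cannot change start type: reboot and rerun onboarding; during offboarding, contact support.'
        10 = 'Cannot persist onboarding data: rerun onboarding; contact support if it persists.'
        15 = 'Cannot start command channel: ensure Internet access.'
        17 = 'Cannot change the DiagTrack service location: rerun onboarding; contact support if it persists.'
        25 = 'Cannot reset health status: contact support.'
        27 = 'Cannot enable MDE mode in Windows Defender: contact support.'
        55 = 'Cannot create Secure ETW autologger: reboot the device.'
        63 = 'External service start type changed: if exit code is not 0, fix the start type manually.'
        68 = 'Unexpected service start type: find what changes it and restore the expected type.'
        69 = 'Dependent service stopped: start it; contact support if it persists.'
    }
}

function Get-OnboardingDiagnostics {
    param([int]$MaxEvents = 50)
    # Each query mirrors an Event Viewer view above; Level 1,2,3 = Critical, Error, Warning.
    $queries = @(
        @{ Source = 'WDATPOnboarding'; Filter = @{ LogName = 'Application'; ProviderName = 'WDATPOnboarding' } },
        @{ Source = 'SENSE';           Filter = @{ LogName = 'Microsoft-Windows-SENSE/Operational'; Level = 1, 2, 3 } }
    )
    foreach ($q in $queries) {
        # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match the filter.
        $events = Get-WinEvent -FilterHashtable $q.Filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Source  = $q.Source
                Id      = $e.Id
                Level   = $e.LevelDisplayName
                Message = ($e.Message -split "`r?`n")[0]   # first line only, keeps the table readable
                Hint    = $Hints[$q.Source][$e.Id]
            }
        }
    }
}

function Get-SenseOnboardingState {
    # SENSE writes OnboardingState on first start; the onboarding script expects the value 1.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue   # same service as "sc query sense"
    [pscustomobject]@{
        OnboardingState = if ($null -eq $state) { '<missing>' } else { $state }
        SenseStatus     = if ($sense) { [string]$sense.Status } else { '<service not found>' }
        Onboarded       = ($state -eq 1 -and $sense -and $sense.Status -eq 'Running')
    }
}

Get-SenseOnboardingState | Format-List
Get-OnboardingDiagnostics | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

An event ID with no Hint column entry is one not covered by the tables above; check its full message in Event Viewer.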

There are additional components on the device that the Microsoft Defender for Endpoint agent depends on to function properly. If there are no onboarding-related errors in the Microsoft Defender for Endpoint agent event log, proceed with the following steps to ensure that the additional components are configured correctly.

Ensure the diagnostic data service is enabled

If the devices aren't reporting correctly, you might need to check that the Windows diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes.

First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).

Ensure the service is set to start

Use the command line to check the Windows diagnostic data service startup type:

  1. Open an elevated command-line prompt on the device:

    a. Click Start, type cmd, and press Enter.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

      sc qc diagtrack

    If the service is enabled, the result should look like the following screenshot:

    The result of the sc query command for diagtrack

    If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.

Use the command line to set the Windows diagnostic data service to automatically start:

  1. Open an elevated command-line prompt on the device:

    a. Click Start, type cmd, and press Enter.

    b. Right-click Command prompt and select Run as administrator.

  2. Enter the following command, and press Enter:

      sc config diagtrack start=auto

  3. A success message is displayed. Verify the change by entering the following command, and press Enter:

      sc qc diagtrack

  4. Start the service. In the command prompt, type the following command and press Enter:

      sc start diagtrack
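The same check-then-fix sequence (query the startup type, set it to automatic, start the service, verify) can be scripted so it is repeatable across a fleet. The following PowerShell is an added example, not part of the original article; the function names are my own, and it deliberately touches only DiagTrack.

```powershell
# Added example (not from the original article): check and, if needed, repair the
# startup type and state of the Windows diagnostic data service (DiagTrack). It does in
# PowerShell what the sc qc / sc config / sc start commands above do; run it elevated.

function Get-ServiceStartupInfo {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_Service carries the same facts "sc qc" shows as START_TYPE and "sc query" as STATE.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' was not found on this device." }
    [pscustomobject]@{
        Name      = $svc.Name
        StartMode = $svc.StartMode      # expected 'Auto', which sc reports as AUTO_START
        State     = $svc.State          # expected 'Running'
        Healthy   = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
    }
}

function Repair-DiagTrackStartup {
    # SupportsShouldProcess gives -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Only DiagTrack is touched here. The Windows Defender services listed later on this
    # page (wdboot, wdfilter, wdnisdrv, wdnissvc, windefend) must stay at their defaults.
    $before = Get-ServiceStartupInfo -Name 'DiagTrack'
    if ($before.Healthy) {
        Write-Verbose 'DiagTrack is already set to Automatic and is running.'
        return $before
    }

    if ($before.StartMode -ne 'Auto' -and
        $PSCmdlet.ShouldProcess('DiagTrack', 'Set startup type to Automatic')) {
        Set-Service -Name 'DiagTrack' -StartupType Automatic   # sc config diagtrack start=auto
    }
    if ($before.State -ne 'Running' -and
        $PSCmdlet.ShouldProcess('DiagTrack', 'Start service')) {
        Start-Service -Name 'DiagTrack'                         # sc start diagtrack
    }

    # Re-read the service so the caller sees the verified state, as "sc qc diagtrack" would.
    Get-ServiceStartupInfo -Name 'DiagTrack'
}

Repair-DiagTrackStartup -Verbose | Format-List
```

Run with -WhatIf first to see which of the two changes would be applied on a given device.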

Ensure the device has an Internet connection

The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor information and communicate with the Microsoft Defender for Endpoint service.

WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to discover the proxy servers that are available in your particular environment.

To ensure that the sensor has service connectivity, follow the steps described in the Verify client connectivity to Microsoft Defender for Endpoint service URLs topic.

If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in the Configure proxy and Internet connectivity settings topic.

Ensure that Microsoft Defender Antivirus is not disabled by a policy

Important

The following only applies to devices that have not yet received the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.

The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via system policy.

Problem: The Microsoft Defender for Endpoint service does not start after onboarding.

Symptom: Onboarding successfully completes, but you encounter error 577 or error 1058 when trying to start the service.

Solution: If your devices are running a third-party antimalware client, the Microsoft Defender for Endpoint agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy.

  • Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:

    • DisableAntiSpyware
    • DisableAntiVirus

    For example, in Group Policy there should be no entries such as the following values:

    • <Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>
    • <Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiVirus"/></Key>

Important

The DisableAntiSpyware setting is discontinued and will be ignored on all Windows 10 devices, as of the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.

  • After clearing the policy, run the onboarding steps again.

  • You can also check the previous registry key values to verify that the policy is disabled, by opening the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.

    The registry key for Microsoft Defender Antivirus

    Note

    All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system.

    Example default configurations for WdBoot and WdFilter:

    • <Key Path="SYSTEM\CurrentControlSet\Services\WdBoot"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>
    • <Key Path="SYSTEM\CurrentControlSet\Services\WdFilter"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>
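On devices covered by the Important note above (not yet on the August 2020 update), the registry values this section describes can be verified before onboarding is retried. The following PowerShell is an added example, not part of the original article: it reads the DisableAntiSpyware and DisableAntiVirus policy values and the WdBoot and WdFilter Start values listed above and reports deviations without changing anything; the function name is my own.

```powershell
# Added example (not from the original article): read-only check of the registry values
# this section describes. It reports whether a policy under Windows Defender sets
# DisableAntiSpyware or DisableAntiVirus, and whether the WdBoot and WdFilter ELAM
# drivers still have their default Start value of 0. Nothing is changed, because the note
# above says altering the Windows Defender services' startup is unsupported. Run elevated.

function Test-DefenderDisablePolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $findings  = @()

    # Guidance above is that these policy values are cleared, i.e. not present at all,
    # so any value (even 0) is flagged for review.
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Check    = "Policies\Microsoft\Windows Defender\$name"
            Value    = if ($null -ne $item) { $item.$name } else { '<absent>' }
            Expected = '<absent>'
            Ok       = ($null -eq $item)
        }
    }

    # ELAM drivers: the example default configuration above is Start = 0 (boot start).
    foreach ($driver in 'WdBoot', 'WdFilter') {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$driver"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $findings += [pscustomobject]@{
            Check    = "Services\$driver\Start"
            Value    = if ($null -eq $start) { '<missing>' } else { $start }
            Expected = 0
            Ok       = ($start -eq 0)
        }
    }
    $findings
}

$report = Test-DefenderDisablePolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    # Errors 577/1058 at SENSE start are the symptom this section ties to these settings.
    Write-Warning 'Defender policy or ELAM driver configuration deviates from the expected values; clear the policy, then run the onboarding steps again.'
}
```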

Troubleshoot onboarding issues

Note

The following troubleshooting guidance is only applicable for Windows Server 2016 and lower.

If you run into issues while onboarding a server, go through the following verification steps to address possible issues.

  • Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service
  • Ensure that the server proxy and Internet connectivity settings are configured properly

You might also need to check the following:

  • Check that there is a Microsoft Defender for Endpoint Service running in the Processes tab in Task Manager. For example:

    The process view with Microsoft Defender for Endpoint Service running

  • Check Event Viewer > Applications and Services Logs > Operations Manager to see if there are any errors.

  • In Services, check if the Microsoft Monitoring Agent is running on the server. For example,

    The services

  • In Microsoft Monitoring Agent > Azure Log Analytics (OMS), check the Workspaces and verify that the status is running.

    The Microsoft Monitoring Agent Properties

  • Check to see that devices are reflected in the Devices list in the portal.

Confirming onboarding of newly built devices

There may be instances when onboarding is deployed on a newly built device but not completed.

The steps below provide guidance for the following scenario:

  • Onboarding package is deployed to newly built devices
  • Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
  • Device is turned off or restarted before the end user performs a first logon
  • In this scenario, the SENSE service will not start automatically even though the onboarding package was deployed

Note

The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see Microsoft Defender for Endpoint.

  1. Create an application in Microsoft Endpoint Configuration Manager.

    The Microsoft Endpoint Configuration Manager configuration-1

  2. Select Manually specify the application information.

    The Microsoft Endpoint Configuration Manager configuration-2

  3. Specify information about the application, then select Next.

    The Microsoft Endpoint Configuration Manager configuration-3

  4. Specify information about the software center, then select Next.

    The Microsoft Endpoint Configuration Manager configuration-4

  5. In Deployment types select Add.

    The Microsoft Endpoint Configuration Manager configuration-5

  6. Select Manually specify the deployment type information, then select Next.

    The Microsoft Endpoint Configuration Manager configuration-6

  7. Specify information about the deployment type, then select Next.

    The Microsoft Endpoint Configuration Manager configuration-7

  8. In Content > Installation program specify the command: net start sense.

    The Microsoft Endpoint Configuration Manager configuration-8

  9. In Detection method, select Configure rules to detect the presence of this deployment type, and then select Add Clause.

    The Microsoft Endpoint Configuration Manager configuration-9

  10. Specify the following detection rule details, then select OK:

    The Microsoft Endpoint Configuration Manager configuration-10

  11. In Detection method select Next.

    The Microsoft Endpoint Configuration Manager configuration-11

  12. In User Experience, specify the following information, and then select Next:

    The Microsoft Endpoint Configuration Manager configuration-12

  13. In Requirements, select Next.

    The Microsoft Endpoint Configuration Manager configuration-13

  14. In Dependencies, select Next.

    The Microsoft Endpoint Configuration Manager configuration-14

  15. In Summary, select Next.

    The Microsoft Endpoint Configuration Manager configuration-15

  16. In Completion, select Close.

    The Microsoft Endpoint Configuration Manager configuration-16

  17. In Deployment types, select Next.

    The Microsoft Endpoint Configuration Manager configuration-17

  18. In Summary, select Next.

    The Microsoft Endpoint Configuration Manager configuration-18

    The status is then displayed: The Microsoft Endpoint Configuration Manager configuration-19

  19. In Completion, select Close.

    The Microsoft Endpoint Configuration Manager configuration-20

  20. You can now deploy the application by right-clicking the app and selecting Deploy.

    The Microsoft Endpoint Configuration Manager configuration-21

  21. In General select Automatically distribute content for dependencies and Scan.

    The Microsoft Endpoint Configuration Manager configuration-22

  22. In Content select Next.

    The Microsoft Endpoint Configuration Manager configuration-23

  23. In Deployment settings, select Next.

    The Microsoft Endpoint Configuration Manager configuration-24

  24. In Scheduling select As soon as possible after the available time, and then select Next.

    The Microsoft Endpoint Configuration Manager configuration-25

  25. In User experience, select Commit changes at deadline or during a maintenance window (requires restarts), then select Next.

    The Microsoft Endpoint Configuration Manager configuration-26

  26. In Alerts select Next.

    The Microsoft Endpoint Configuration Manager configuration-27

  27. In Summary, select Next.

    The Microsoft Endpoint Configuration Manager configuration-28

    The status is then displayed: The Microsoft Endpoint Configuration Manager configuration-29

  28. In Completion, select Close.

    The Microsoft Endpoint Configuration Manager configuration-30

  • Troubleshoot Microsoft Defender for Endpoint
  • Onboard devices
  • Configure device proxy and Internet connectivity settings