Unable to onboard devices in Defender anymore
We have a number of AVDs which are onboarded automatically in Defender; suddenly this process started to fail.
We can see an interesting error message:
VERBOSE: [2024-08-21 09:26:11Z][Information] Preparing onboarding package
VERBOSE: [2024-08-21 09:26:11Z][Information] Decoding onboarding script from base64 string
VERBOSE: [2024-08-21 09:26:11Z][Information] Decode onboarding script successfully
VERBOSE: [2024-08-21 09:26:11Z][Information] Verifying JSON signature
VERBOSE: [2024-08-21 09:26:11Z][Information] Signature verification result: True
VERBOSE: [2024-08-21 09:26:11Z][Error] base chain cetificate is not valid because: PartialChain
VERBOSE: [2024-08-21 09:26:11Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011 is valid: True
VERBOSE: [2024-08-21 09:26:11Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2011 is valid: True
VERBOSE: [2024-08-21 09:26:11Z][Information] Chain valid: False
VERBOSE: [2024-08-21 09:26:11Z][Information] Certificate chain verification result: False
VERBOSE: [2024-08-21 09:26:11Z][Error] Onboarding blob signature is not valid
It looked a little different in the past – it seems like the certificate was not verified:
VERBOSE: [2024-04-10 07:14:35Z][Information] Preparing onboarding package
VERBOSE: [2024-04-10 07:14:35Z][Information] Decoding onboarding script from base64 string
VERBOSE: [2024-04-10 07:14:35Z][Information] Decoding onboarding script from base64 string completed successfully
VERBOSE: [2024-04-10 07:14:35Z][Information] Onboarding package prepared successfully
VERBOSE: [2024-04-10 07:14:35Z][Information] Running onboarding package
VERBOSE: [2024-04-10 07:14:35Z][Information] Successfully started process, waiting to finish with timeout
VERBOSE: [2024-04-10 07:14:54Z][Information] Onboarding package script completed successfully
VERBOSE: [2024-04-10 07:14:54Z][Information] Setting Azure Defender for Server identifiers in registry
VERBOSE: [2024-04-10 07:14:54Z][Information] Path HKLM:\Software\Policies\Microsoft\Windows Advanced Threat Protection already exists
VERBOSE: [2024-04-10 07:14:54Z][Information] Registry path HKLM:\Software\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging doesn’t exist, creating it
We can see that the version of Windows.MDE(?) has changed: currently it is 1.0.10.3, previously (for onboarded devices) it was 1.0.9.5 – I can’t find a version history anywhere – this is just the name of the folder where the logs are located.
We’ve checked all the policies we have implemented for these devices but we were unable to find anything which could break this.
Does anyone experience the same? Do you have any ideas what went wrong here?
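The log shows each certificate individually reported as valid but the chain ending in PartialChain, which means the chain could not be anchored in this host's Trusted Root store. The following PowerShell is an added diagnostic, not part of the original post or of the Defender onboarding script: it checks whether the two CA certificates named in the log are present in the LocalMachine stores and rebuilds a chain from the onboarding signer so the same status flag can be reproduced locally. The signer path ($SignerCertPath) is an assumption; the post does not say where that certificate is stored.

```powershell
# Added diagnostic for the PartialChain error seen in the MDE onboarding log.
# Run in an elevated PowerShell on the affected AVD host.
param(
    # Assumed location of the certificate that signed the onboarding blob;
    # export it from the onboarding package or point this at the real file.
    [string]$SignerCertPath = 'C:\Temp\onboarding-signer.cer'
)

# Subjects copied from the log lines: root must live in Root, intermediate in CA.
$expected = @(
    'CN=Microsoft Root Certificate Authority 2011',
    'CN=Microsoft Secure Server CA 2011'
)

# 1. Is each CA actually present in a LocalMachine store? A cert that parses as
#    "valid" in the log can still be untrusted here, which yields PartialChain.
foreach ($subjectCn in $expected) {
    $hits = foreach ($store in 'Root', 'CA') {
        Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Subject -like "*$subjectCn*" }
    }
    if ($hits) {
        foreach ($h in $hits) { "{0,-50} present in {1}" -f $subjectCn, $h.PSParentPath }
    } else {
        "MISSING: $subjectCn not found in LocalMachine\Root or LocalMachine\CA"
    }
}

# 2. Rebuild the chain the same way the onboarding script's verifier would and
#    print the per-element and chain-level status flags (PartialChain, UntrustedRoot, ...).
if (Test-Path $SignerCertPath) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SignerCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped on purpose so trust-anchor problems are not masked by network errors.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    "Chain valid: $built"
    foreach ($el in $chain.ChainElements) {
        "  {0}" -f $el.Certificate.Subject
        foreach ($s in $el.ChainElementStatus) { "     -> {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
    }
    foreach ($s in $chain.ChainStatus) { "  chain status: {0} ({1})" -f $s.Status, $s.StatusInformation.Trim() }
} else {
    "Signer certificate not found at $SignerCertPath; skipping chain rebuild"
}
```

If step 1 reports the 2011 root as missing, compare the host's root store against a working device before looking further at policy; if the root is present but step 2 still returns PartialChain, the chain is being built under a different store context than the one you inspected.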