The Microsoft Defender for Identity Health Issues page lists any current health issues for your Defender for Identity deployment and sensors, alerting you to any problems in your Defender for Identity deployment.
Health issues page
The Microsoft Defender for Identity Health issues page lets you know when there's a problem with your Defender for Identity workspace, by raising a health issue. To access the page, follow these steps:
The Health issues page appears, where you can see health issues for both your general Defender for Identity environment and specific sensors.
Defender for Identity supports the following types of health alerts:
Domain-related or aggregated health issues, listed on the Global health issues tab
Sensor-specific health issues, listed on the Sensor health issues tab
Filter issues by status, issue name, or severity to help you find the issue you're looking for.
For example:
Select any issue for more details and the option to close or suppress the issue. For example:
Health issues
This section describes all the health issues for each component, listing the cause and the steps needed to resolve the problem.
Sensor-specific health issues are displayed in the Sensor health issues tab and domain related or aggregated health issues are displayed in the Global health issues tab as detailed in the following tables:
A domain controller is unreachable by a sensor
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor has limited functionality due to connectivity issues to the configured domain controller.
This affects Defender for Identity's ability to detect suspicious activities related to domain controllers monitored by this Defender for Identity sensor.
Make sure the domain controllers are up and running and that this Defender for Identity sensor can open LDAP connections to them. In addition, in Settings make sure to configure a Directory Service account for every deployed forest.
Medium
Sensors health issues tab
All/Some of the capture network adapters on a sensor are not available
Alert
Description
Resolution
Severity
Displayed in
All/Some of the selected capture network adapters on the Defender for Identity sensor are disabled or disconnected.
Network traffic for some/all of the domain controllers is no longer captured by the Defender for Identity sensor. This issue affects the ability to detect suspicious activities, related to those domain controllers.
Make sure these selected capture network adapters on the Defender for Identity sensor are enabled and connected.
Medium
Sensors health issues tab
Directory services user credentials are incorrect
Alert
Description
Resolution
Severity
Displayed in
The credentials for the directory services user account are incorrect.
This issue affects sensors' ability to detect activities using LDAP queries against domain controllers.
- For a standard AD accounts: Verify that the username, password, and domain in the Directory services configuration page are correct. - For group Managed Service Accounts: Verify that the username and domain in the Directory Services configuration page are correct. Also check all the other gMSA account prerequisites described on the Directory Service account recommendations page.
Medium
Global health issues tab
Low success rate of active name resolution
Alert
Description
Resolution
Severity
Displayed in
The listed Defender for Identity sensors are failing to resolve IP addresses to device names more than 90% of the time using the following methods: - NTLM over RPC - NetBIOS - Reverse DNS
This affects Defender for Identity's detections capabilities and might increase the number of false positive alarms.
- For NTLM over RPC: Check that port 135 is open for inbound communication from Defender for Identity sensors on all computers in the environment. - For reverse DNS: Check that the sensors can reach the DNS server and that Reverse Lookup Zones are enabled. - For NetBIOS: Check that port 137 is open for inbound communication from Defender for Identity sensors on all computers in the environment. Additionally, make sure that the network configuration (such as firewalls) isn't preventing communication to the relevant ports.
Low
Sensors health issues tab and Global health issues tab
No traffic received from domain controller
Alert
Description
Resolution
Severity
Displayed in
No traffic was received from the domain controller via this Defender for Identity sensor.
This issue might indicate that port mirroring from the domain controllers to the Defender for Identity sensor isn't configured yet or not working.
Sensors health issues tab and Global health issues tab
Sensor reached a memory resource limit
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor stopped itself and restarts automatically to protect the domain controller from a low memory condition.
The Defender for Identity sensor enforces memory limitations upon itself to prevent the domain controller from experiencing resource limitations. This issue occurs when memory usage on the domain controller is high. Data from this domain controller is only partly monitored.
Increase the amount of memory (RAM) on the domain controller or add more domain controllers in this site to better distribute the load of this domain controller.
Medium
Sensors health issues tab
Sensor service failed to start
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor service failed to start for at least 30 minutes.
This issue can affect the ability to detect suspicious activities originating from domain controllers that are monitored by this Defender for Identity sensor.
Monitor Defender for Identity sensor logs to understand the root cause for Defender for Identity sensor service failure.
High
Sensors health issues tab
Sensor stopped communicating
Alert
Description
Resolution
Severity
Displayed in
There has been no communication from the Defender for Identity sensor. The default time span for this alert is 5 minutes.
This indicates that the sensor failed to send data or a keep-alive signal to the Defender for Identity services for a period exceeding the allowed time. This typically suggests either a network issue in the environment that prevented data transmission or a server restart that took longer than the acceptable time frame, impacting Defender for Identity's ability to detect suspicious activities.
Check the communication between the Defender for Identity sensor and Defender for Identity cloud service isn't blocked by any routers or firewalls.
Medium
Sensors health issues tab
Some Windows events are not being analyzed
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor is receiving more events than it can process.
Some Windows events aren't being analyzed. This can affect the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor.
Consider adding more processors and memory as required. If you're using a standalone Defender for Identity sensor, verify that only the required events are forwarded to the sensor. Or, try forwarding some events to another Defender for Identity sensor.
Medium
Sensors health issues tab and Global health issues tab
Some network traffic could not be analyzed
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor is receiving more network traffic than it can process.
Some network traffic couldn't be analyzed. This issue can affect the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor.
Consider adding more processors and memory as required. If you're using a standalone Defender for Identity sensor, reduce the number of domain controllers being monitored.
This issue can also happen if you're using domain controllers on VMware virtual machines. To avoid these issues, you can check that the following settings are set to 0 or Disabled in the virtual machine (in the Windows OS, not in the VMware settings):
- Large Send Offload V2 (IPv4)
- IPv4 TSO Offload
The names can vary depending on your VMware version. For more information, see your VMware documentation.
Medium
Sensors health issues tab and Global health issues tab
Some ETW events are not being analyzed
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor is receiving more Event Tracing for Windows (ETW) events than it can process.
Some Event Tracing for Windows (ETW) events aren't being analyzed. This can affect the ability to detect suspicious activities originating from domain controllers being monitored by this Defender for Identity sensor.
Sensors health issues tab and Global health issues tab
Sensor running on an operating system that will soon become unsupported
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor is running on an operating system that will soon become unsupported.
Windows Server 2012 and 2012 R2 reached end of support on October 10, 2023. More details can be fount at: https://aka.ms/mdi/oseos
The operating system on the server should be upgraded to the latest supported operating system. For more details, see: https://aka.ms/mdi/os
Medium
Sensors health issues tab
Sensor running on an unsupported operating system
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor is running on an unsupported operating system.
Windows Server 2012 and 2012 R2 reached end of support on October 10, 2023. More details can be found at: https://aka.ms/mdi/oseos
The operating system on the server should be upgraded to the latest supported operating system. For more details, see: https://aka.ms/mdi/os
High
Sensors health issues tab
Sensor has issues with packet capturing component
Alert
Description
Resolution
Severity
Displayed in
The Defender for Identity sensor is using WinPcap drivers instead of Npcap drivers.
All customers should be using Npcap drivers instead of the WinPcap drivers. Starting with Defender for Identity version 2.184, the installation package installs Npcap 1.0 OEM.
Power mode is not configured for optimal processor performance
Alert
Description
Resolution
Severity
Displayed in
Power mode is not configured for optimal processor performance. (This configuration is validated once a day, per sensor).
The operating system's power mode isn't configured to the optimal processor performance settings. This issue can affect the server's performance and the sensors' ability to detect suspicious activities.
Do one of the following:
- Configure the power option of the machine running the Defender for Identity sensor to High Performance - Set both the minimum and maximum processor state to 100
The custom log path provided in the sensor configuration can't be created.
1. Stop the AATPSensorUpdater and AATPSensor services. 2. Change the SensorCustomLogLocation in the sensor configuration file to a valid path or set it to null. 3. Start the AATPSensorUpdater and AATPSensor services again.
Low
Sensors health issues tab
Radius accounting (VPN integration) data ingestion failures
Alert
Description
Resolution
Severity
Displayed in
Radius accounting (VPN integration) data ingestion failures.
The listed Defender for Identity sensors have radius accounting (VPN integration) data ingestion failures.
Audit and diagnostic logs within Microsoft Entra ID provide a rich view into how users are accessing your Azure solution. Learn to monitor, troubleshoot, and analyze sign-in data.