This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 59%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
So we activated Defender ATP within Intune and connected it with Microsoft Defender Security Center:
I can see the devices at https://securitycenter.windows.com/machines
But Intune reports them as devices without ATP-sensor:
Also Defender Security Center states: "Device not found in Azure ATP"
I don't know why this is, because I made a Device configuration profile for onboarding the devices in ATP:
I looked at the SENSE log at Microsoft-Windows-SENSE/Operational, but don't see any errors there:
only informational entry's >>
Does anyone know where to look for now?
Hi, we are looking into this issue and will update you shortly!
By the way, the following setting is enabled within Intune:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Chned , From your description, I know we configure the Device Configuration profile to onboard the devices in ATP. But it is not working. If there's any misunderstanding, feel free to let us know.
From Intune side, we can check the affected Device configuration profile , click Device status to see if the profile is applied successfully on these two devices. meanwhile, please click the " devices without ATP-sensor" and see what is the detailed status.
Please check the above information and if there's anything unclear, feel free to let us know.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
For these 2 devices I always see the following Error for System account? I assume this sensor isn't relying on any account?
Below is the Error information
Following is what I see after choosing "List of devices without ATP sensor"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
@Chned Can you confirm if the device configuration profile was created before establishing the connection as if we do that the package file needs to be uploaded separately. Also try targeting the Device Config policy for the Device Group as the evaluation is done in Device context. So you would not see different UPNs and system accounts.
This current profile was created AFTER making the Microsoft Intune connection in Microsoft Defender Security Center. I then choose for "Create a device configuration profile to configure ATP sensor" at the bottom of the "Microsoft Defender ATP"-page.
This profile is assigned to two groups and the Members in those groups are only those Devices.
@Chned , For the error code 0x87d1fde8, based on my research, the possible cause seems that Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. We can see more detaisl in the following link:
https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#microsoft-intune-error-codes-and-oma-uris
From your dexscrption in previous reply. it seems there's no error in Windows-SENS log. Given the situation, we suggest to open a case to look into more logs to troubleshoot on it.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support
Thanks for the understanding and have a nice day!
So here we go... I just deleted this onboarding device configuration profile again (for the 3rd time, as a last effort) and made it again (just the same way as I did this before) and now it is working! It's a really simple profile and you can't really mess up anything here..
Very strange/buggy behaviour here..
@Chned , Thanks for the update. i am glad that it is working now. From the phenomenon, The device configuration profile is applied successfully. But the status is not changed. I guess it may have some synchronization issue in the background. If we face such issue in the future, open case to check logs in the background to find more information may help
Thanks again for your time and have a nice day!
Unfortunately it isn't working consistently; I wiped the devices again (for testing purposes) and after enrollment it isn't working anymore.... Same settings et cetera..
The SENSE log still doesn't show any errors:
But I do see the errors with "System account":
@Chned , Based as I know, for some settings in device configuration profile, it can be only applied to the user login the device. Could you confirm if the error is there with system account when it is working before?
I think so, but how to be 100% sure? (since devices got wiped, I can't see those statusses anymore) Maybe in some log?
@Chned , To check the device configuration policy applied status, on client side, we can see the MDM Diagnostic log or event log to check. We can see if the setting is under Diagnostic logs or if there's any related error under event log. To find the log, we can refer to the following links
https://learn.microsoft.com/en-us/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10
https://osddeployment.dk/2017/10/22/what-is-new-in-mdm-diagnostic-in-windows-10-1709/
Note: Non-Microsoft link, just for the reference.
Hope it can help.
Unfortunately, like I said: the device got wiped already so I can't see those logs anymore..
Problem is that ATP-sensor doesn't work anymore. What could be the cause?
@Chned , If so, we suggest to open a case to Microsoft to check the logs in the background to know more.
https://learn.microsoft.com/en-us/mem/intune/fundamentals/get-support
What logs are you aiming for?
@Chned , For the logs on client side, we can enroll the device into Intune, collect MDM Diagnostic log, event log and provide them to Microsoft support engineer to analyze. For the intune side background log, only support engineer can check.
Thanks for the understanding and have a nice day!
What can I check further on my side except for the things I already checked (SENSE-log)?
And what to look for then?
@Chned Chned-6770, As we don't have ATP in my environment, we can't check the logs for you. Here, I have done research and find the following article. You can see if there's any other log we can check
https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#troubleshoot-onboarding-issues-using-microsoft-intune
Hope it can help.
Look at my startpost, I already gave information about the SENSE-log >> that looks all fine. Also device is to find in https://securitycenter.windows.com/
What to look for in the MDM Diagnostic Information log? When I search for Defender I find the following: 32548-log.txt
@Chned , Thanks for the reply.
As a reminder, to protect the customer information, please ensure there's no privacy information included.
For the MDM Diagnostic report, we can check if there's any keyword like onboarding. If not, maybe we can check the event log under Applications and Services Logs\Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider to see if any event with the CSP:
./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
https://learn.microsoft.com/en-us/windows/client-management/mdm/windowsadvancedthreatprotection-csp
Meanwhile, for the error under system account, after doing more and more research, I find a similar case is fixed after login the device with a local account. maybe we can try. After that, we can check if the error will go away and if the device will be put into the "Devices with ATP sensor."
Hope it can help.