Step-by-step guide to installing Azure ATP Sensor on your domain controllers
You can set up an Azure ATP Sensor install on your domain controllers by following the right steps. Check all requirements before you begin. This helps you stop common mistakes. If you have problems, use troubleshooting steps to fix them fast. Always make sure each step works before you go to the next one. Careful setup keeps your system safe and your sensor working well.
Key Takeaways
Azure ATP Sensor keeps your network safe. It does this by watching domain controllers for strange actions and bad behavior.
Before you start, make sure you have the right license. You also need the right permissions, network setup, and enough hardware. This helps you avoid problems.
Use a group Managed Service Account or a read-only Active Directory account. These accounts help run the sensor in a safe way.
Get the installer from the Microsoft 365 Defender portal. Unzip the file. Run the setup as an administrator. Use your access key when you do this.
After you install it, check if the sensor is working. Use PowerShell and the Defender portal to do this. If there are problems, use logs to help fix them.
Overview
What is Azure ATP Sensor
Azure ATP Sensor is a security tool. It helps you keep your network safe by watching your domain controllers. You can put it on your domain controllers or on another server with port mirroring. The sensor looks for signs of attacks and unsafe connections. It does more than regular antivirus software. It checks for patterns that attackers use, not just known viruses.
Some important features are:
It watches domain controller activity in real time for strange behavior.
It finds attacker actions like reconnaissance, lateral movement, and persistence.
It works with Event Tracing for Windows to collect detailed logs.
It connects with network traffic analysis and threat intelligence.
It lets you manage updates easily, including a delayed update feature. This means you can choose when sensors update, so you can test changes before updating all sensors.
Tip: The delayed update feature helps you handle updates better. You can set some sensors to update 72 hours after the main service update. This gives you more control.
Here is a quick comparison between Azure ATP Sensor and regular security solutions:
Why Use on Domain Controllers
You get strong security when you use Azure ATP Sensor on your domain controllers. The sensor gives you alerts for identity-based threats, like strange logins or accounts that are not safe. It helps you find attackers who try to move through your network by watching authentication and directory service activity.
With Azure ATP Sensor, you can:
Find suspicious insider actions, like odd logon times or access to important files.
Stop lateral movement by spotting unsafe credentials and mapping attack paths.
Get alerts for every part of a cyber-attack, like reconnaissance, credential theft, and data exfiltration.
Use honeytokens to catch attackers early.
Make investigations better by linking identity alerts with other Microsoft 365 Defender data.
Set up automatic responses to stop threats fast.
When you finish installing Azure ATP Sensor on all domain controllers, you make your defenses stronger and see more about your network’s security.
Prerequisites
Licensing and Permissions
You need the right license before you start. You can get Azure ATP licensing with Enterprise Mobility + Security E5 or by itself. Buy it from the Microsoft 365 portal or a Cloud Solution Partner. You do not need a special license just to put the sensor on domain controllers.
You need a directory service account with read access to all domain objects. This account can be a normal Active Directory user or a Group Managed Service Account (gMSA). You only need local machine rights to install the sensor. You do not need Global Admin or Security Admin rights. You just need the installation key and local admin access.
Tip: Use an account with only the permissions you need. This helps keep your system safe and lowers risk.
Network and Hardware
Check your network and hardware first. Here is what you need:
Two network adapters:
Management adapter: Connects to your company network. Use a static IP, default gateway, and DNS servers. The DNS suffix should match your domain.
Capture adapter: Captures domain controller traffic. Use a static, non-routable IP like 10.10.0.10/32. Do not set a gateway or DNS.
Set up port mirroring on your switch or virtualization platform. This sends domain controller traffic to the capture adapter.
Open these ports on the management adapter: LDAP (389), LDAPS (636), Global Catalog (3268, 3269), Kerberos (88), and Windows Time (123).
Turn on NTLM auditing and make sure event 8004 is logged.
Install Microsoft .NET Framework 4.7 or newer.
Do not use NIC Teaming. It can cause problems.
Run the sizing tool for 24 hours on each domain controller. This checks CPU and RAM needs.
Network setup can change how well the sensor works. If your domain controller does not have enough resources, the sensor may stop checking traffic. Always check your network and server settings before you install.
Account Setup
Follow these steps to set up accounts for Azure ATP Sensor:
Use PowerShell to test Defender cloud service access from your domain controller.
Make sure your forest schema is at least Windows Server 2012. You need a master root key and at least one Windows Server 2012 domain controller.
Use PowerShell to check for the KDS root key. Make it if you do not have one.
Create a gMSA:
Make an Active Directory group for your domain controllers.
Add your domain controllers to this group.
Use PowerShell to create the gMSA and let the group get the managed password.
Check the gMSA with PowerShell.
Put the gMSA on each domain controller. Wait for Kerberos ticket renewal or restart the servers.
Add the directory service account in Microsoft 365 Defender. Enter the account details and save them to connect your sensors.
Note: Use an account with only read access to Active Directory. You can add SAM-R permissions if you want the sensor to find lateral movement paths.
Azure ATP Sensor install
Putting an Azure ATP Sensor on your domain controllers helps keep your network safe. You need to follow each step so the sensor works right. This guide shows you how to do it.
Download and Extract Installer
You have to get the installer from the Microsoft 365 Defender portal. Here are the steps:
Go to the Microsoft 365 Defender portal at https://security.microsoft.com/.
Open Settings, pick Identities, and go to the Sensors page.
Click + Add Sensor to start downloading.
Download the file called Azure ATP Sensor Setup.zip. Write down the Access key you see. You need it later.
Unzip the file to a folder on your computer. Do not run the installer from the zip file. This can cause problems.
Move the unzipped files to the domain controller where you want to put the sensor.
Tip: Always unzip the installer files before you run them. If you run the installer from the zip file, you might get errors.
Some problems you might see when unzipping are:
The update service might not start if you do not have the right permissions.
You could get MSI errors like 2203 or 2262 if you do not unzip the files.
Software rules can block the installer if signatures or permissions are missing.
Run the installer as an administrator to avoid access errors.
Run Setup and Enter Access Key
After you unzip the files, you can start installing the Azure ATP Sensor:
Make sure your server has Microsoft .NET Framework 4.7 or newer. If not, the setup will install it and may ask you to restart.
Right-click Azure ATP sensor setup.exe and pick Run as administrator. Pick your language and go through the setup wizard.
The installer checks your server and picks the right sensor type.
On the sensor screen, enter the install path or use the default.
Paste the Access key you saved from the Defender portal.
Click Install to start. The setup puts in the sensor service, updater service, and Npcap OEM driver.
When it finishes, check that the sensor services are running in Windows Services.
Restart the domain controller to finish the setup.
Note: The Access key links your sensor to the cloud. You only need it for installation. After that, the sensor uses certificates to talk safely.
You can also use PowerShell for a silent install if you want to automate:
.\"Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="YourAccessKey"
Change YourAccessKey to the key you copied from the portal. The path must point at the extracted setup.exe, so run the command from the folder where you unzipped the files.
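The same unattended install wrapped in a function that checks the things this section warns about (extracted files, elevated session, exit code). This is an added example, not code from the article or from Microsoft; the extraction folder C:\Temp\AzureATPSensor is a placeholder.

```powershell
# Added example: unattended sensor install with the checks this article calls out.
# Assumes the zip was already extracted to $SetupDir and that this runs on the domain controller.
function Install-SensorSilent {
    param(
        [Parameter(Mandatory)][string]$AccessKey,      # key from the portal; treat it as a secret
        [string]$SetupDir = 'C:\Temp\AzureATPSensor'   # placeholder extraction folder
    )
    # The article warns against running from inside the zip: insist on an extracted setup.exe.
    $setup = Join-Path $SetupDir 'Azure ATP sensor Setup.exe'
    if (-not (Test-Path $setup)) { throw "Setup not found at $setup; extract the zip first" }

    # The installer must run elevated, or you get the access errors described above.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session'
    }

    # Same switches as the manual command: quiet setup, quiet .NET bootstrap, access key.
    $argList = @('/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=`"$AccessKey`"")
    $proc = Start-Process -FilePath $setup -ArgumentList $argList -Wait -PassThru

    # 3010 is the standard Windows Installer "succeeded, reboot required" code.
    switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed; reboot required' }
        default { throw "Setup exited with code $($proc.ExitCode); check the sensor logs" }
    }
}

# Usage: prompts for the key so it never lands in the command history.
Install-SensorSilent -AccessKey (Read-Host -Prompt 'Access key')
```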
Tip: Put the sensor on all your domain controllers. This gives you better security.
Configure gMSA Account
A group Managed Service Account (gMSA) helps you handle sensor permissions safely. Here is how to set it up:
Check if your Active Directory has a KDS Root Key. If not, make one with this PowerShell command:
Add-KdsRootKey -EffectiveImmediately
Make a security group for your domain controllers, or use the built-in "Domain Controllers" group.
Use PowerShell to make the gMSA account:
New-ADServiceAccount -Name "YourGMSAName" -DNSHostName "yourdomain.com" -PrincipalsAllowedToRetrieveManagedPassword "YourGroup"
Add the gMSA account to the "Log on as a service" policy. You can do this in Local Security Policy or Group Policy Management Editor.
In the Microsoft Defender for Identity portal, go to Settings > Identities > Directory Service accounts.
Add the gMSA account. Type the account name (ending with $), the domain, and mark it as a group managed service account. Save your changes and check that the sensor can use the gMSA account.
Note: The gMSA account takes care of its own password. You do not need to set or remember a password for it.
If you have more than one domain, you can use a universal group for all domain controllers. Sometimes, you need to wait or restart servers for new group memberships to work.
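The gMSA steps from the Account Setup section and from this section, carried out end to end in one script. This is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory RSAT module and Domain Admin rights, and the names mdiSvc01 and MDI-Sensor-Hosts are placeholders.

```powershell
# Added example: provision the sensor gMSA, the group that may retrieve its password, and the DC membership.
# Assumes the ActiveDirectory module is installed and the caller has rights to create groups and service accounts.
Import-Module ActiveDirectory

$gmsaName  = 'mdiSvc01'            # placeholder gMSA name; the portal entry will be mdiSvc01$
$groupName = 'MDI-Sensor-Hosts'    # placeholder group of domain controllers hosting sensors
$domainDns = (Get-ADDomain).DNSRoot

# 1. A KDS root key must exist before any gMSA can be created.
#    -EffectiveImmediately is for labs; in production omit it and wait for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Group that is allowed to retrieve the managed password: every DC that will run a sensor.
#    A universal group covers several domains in one forest, as the article notes.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security | Out-Null
}
$dcObjects = Get-ADDomainController -Filter * | Select-Object -ExpandProperty ComputerObjectDN
Add-ADGroupMember -Identity $groupName -Members $dcObjects

# 3. Create the gMSA. DNSHostName is the account's own FQDN (name.domain), not the bare domain name.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName `
        -KerberosEncryptionType AES256
}

# 4. Run on each DC after its Kerberos ticket reflects the new group membership (or after a reboot).
#    Test-ADServiceAccount returning True means the DC can retrieve the managed password.
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName
```

Steps 1 to 3 run once from any management host; step 4 runs locally on every domain controller in the group.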
Verify Installation
You need to check that your Azure ATP Sensor install worked. Here are ways to check:
Open PowerShell on the domain controller and run:
Get-Service -Name AATP* | FT -AutoSize
This shows if the sensor services are running.
Go to the Microsoft 365 Defender portal and look at the Sensors page. Check your sensor's service status and health.
If the sensor is not healthy, set your server's power plan to High Performance and make sure NTLM auditing is on.
You can also run:
New-MDIConfigurationReport -Path C:\temp -OpenHtmlReport
This makes a report about your sensor's setup.
After you install, restart your domain controller. Wait at least 15 minutes if this is your first sensor. The backend needs time to set up.
In the portal, look for recent activity and heartbeat signals from your sensor. This means the sensor is sending data and working.
Tip: If you do not see telemetry or heartbeat signals, check your network settings. Make sure nothing blocks traffic to Microsoft endpoints.
A good Azure ATP Sensor install gives you real-time protection and lets you see what is happening. Always check the sensor status after setup to make sure everything works.
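The local checks from this section (services, .NET version, NTLM auditing and event 8004, power plan, updater error log) collected into one function. This is an added example, not code from the article or from Microsoft; it assumes an elevated session on the domain controller and uses the log folder quoted in the FAQ below.

```powershell
# Added example: post-install health checks on one domain controller, returned as an object.
# Assumes an elevated PowerShell session on the DC; the log root matches this article's FAQ.
function Test-SensorHealth {
    param([string]$LogRoot = 'C:\Program Files\Azure Advanced Threat Protection Sensor')

    $result = [ordered]@{}

    # Both services must be Running, not merely installed.
    foreach ($svc in 'AATPSensor', 'AATPSensorUpdater') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result[$svc] = if ($s) { $s.Status.ToString() } else { 'NotInstalled' }
    }

    # .NET Framework 4.7 or newer: Release 460798 is the 4.7 RTM value in the registry.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $result['DotNet47OrNewer'] = [bool]($ndp -and $ndp.Release -ge 460798)

    # NTLM auditing policies ("Restrict NTLM" audit settings) and the 8004 event they produce.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $result['AuditIncomingNtlmAll'] = ($lsa.AuditReceivingNTLMTraffic -eq 2)   # 2 = all accounts
    $result['AuditNtlmInDomainAll'] = ($lsa.AuditNTLMInDomain -eq 7)           # 7 = enable all
    $result['Event8004Seen'] = [bool](Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004 } -MaxEvents 1 -ErrorAction SilentlyContinue)

    # Power plan: the article recommends High Performance when the sensor reports unhealthy.
    $result['HighPerformancePlan'] = [bool]((powercfg /getactivescheme) -match 'High performance')

    # Newest updater error log, so the reader knows where to look if any check above is false.
    $errLog = Get-ChildItem -Path $LogRoot -Recurse -Filter 'Microsoft.Tri.Sensor.Updater-Errors.log' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $result['UpdaterErrorLog'] = if ($errLog) { $errLog.FullName } else { 'none found' }

    [pscustomobject]$result
}

Test-SensorHealth | Format-List
```

Heartbeat and telemetry still have to be confirmed in the portal; this function only covers what can be verified on the server itself.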
Troubleshooting
Common Issues
You may have some problems when you install Azure ATP Sensor. You can fix many of these by doing a few things. First, check your network connection. Make sure the sensor can talk to Microsoft endpoints. Look at your firewall and proxy settings. These might block the sensor from connecting. Check if your account has the right permissions. Make sure you installed the correct .NET Framework version. If you use a virtual machine, turn off IPv4 TCP Segmentation Offload (TSO). This helps stop network problems. If the sensor service will not start, try to reinstall the sensor. Use the readiness script from Microsoft’s official repository to check your setup.
If you get errors during installation, look at the sensor logs for more details.
Service and Account Fixes
Sometimes, the sensor service stops or will not start. You can fix this by doing these steps. First, stop both the Azure Advanced Threat Protection Sensor and Updater services. Next, uninstall the sensor software from your domain controller. Delete all files in the sensor’s program folder. Remove the sensor services using the command prompt:
sc delete AATPSensor
sc delete AATPSensorUpdater
Reboot your server. Run the Microsoft readiness script to check your environment. Reinstall the sensor using the same access key. If you use a gMSA account, remove it from the Directory Services accounts in the Defender portal. Then add it again.
These steps usually fix service errors and account problems.
Log File Checks
Log files help you find out what is wrong. You can find them in the sensor’s log directory. Here are some important log files to check:
Microsoft.Tri.Sensor.Updater-Errors.log shows updater and service startup errors.
Microsoft.Tri.Sensor.Deployment.Deployer_*.log records deployment and service controller issues.
Azure Advanced Threat Protection Sensor_*.log (MsiPackage.log) captures MSI installation errors.
Here are some common error messages and ways to fix them:
Always check your log files after any Azure ATP Sensor install problem. Logs give you the best clues to fix issues.
You now know how to put Azure ATP Sensor on your domain controllers. To keep your sensors working well, do these things:
1. Look at the sensor’s status and health in the Microsoft Defender XDR portal.
2. Check the log files for any errors or warnings.
3. Save sensor reports if you need them for audits.
4. Watch for updates and set up delayed updates if you want.
Make sure you learn about new features like better NTLM detection, gMSA support, and TLS 1.2 needs. Checking and updating often helps keep your network safe.
FAQ
How do you get the Azure ATP Sensor installer?
You get the installer from the Microsoft 365 Defender portal. Go to Settings and pick Identities. Then choose Sensors. Click + Add Sensor to download the setup file. Save it on your computer.
What should you do if the sensor service does not start?
First, stop both sensor services. Next, uninstall the software and delete the program files. Remove the services with sc delete. Restart your server and install the sensor again. Check your log files for any errors.
Can you use a regular user account instead of gMSA?
Yes, you can use a normal Active Directory user account with read access. But using a group Managed Service Account (gMSA) is safer and easier to manage.
Where do you find sensor log files?
Sensor log files are in C:\Program Files\Azure Advanced Threat Protection Sensor\VersionInUse\Logs. These files help you find errors and fix problems.
What is the best way to check if the sensor is working?
Open PowerShell and run Get-Service -Name AATP*. You can also check the sensor status in the Microsoft 365 Defender portal. Look for heartbeat signals and recent activity there.