Defender for Endpoint - Migrating servers from Microsoft Monitoring Agent to the unified solution

Bojan Zivkovic 436 Reputation points
2024-05-09T10:30:28.92+00:00

Hi, I am following https://learn.microsoft.com/en-us/defender-endpoint/application-deployment-via-mecm but on the test machine nothing is happening - the machine is onboarded to MDEP (Windows Server 2016) using MMA. I think

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense

as a detection method is not appropriate here because this registry entry already exists on the machine, hence the application is not installed.

Any help would be appreciated.


1 answer

  1. Akshay-MSFT 16,436 Reputation points Microsoft Employee
    2024-05-14T06:31:01.0033333+00:00

    @Bojan Zivkovic

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking for an alternate detection method for the unified solution.

    • If we navigate to the prerequisites of this document, it says "Down-level OS devices in your environment onboarded with Microsoft Monitoring Agent. To confirm, verify that MsSenseS.exe is running in Task Manager." so that is the reason why you would see the registry key.
    • While creating the package in step 8 you must have used the following PowerShell command as the "installation program", which has -RemoveMMA <workspace ID>
        Powershell.exe -ExecutionPolicy ByPass -File install.ps1 -RemoveMMA <workspace ID> -OnboardingScript .\WindowsDefenderATPOnboardingScript.cmd
      
    • If the above command is executed successfully, this should remove the MMA agent, provided the workspace ID is correct, and onboard the unified agent; as a result the registry should be rewritten.
    • Additionally you could check the following:
    1. Run Get-MpComputerStatus in PowerShell and validate AntivirusSignatureAge and AntivirusSignatureLastUpdated; both the parameters should refer to the date you ran the package.
    2. You may check in Control Panel and see if the workspace ID still exists for MMA.

    control-panel properties

    If you don't see the expected results, then kindly post the query on Microsoft Defender for Endpoint Tech Community which is a dedicated channel.

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

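The checks suggested in the answer above can be collected into one PowerShell function to run on the server after the package has been deployed. This is an added example, not code from the thread or from Microsoft's deployment guide. The function name is hypothetical, the workspace ID is whatever was passed to -RemoveMMA, and the `AgentConfigManager.MgmtSvcCfg` COM object (the MMA scripting interface) is used here as a scripted stand-in for the Control Panel check.

```powershell
# Added example: post-migration checks for a server moved from MMA to the unified solution.
# Test-MmaToUnifiedMigration is a hypothetical name; pass the workspace ID used with -RemoveMMA.
function Test-MmaToUnifiedMigration {
    param(
        [Parameter(Mandatory)] [string]   $WorkspaceId,
        [Parameter(Mandatory)] [datetime] $PackageRunDate
    )

    # Check 1: signature data reported by Get-MpComputerStatus should date from the package run.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $signaturesFresh = $false
    if ($mp) {
        $signaturesFresh = $mp.AntivirusSignatureLastUpdated.Date -ge $PackageRunDate.Date
    }

    # Check 2: is the workspace still configured in MMA?
    # The COM object can only be created while MMA is installed.
    $mmaInstalled = $false
    $workspaceStillPresent = $false
    try {
        $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' -ErrorAction Stop
        $mmaInstalled = $true
        $workspaceStillPresent = @($mma.GetCloudWorkspaces() |
            Where-Object { $_.workspaceId -eq $WorkspaceId }).Count -gt 0
    } catch {
        # MMA is not installed, so no workspace is configured.
    }

    # Check 3: MsSenseS.exe is the process the prerequisites name for MMA-based onboarding.
    $legacySensorRunning = [bool](Get-Process -Name 'MsSenseS' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        AntivirusSignatureAge         = if ($mp) { $mp.AntivirusSignatureAge } else { $null }
        AntivirusSignatureLastUpdated = if ($mp) { $mp.AntivirusSignatureLastUpdated } else { $null }
        SignaturesFresh               = $signaturesFresh
        MmaInstalled                  = $mmaInstalled
        WorkspaceStillPresent         = $workspaceStillPresent
        LegacySensorRunning           = $legacySensorRunning
        Migrated                      = $signaturesFresh -and -not $workspaceStillPresent -and -not $legacySensorRunning
    }
}

# Constructed sample call; replace the placeholder workspace ID and date with real values.
Test-MmaToUnifiedMigration -WorkspaceId '<workspace ID>' -PackageRunDate (Get-Date '2024-05-14')
```

Run it in an elevated PowerShell session on the migrated server; `Migrated` is `$true` only when all three checks agree.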