Windows 7 & 10 Devices not sending data via ATP

  • Question

  • We have deployed ATP to our fleet of endpoints. However, only around 80% are reporting back to the console.

    We have a mixture of Windows 10 and Windows 7 devices.

    Error found in the event viewer of a device not communicating back (W7 device):

    A module of type "Microsoft.EnterpriseManagement.Mom.Modules.WindowsDefenderATPModule.WindowsDefenderATPModule" reported an exception System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 51.143.136.35:443 
    at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) 
    at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception) 
    --- End of inner exception stack trace --- 
    at System.Net.HttpWebRequest.GetResponse() 
    at Microsoft.EnterpriseManagement.Mom.Modules.WindowsDefenderATPModule.WebRequestWrapper.SendRequest(Uri uri, WebProxy proxy) 
    at Microsoft.EnterpriseManagement.Mom.Modules.WindowsDefenderATPModule.WebRequestWrapper.Get(Uri uri) 
    at Microsoft.EnterpriseManagement.Mom.Modules.Downloader.FileDownloader.GetWebResponse(Uri uri) 
    at Microsoft.EnterpriseManagement.Mom.Modules.Downloader.FileDownloader.Download(Uri uri, String fileName) 
    at Microsoft.EnterpriseManagement.Mom.Modules.WindowsDefenderATPModule.ConfigReader.DownloadConfiguration(String cncRootUrl, String workspaceId, String defenderGuid, String senseGuid, String machineId, String agentId, String clientVer, String configVer, String machineDnsName, String osVer, Int32 productType, String groupId, UInt32 deniedCnCActionsBitmask, String filePath) 
    at Microsoft.EnterpriseManagement.Mom.Modules.WindowsDefenderATPModule.SenseRunner.DownloadConfigurationFile(String configFilePath) 
    at Microsoft.EnterpriseManagement.Mom.Modules.WindowsDefenderATPModule.SenseRunner.DoCommandAndControl(Object state) which was running as part of rule "Microsoft.Windows.WindowsDefenderATP.CollectEtwEvent" running for instance "" with id:"{BE9F3D7C-53BD-55BB-AF31-973D29914CB9}" in management group "AOI-13af7bbd-3b2e-4e97-be28-e637d2049834".

    Any help would be appreciated.

    Liam


    Tuesday, February 5, 2019 2:28 PM