Has anyone deployed Microsoft ATP / MDE on layers ...
# citrix-app-layering
Has anyone deployed Microsoft ATP / MDE on layers by chance? I think I asked that before but don't recall specifics.
There are some considerations for this. I believe we will require you to include it in the OS layer as of App Layering 2409, although I need to confirm this with engineering. I will aim to let you know on Monday if that is OK.
For eATP, engineering recommends NOT installing any binaries into the app layer. In fact, that would result in unpredictable behavior in the VDA. You need to put just the install script generated from the console and configure that to run at logon. We put all the binaries into our Always On Boot, so every logon would get the authentic and supposedly up-to-date version of ATP with this configuration. We do aim to put out some doc/KB guidance for deploying ATP; I do not have an ETA for that just yet.
So I tried putting it on the OS layer and now on the Platform layer. Should I uninstall from Platform as well? Can you tell me more about the install script?
I suppose it would be good to understand exactly what you're setting up. My understanding is that ATP is not the same product as e-ATP (endpoint ATP). eATP can be configured to deploy from the web at each login. In that config a script is generated which you can configure to run at login time. For that setup, you don't want any of the ATP components going into any layers, as it can cause issues. In general, with Defender, its components need to be only in the OS layer. In AL 2409 or later, we do additional enforcement to ensure it will work only if you set it up this way.
That said... can you describe more the issue you are seeing if it wasn't working when you added it to the OS layer? Also, is it AL 2409?
(And yes, you want to uninstall from the platform layer and only have it configured in the OS layer.)
I'm not on AL 2409 yet. The issue I'm having is that, according to the team that manages Defender for Endpoint, my layer-built images do not send all of the expected logs to the back end. This is not an issue with manually built PVS images. TBH, I don't fully understand how MDE works, but I hope that we are not the only ones using it in a layered environment. Is the script you are mentioning the original MDE onboarding script by chance?
This is for on-prem CVAD, and we have DaaS...
OK, yeah, the wording in that external update is not accurate... the changes we released are really the opposite: we will not allow Defender updates in an app layer to persist during publish. Updates must be applied in the OS layer.
I will have the external update removed for now.
OK, so I tried a few different things. I ran the offboarding script on the Platform and OS layers. When I try to onboard the individual VDIs I get an ambiguous error: [Error Id: 15, Error Level: 1] Unable to start Microsoft Defender for Endpoint Service. Error message: The Windows Defender Advanced Threat Protection Service service is starting...
Offboarding and onboarding work fine on both the Platform and OS layers. It's only actual VDAs where things break.... 🤷‍♂️
OK, I talked a bit more with eng, and I think, based on what you describe now, you want to refer to the steps here: https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-vdi Specifically:
> Important
>
> If you're deploying non-persistent VDIs through cloning technology, make sure that your internal template VMs are not onboarded to Defender for Endpoint. This recommendation is to avoid cloned VMs from being onboarded with the same senseGuid as your template VMs, which could prevent VMs from showing up as new entries in the Devices list.
... which means you should be careful not to run the onboarding scripts in any of the layers, or the published master image, but only on the provisioned endpoints, at user login. Based on what you are describing, though, of the service not starting at all, this may not resolve the problem. I think you want to try and configure it this way, and if you still see problems after that, maybe raise a ticket with us and with Microsoft to have a closer look at it?
I made some progress, and now MDE works on an image built only from the OS and Platform layers. As soon as I add a software layer (even one) it breaks. 😞
Are these layers that were created previously, or does even a new app layer break it?
They were created previously. I did try to open and seal one; no luck.
The reason I asked is because there is a chance your old layers have some kind of pollution from the MDE components being present in the OS layer previously (maybe they ran or updated in your packaging machines, for example). It would be worth testing it with a new app layer: maybe install something simple like Notepad++ in it, finalize, and include that app layer along with the Platform and OS layers. Most likely this will also work now.
Will do that next.
Created a new blank layer; still broken. 🤔 🤦‍♂️
That doesn't really make much sense... a template with only the OS and Platform layers works, but you add a brand new app layer with nothing in it and that composited image has problems?
Yep. Will re-test with a blank image again.
I assume you used the same OS layer to create that test app layer?
Yep, same OS layer. I am probably doing something very wrong 😞
If it makes a difference, the app version is 2403 (24.3.2.1021).
Did a support ticket get raised? On the one that is failing we can probably try to help debug that, though Microsoft may also be needed for that.
I don't believe 2409 would change the behavior by itself.
Haven't opened a ticket yet. Never a fun experience, TBH.
If you raise one, send me over the case number and I can urge it along.
Thank you, I will open it today.
(attachment: image.png)
Have you seen this?