How to Troubleshoot failed VM Endpoint Protection Installation

  • Question

  • How do I go about troubleshooting a failed endpoint protection on a VM in our Azure subscription?

    The install was triggered from a Recommended Action in Azure Security Center.

    Here's the associated JSON file from the 'failed' log entry:

    {
        "channels": "Operation",
        "correlationId": "64348edc-1d97-b8cd-56cd-e0683e705595",
        "description": "",
        "eventDataId": "57b8a4d3-619d-460a-8fb0-283ee2242689",
        "eventName": {
            "value": "Extension Installation",
            "localizedValue": "Extension Installation"
        },
        "category": {
            "value": "Administrative",
            "localizedValue": "Administrative"
        },
        "eventTimestamp": "2018-07-27T17:27:44.8982713Z",
        "id": "/subscriptions/7144852a-326b-4996-a90f-5c0653ccf335/resourceGroups/CQFLUENCYRG/providers/Microsoft.Compute/virtualMachines/TRADOS/events/57b8a4d3-619d-460a-8fb0-283ee2242689/ticks/636683092648982713",
        "level": "Error",
        "operationId": "182bc503-917a-4866-bcb5-0ff81339bd5c",
        "operationName": {
            "value": "Microsoft.Security/dataCollectionAgents/install/action",
            "localizedValue": "Microsoft.Security/dataCollectionAgents/install/action"
        },
        "resourceGroupName": "CQFLUENCYRG",
        "resourceProviderName": {
            "value": "Microsoft.Compute",
            "localizedValue": "Microsoft.Compute"
        },
        "resourceType": {
            "value": "Microsoft.Compute/virtualMachines",
            "localizedValue": "Microsoft.Compute/virtualMachines"
        },
        "resourceId": "/subscriptions/7144852a-326b-4996-a90f-5c0653ccf335/resourceGroups/CQFLUENCYRG/providers/Microsoft.Compute/virtualMachines/TRADOS",
        "status": {
            "value": "Failed",
            "localizedValue": "Failed"
        },
        "subStatus": {
            "value": "",
            "localizedValue": ""
        },
        "submissionTimestamp": "2018-07-27T17:27:44.9151825Z",
        "subscriptionId": "7144852a-326b-4996-a90f-5c0653ccf335",
        "relatedEvents": []
    }

    Any clues will be helpful....

    Thanks,

    Paul

    Friday, July 27, 2018 7:48 PM

All replies

  • Hi Paul,

    I was also having issues installing endpoint protection.  I looked at this file:

    C:\WindowsAzure\Logs\AggregateStatus\aggregatestatus

    I noticed this block in the JSON formatted status:

          {
            "handlerName": "Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent",
            "handlerVersion": "1.0.11081.4",
            "status": "NotReady",
            "code": 400,
            "formattedMessage": {
              "lang": "en-US",
              "message": "Microsoft Monitoring Agent is not configured correctly, please restart the VM or remove/add MicrosoftMonitoringAgent extension."
            },

    Restarting the VM did not resolve the issue, but removing and installing the agent did.  Take a look here if you have not uninstalled the agent before:

    https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-manage#uninstall-agent

    If this doesn't help, let us know if you see anything of interest in the 'aggregatestatus' file.  

    Tuesday, July 31, 2018 8:21 PM
    Moderator
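
One way to triage the 'aggregatestatus' file mentioned in the reply above, as an added example that is not part of the original thread or of Microsoft's tooling: it walks the JSON and reports every extension handler whose status is not "Ready". The sample document, its enclosing keys and the second handler are constructed, and treating "Ready" as the healthy state is an assumption.

```python
import json
from typing import Any, Iterator

# Constructed sample: the first handler reuses the fields quoted in the reply
# above; the second handler and the enclosing keys are made up for the demo.
SAMPLE = """
{"wrapper": {"handlers": [
  {"handlerName": "Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent",
   "handlerVersion": "1.0.11081.4", "status": "NotReady", "code": 400,
   "formattedMessage": {"lang": "en-US", "message": "Microsoft Monitoring Agent is not configured correctly, please restart the VM or remove/add MicrosoftMonitoringAgent extension."}},
  {"handlerName": "Example.Placeholder.Extension", "handlerVersion": "0.0.0.0",
   "status": "Ready", "code": 0,
   "formattedMessage": {"lang": "en-US", "message": "ok"}}
]}}
"""

def iter_handlers(node: Any) -> Iterator[dict]:
    """Yield every object carrying both handlerName and status, wherever it
    sits in the document, so the envelope layout does not have to be known."""
    if isinstance(node, dict):
        if "handlerName" in node and "status" in node:
            yield node
        for value in node.values():
            yield from iter_handlers(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_handlers(item)

def failing_handlers(text: str) -> list:
    """Return name, version, status, code and message for unhealthy handlers."""
    results = []
    for handler in iter_handlers(json.loads(text)):
        if handler["status"] == "Ready":  # assumption: "Ready" means healthy
            continue
        formatted = handler.get("formattedMessage") or {}
        results.append({
            "name": handler["handlerName"],
            "version": handler.get("handlerVersion"),
            "status": handler["status"],
            "code": handler.get("code"),
            "message": formatted.get("message", ""),
        })
    return results

if __name__ == "__main__":
    # For a real VM, pass the text of the aggregatestatus file instead of SAMPLE.
    for h in failing_handlers(SAMPLE):
        print(f'{h["name"]} {h["version"]}: {h["status"]} ({h["code"]}) {h["message"]}')
```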