地端VM升級至Windows Server 2022後,MDE.Windows Extension部署失敗
我們將地端 VM 進行作業系統(OS)升級,由 Windows Server 2016 升級至 Windows Server 2022,升級之後發現,Azure Arc 裡的 MDE.Windows Extensions 有點不太正常。
備註,MDE.Windows Extension 只支援 Windows Server 2019 之後的作業系統。例如,Windows Server 2016 那麼是不會被安裝此 Extension。
在嘗試了幾次 MDE.Windows 移除與重新安裝後都一樣是失敗的情況。更甚至把整個地端 Windows Server 從 Machines - Azure Arc 清單移除,連 VM 都重新加入也是一樣。
Extension Message: Failed to configure Microsoft Defender for Endpoint: Error during prepare defenderForEndpointOnboardingScript Onboarding blob signature is not valid, executionlog: [2024-08-23 01:18:45Z][Information] Signature verification result: True
[2024-08-23 01:18:45Z][Information] base chain cetificate is valid
[2024-08-23 01:19:00Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011 is valid: False
[2024-08-23 01:19:00Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2011 is valid: True
[2024-08-23 01:19:00Z][Information] Chain valid: False
[2024-08-23 01:19:00Z][Information] Certificate chain verification result: False
[2024-08-23 01:19:00Z][Error] Onboarding blob signature is not valid
[2024-08-23 01:19:00Z][Error] Error during prepare defenderForEndpointOnboardingScript Onboarding blob signature is not valid
[2024-08-23 01:19:00Z][Error] Failed to configure Microsoft Defender for Endpoint: Error during prepare defenderForEndpointOnboardingScript Onboarding blob signature is not valid
[2024-08-23 01:19:00Z][Information] Set handler status (C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3\status\0.status), Status=error, Code=888, Message='Failed to configure Microsoft Defender for Endpoint: Error during prepare defenderForEndpointOnboardingScript Onboarding blob signature is not valid'
Extension Error:
C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3>Powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3\\MdeExtensionHandlerWrapper.ps1 -Action enable
VERBOSE: [2024-08-23 01:18:40Z][Information] Start executing handler action: enable
VERBOSE: [2024-08-23 01:18:40Z][Information] Set handler status
(C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3\status\0.status),
Status=transitioning, Code=1, Message='Configuration In Progress'
VERBOSE: [2024-08-23 01:18:40Z][Information] Invoking MdeExtensionHandler.ps1 in background process in order to
install/configuration/onboard MDE
VERBOSE: [2024-08-23 01:18:41Z][Information] End executing handler action: enable with exit code: 0
C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3>Powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows\1.0.10.3\\MdeExtensionHandlerWrapper.ps1 -Action install
VERBOSE: [2024-08-23 01:18:37Z][Information] Start executing handler action: install
VERBOSE: [2024-08-23 01:18:37Z][Information] MDE installation/configuration/onboarding occurs / will occur in 'enable'
VERBOSE: [2024-08-23 01:18:37Z][Information] End executing handler action: install with exit code: 0
從 Azure 提供的錯誤訊息來看,問題比較可能是這裡。
[2024-08-23 01:19:00Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011 is valid: False
[2024-08-23 01:19:00Z][Information] Certificate C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2011 is valid: True
因為我從本機查詢 azcmagent extension
的狀態,可以看到 MDE.Windows 是 State: ENABLED
PS C:\> azcmagent extension list
INFO Stopping and disabling service: Extension Service
Extension: MDE.Windows
Version: 1.0.10.3
Extension Path: C:\Packages\Plugins\Microsoft.Azure.AzureDefenderForServers.MDE.Windows
State: ENABLED
Extension: AzureMonitorWindowsAgent
Version: 1.29.0.0
Extension Path: C:\Packages\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent
State: ENABLED
INFO Enabling and starting service: Extension Service
由於 MDE.Windows 是 Azure Arc 自動化安裝與設定,我並沒有任何處理的能力,最後只好開 Azure Support 請求支援。經過 Azure Support 提供情境與產品組確認,是 MDE.Windows extension 本身的問題。
等 Update available 有新版出現,重跑一次移除等重新安裝的流程,系統升級造成的問題就解決了。
沒有留言:
張貼留言
感謝您的留言,如果我的文章你喜歡或對你有幫助,按個「讚」或「分享」它,我會很高興的。