Agent Install Troubleshooting for Defender Reporter

Goal: Start from a known-good baseline so you can isolate real failures quickly. If you are still building the broader reporting workflow around the agent, start with the reporting basics pillar.

Downloaded installer command (recommended): the downloaded script already includes tenant key and base URL defaults.

PS> powershell -NoProfile -ExecutionPolicy Bypass -File "$env:USERPROFILE\Downloads\Install-DefenderReporter.ps1"

Repo/source script command (explicit values required):

PS> powershell -NoProfile -ExecutionPolicy Bypass `
>>   -File .\agent\Install-DefenderReporter.ps1 `
>>   -TenantKey "<tenant-key>" `
>>   -BaseUrl "https://defenderreporter.com" `
>>   -IntervalMinutes 5

Run the installed agent immediately (manual test run):

PS> powershell -ExecutionPolicy Bypass -File "C:\ProgramData\DefenderReporter\agent.ps1"

Expected: Installer shows numbered progress steps and ends with a summary block.

Symptom: "Running scripts is disabled" or PowerShell window flashes and closes.

Cause: Current execution policy or browser zone marker blocks script execution.

Fix:

1. Check all policy scopes.
2. Set process-scope bypass for this session only.
3. Rerun installer.

PS> Get-ExecutionPolicy -List
PS> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
PS> powershell -NoProfile -ExecutionPolicy Bypass -File "$env:USERPROFILE\Downloads\Install-DefenderReporter.ps1"

Alternative (repo/source installs): Use wrapper if direct .ps1 launch is unreliable.

PS> .\agent\Install-DefenderReporter.cmd -TenantKey "<tenant-key>" -BaseUrl "https://defenderreporter.com" -IntervalMinutes 5

Symptom: "Installer must be run from an elevated PowerShell session."

Cause: Command is running without admin privileges, so task registration and ACL writes fail.

Verify elevation:

PS> ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
PS> # Expected output: True

Fix: Open PowerShell as Administrator, rerun the installer command, and accept UAC prompt.

Goal: Confirm install succeeded operationally, not just syntactically.

Run:

PS> Get-ScheduledTask -TaskName "DefenderReporter"
PS> Get-ScheduledTaskInfo -TaskName "DefenderReporter"
PS> powershell -ExecutionPolicy Bypass -File "C:\ProgramData\DefenderReporter\agent.ps1"
PS> Get-Content "C:\ProgramData\DefenderReporter\install.log" -Tail 80
PS> Get-Content "C:\ProgramData\DefenderReporter\agent.log" -Tail 80

Expected:

• Task exists and has valid NextRunTime.
• Agent log shows agent.run_started and agent.run_finished.
• Ingest events show success or actionable failure metadata.

Symptom: Installer summary looks successful but dashboard has no device data.

Common causes: Wrong tenant key, wrong base URL, blocked network path, invalid TLS/proxy behavior.

Checks:

PS> Get-Content "C:\ProgramData\DefenderReporter\config.json"
PS> Invoke-WebRequest "https://defenderreporter.com/agent/agent.ps1" `
>>   -UseBasicParsing
PS> Get-Content "C:\ProgramData\DefenderReporter\agent.log" -Tail 120

Interpretation:

• ingest.send_success: endpoint can submit data.
• ingest.send_failed: network/auth/server issue to remediate.
• ingest.skipped_invalid_base_url: config URL is invalid for current policy.

If onboarding is working but daily operations are not, continue with the small-team reporting workflow or the reporting mistakes checklist.