After an upgrade to new Domain Controllers, the MDI Sensor fails to start after the new Domain Controllers are rebooted. The service stays in "Starting" state both in the Security portal and under Services on each device. The new servers were members of the group that grants the Group Managed Service Account (gMSA) permissions on each new Domain Controller, so that was not the cause.

Issue:
The issue turned out to be that the new Domain Controllers had overwritten and removed the Group Policy that grants the gMSA account the "Log on as a service" right. If there is no GPO for this, the right can also be set locally using secpol.msc. This means we again need to grant the gMSA account the "Log on as a service" right, then reboot the server, after which the service should start again.
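The check and fix described above, as an added PowerShell example that is not part of the original post. It reads the effective local user-rights assignment with `secedit`, checks whether the gMSA holds `SeServiceLogonRight` (the "Log on as a service" right), verifies the DC can retrieve the gMSA password, and reports the sensor service state. The gMSA name `CONTOSO\mdiSvc01$` is a placeholder, and the sensor service name `AATPSensor` is assumed; confirm both on your own hosts with `Get-Service` and your MDI configuration. The optional `-Fix` switch applies the right locally (the secpol.msc route); if a GPO governs the right, it will overwrite this local change, so in that case fix the GPO instead.

```powershell
# Added example (not from the original post). Checks that an MDI gMSA still holds
# "Log on as a service" on this Domain Controller and reports the sensor state.
# Assumptions: gMSA 'CONTOSO\mdiSvc01$' (placeholder) and service name 'AATPSensor' (verify locally).
param(
    [string]$GmsaAccount   = 'CONTOSO\mdiSvc01$',
    [string]$SensorService = 'AATPSensor',
    [switch]$Fix
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Export the effective user-rights assignment so we can read SeServiceLogonRight.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# The value is a comma-separated list of SIDs (prefixed with '*') or account names.
$sid = (New-Object System.Security.Principal.NTAccount($GmsaAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
}
$hasRight = ($holders -contains "*$sid") -or ($holders -contains $GmsaAccount)

if ($hasRight) {
    Write-Host "OK: $GmsaAccount holds 'Log on as a service' on $env:COMPUTERNAME"
} else {
    Write-Warning "$GmsaAccount is NOT granted 'Log on as a service' on $env:COMPUTERNAME."
    if ($Fix) {
        # Local fix (equivalent to secpol.msc). secedit /configure replaces the whole list,
        # so existing holders are kept and the gMSA SID is appended.
        $newList = (@($holders) + "*$sid" | Where-Object { $_ } | Select-Object -Unique) -join ','
        $fixInf = Join-Path $env:TEMP 'grant-service-logon.inf'
        $fixDb  = Join-Path $env:TEMP 'grant-service-logon.sdb'
        @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $newList
"@ | Set-Content -Path $fixInf -Encoding Unicode
        secedit /configure /db $fixDb /cfg $fixInf /areas USER_RIGHTS | Out-Null
        Remove-Item $fixInf, $fixDb -ErrorAction SilentlyContinue
        Write-Host "Granted 'Log on as a service' to $GmsaAccount. Reboot the server so the sensor service can start."
    } else {
        Write-Host "Re-run with -Fix to grant it locally, or restore the GPO that assigns the right."
    }
}

# 2. Confirm this DC can retrieve the gMSA password (membership in the allowed group).
$samName = ($GmsaAccount.Split('\')[-1]).TrimEnd('$')
if (Test-ADServiceAccount -Identity $samName) {
    Write-Host "OK: this host can retrieve the managed password for $samName"
} else {
    Write-Warning "This host cannot retrieve the managed password for $samName; check PrincipalsAllowedToRetrieveManagedPassword."
}

# 3. A sensor service stuck in StartPending matches the symptom described in the post.
Get-Service -Name $SensorService -ErrorAction SilentlyContinue | Select-Object Name, Status
```

Run it from an elevated PowerShell session on each new Domain Controller; the right must be held on every DC that runs a sensor, so a DC that passes the check does not tell you anything about its peers.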

You can read more about the general setup here: https://learn.microsoft.com/en-us/defender-for-identity/directory-service-accounts

Another issue can arise if you are running sensors on AD FS or Certificate Services servers: you need to update the Domain Controllers listed in the Security portal to the new ones you installed. This is done in the Security portal under "Manage sensor". Add the FQDNs of the new Domain Controllers and remove the old ones.