Forum Discussion

ryan666
Copper Contributor
Oct 10, 2024

ATP sensor install fails 0x80070643

I am trying to install ATP sensor to all DCS, Federations, CS, and EntraSync servers.

All is well on about 70% of them.

However I get this failure on many:

During installation, I can see both the ATP service and the ATP update service being created. It looks like the update service keeps trying to start but never succeeds. Then eventually it just fails.

I have errors in the logs but I'm not sure what the cause is:

=== Verbose logging started: 10/10/2024 15:54:25 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Users\v-<name>.admin\AppData\Local\Temp\11\{1F707719-5FF8-471B-A9EC-2BDB54E2DEC5}\.be\Azure ATP Sensor Setup.exe ===
MSI (c) (20:F4) [15:54:25:457]: Resetting cached policy values
MSI (c) (20:F4) [15:54:25:457]: Machine policy value 'Debug' is 0
MSI (c) (20:F4) [15:54:25:457]: ******* RunEngine:
******* Product: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi
******* Action:
******* CommandLine: **********
MSI (c) (20:F4) [15:54:25:457]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (20:F4) [15:54:25:457]: Grabbed execution mutex.
MSI (c) (20:F4) [15:54:25:764]: Cloaking enabled.
MSI (c) (20:F4) [15:54:25:764]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (20:F4) [15:54:25:764]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (D8:54) [15:54:25:811]: Running installation inside multi-package transaction C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi
MSI (s) (D8:54) [15:54:25:811]: Grabbed execution mutex.
MSI (s) (D8:B8) [15:54:25:827]: Resetting cached policy values
MSI (s) (D8:B8) [15:54:25:827]: Machine policy value 'Debug' is 0
MSI (s) (D8:B8) [15:54:25:827]: ******* RunEngine:
******* Product: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi
******* Action:
******* CommandLine: **********
MSI (s) (D8:B8) [15:54:25:842]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (D8:B8) [15:54:25:875]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (D8:B8) [15:54:25:875]: SRSetRestorePoint skipped for this transaction.
MSI (s) (D8:B8) [15:54:25:890]: File will have security applied from OpCode.
MSI (s) (D8:B8) [15:54:26:031]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi' against software restriction policy
MSI (s) (D8:B8) [15:54:26:047]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi has a digital signature
MSI (s) (D8:B8) [15:54:26:314]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (D8:B8) [15:54:26:314]: MSCOREE not loaded loading copy from system32
MSI (s) (D8:B8) [15:54:26:360]: End dialog not enabled
MSI (s) (D8:B8) [15:54:26:360]: Original package ==> C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi
MSI (s) (D8:B8) [15:54:26:360]: Package we're running from ==> C:\windows\Installer\69b9569f.msi
MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: looking for appcompat database entry with ProductCode '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'.
MSI (s) (D8:B8) [15:54:26:360]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (D8:B8) [15:54:26:376]: Machine policy value 'TransformsSecure' is 1
MSI (s) (D8:B8) [15:54:26:376]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisablePatch' is 0
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (D8:B8) [15:54:26:392]: APPCOMPAT: looking for appcompat database entry with ProductCode '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'.
MSI (s) (D8:B8) [15:54:26:392]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (D8:B8) [15:54:26:392]: Transforms are not secure.
MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2205 2: 3: Control
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\v-<name>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241010155357_000_MsiPackage.log'.
MSI (s) (D8:B8) [15:54:26:392]: Command Line: ARPSYSTEMCOMPONENT=1 MSIFASTINSTALL=7 ACCESSKEY=********** DelayedUpdate= InstallationPath=C:\Program Files\Azure Advanced Threat Protection Sensor InstalledVersion= LogsPath= PROXYCONFIGURATION=********** WixBundleOriginalSourceFolder=C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\ REBOOT=ReallySuppress CURRENTDIRECTORY=C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6) CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=1824
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{8C836763-469E-4773-93EC-0FA1DC250242}'.
MSI (s) (D8:B8) [15:54:26:392]: Product Code passed to Engine.Initialize: ''
MSI (s) (D8:B8) [15:54:26:392]: Product Code from property table before transforms: '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'
MSI (s) (D8:B8) [15:54:26:392]: Product Code from property table after transforms: '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}'
MSI (s) (D8:B8) [15:54:26:392]: Product not registered: beginning first-time install
MSI (s) (D8:B8) [15:54:26:392]: Product {3725E0BC-A942-4D76-A0AC-0BF7197CCD26} is not managed.
MSI (s) (D8:B8) [15:54:26:392]: MSI_LUA: Credential prompt not required, user is an admin
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (D8:B8) [15:54:26:392]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (D8:B8) [15:54:26:392]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (D8:B8) [15:54:26:392]: Adding new sources is allowed.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:392]: Package name extracted from package path: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (D8:B8) [15:54:26:392]: Package to be registered: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2205 2: 3: Error
MSI (s) (D8:B8) [15:54:26:392]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableMsi' is 1
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (D8:B8) [15:54:26:392]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (D8:B8) [15:54:26:392]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (D8:B8) [15:54:26:392]: Running product '{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}' with elevated privileges: Product is assigned.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ARPSYSTEMCOMPONENT property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MSIFASTINSTALL property. Its value is '7'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding ACCESSKEY property. Its value is '**********'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding INSTALLATIONPATH property. Its value is 'C:\Program Files\Azure Advanced Threat Protection Sensor'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding WIXBUNDLEORIGINALSOURCEFOLDER property. Its value is 'C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:392]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '1824'.
MSI (s) (D8:B8) [15:54:26:392]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is '5d021cc0366c544297f2faf55cf5a598'.
MSI (s) (D8:B8) [15:54:26:407]: RESTART MANAGER: Session opened.
MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:407]: TRANSFORMS property is now:
MSI (s) (D8:B8) [15:54:26:407]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '500'.
MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming
MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Favorites
MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (s) (D8:B8) [15:54:26:423]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Documents
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Recent
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\SendTo
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Templates
MSI (s) (D8:B8) [15:54:26:439]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Local
MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Pictures
MSI (s) (D8:B8) [15:54:26:454]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (s) (D8:B8) [15:54:26:470]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (s) (D8:B8) [15:54:26:485]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (D8:B8) [15:54:26:485]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\Users\v-<name>.admin\Desktop
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (s) (D8:B8) [15:54:26:501]: SHELL32::SHGetFolderPath returned: C:\windows\Fonts
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (D8:B8) [15:54:26:517]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\windows\Installer\69b9569f.msi'.
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi'.
MSI (s) (D8:B8) [15:54:26:517]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (s) (D8:B8) [15:54:26:517]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
MSI (s) (D8:B8) [15:54:26:517]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (D8:B8) [15:54:26:517]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:B8) [15:54:26:517]: User policy value 'DisableRollback' is 0
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (s) (D8:B8) [15:54:26:517]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'.
=== Logging started: 10/10/2024 15:54:26 ===
MSI (s) (D8:B8) [15:54:26:517]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (D8:B8) [15:54:26:517]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (s) (D8:B8) [15:54:26:532]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (D8:B8) [15:54:26:532]: Doing action: INSTALL
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action start 15:54:26: INSTALL.
MSI (s) (D8:B8) [15:54:26:532]: Running ExecuteSequence
MSI (s) (D8:B8) [15:54:26:532]: Doing action: FindRelatedProducts
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action start 15:54:26: FindRelatedProducts.
MSI (s) (D8:B8) [15:54:26:532]: Doing action: LaunchConditions
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: FindRelatedProducts. Return value 1.
Action start 15:54:26: LaunchConditions.
MSI (s) (D8:B8) [15:54:26:532]: Doing action: ValidateProductID
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: LaunchConditions. Return value 1.
Action start 15:54:26: ValidateProductID.
MSI (s) (D8:B8) [15:54:26:532]: Doing action: CostInitialize
MSI (s) (D8:B8) [15:54:26:532]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: ValidateProductID. Return value 1.
MSI (s) (D8:B8) [15:54:26:548]: Machine policy value 'MaxPatchCacheSize' is 10
MSI (s) (D8:B8) [15:54:26:548]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.
MSI (s) (D8:B8) [15:54:26:548]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: Patch
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: __MsiPatchFileList
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: Patch
Action start 15:54:26: CostInitialize.
MSI (s) (D8:B8) [15:54:26:548]: Doing action: FileCost
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: CostInitialize. Return value 1.
MSI (s) (D8:B8) [15:54:26:548]: Note: 1: 2205 2: 3: MsiAssembly
Action start 15:54:26: FileCost.
MSI (s) (D8:B8) [15:54:26:564]: Doing action: CostFinalize
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: FileCost. Return value 1.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Patch
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Condition
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.
MSI (s) (D8:B8) [15:54:26:564]: Target path resolution complete. Dumping Directory table...
MSI (s) (D8:B8) [15:54:26:564]: Note: target paths subject to change (via custom actions or browsing)
MSI (s) (D8:B8) [15:54:26:564]: Dir (target): Key: TARGETDIR , Object: C:\
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: MsiAssembly
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2228 2: 3: MsiAssembly 4: SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`, `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ?
Action start 15:54:26: CostFinalize.
MSI (s) (D8:B8) [15:54:26:564]: Doing action: MigrateFeatureStates
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: CostFinalize. Return value 1.
Action start 15:54:26: MigrateFeatureStates.
MSI (s) (D8:B8) [15:54:26:564]: Doing action: InstallValidate
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: MigrateFeatureStates. Return value 0.
MSI (s) (D8:B8) [15:54:26:564]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is '5d021cc0366c544297f2faf55cf5a598'.
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Dialog
MSI (s) (D8:B8) [15:54:26:564]: Feature: ProductFeature; Installed: Absent; Request: Local; Action: Local
MSI (s) (D8:B8) [15:54:26:564]: Component: ProductComponent; Installed: Absent; Request: Local; Action: Local
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Registry
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: BindImage
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: ProgId
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Extension
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Font
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Class
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: Icon
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: TypeLib
Action start 15:54:26: InstallValidate.
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: _RemoveFilePath
MSI (s) (D8:B8) [15:54:26:564]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (D8:B8) [15:54:26:579]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Registry
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: BindImage
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: ProgId
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Extension
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Font
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Class
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: Icon
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: TypeLib
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2727 2:
MSI (s) (D8:B8) [15:54:26:579]: Note: 1: 2205 2: 3: FilesInUse
MSI (s) (D8:B8) [15:54:26:595]: Note: 1: 2727 2:
MSI (s) (D8:B8) [15:54:26:689]: Doing action: InstallInitialize
MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: InstallValidate. Return value 1.
MSI (s) (D8:B8) [15:54:26:689]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (D8:B8) [15:54:26:689]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (D8:B8) [15:54:26:689]: BeginTransaction: Locking Server
MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (D8:B8) [15:54:26:689]: SRSetRestorePoint skipped for this transaction.
MSI (s) (D8:B8) [15:54:26:689]: Note: 1: 2203 2: C:\windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (D8:B8) [15:54:26:689]: Server not locked: locking for product {3725E0BC-A942-4D76-A0AC-0BF7197CCD26}
Action start 15:54:26: InstallInitialize.
MSI (s) (D8:B8) [15:54:26:736]: Doing action: InstallCustomAction
MSI (s) (D8:B8) [15:54:26:736]: Note: 1: 2205 2: 3: ActionText
Action ended 15:54:26: InstallInitialize. Return value 1.
MSI (s) (D8:40) [15:54:26:908]: Invoking remote custom action. DLL: C:\windows\Installer\MSI59EB.tmp, Entrypoint: Install
MSI (s) (D8:80) [15:54:26:970]: Generating random cookie.
MSI (s) (D8:80) [15:54:26:986]: Created Custom Action Server with PID 12308 (0x3014).
MSI (s) (D8:74) [15:54:27:227]: Running as a service.
MSI (s) (D8:74) [15:54:27:253]: Hello, I'm your 64bit Impersonated custom action server.
Action start 15:54:26: InstallCustomAction.
SFXCA: Extracting custom action to temporary directory: C:\windows\Installer\MSI59EB.tmp-\
SFXCA: Binding to CLR version v4.0.30319
Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Install
2024-10-10 19:54:38.1970 Debug CustomActions RunActionGroup InstallActionGroup started
2024-10-10 19:54:38.2264 Debug InstallActionGroup Apply started
2024-10-10 19:54:38.2264 Debug CreateDirectoryDeploymentAction Apply started [suppressFailure=False]
2024-10-10 19:54:38.2420 Debug CreateDirectoryDeploymentAction Apply finished
2024-10-10 19:54:38.2420 Debug DownloadMinorDeploymentPackageBytesAction Apply started [suppressFailure=False]
2024-10-10 19:54:41.9326 Debug DownloadMinorDeploymentPackageBytesAction Apply finished
2024-10-10 19:54:41.9482 Debug UnpackDeploymentPackageBytesAction Apply started [suppressFailure=False]
2024-10-10 19:54:47.8276 Debug UnpackDeploymentPackageBytesAction Apply finished
2024-10-10 19:54:47.8427 Debug RunDeployerMajorDeploymentAction Apply started [suppressFailure=False]
2024-10-10 19:54:47.8896 Info RunDeployerMajorDeploymentAction ApplyInternal started [filePath=iK1cVt1Xc4vGwiroM2VEUg== _arguments=T4sYPoIz64FeLb4UnM4vNA==]
2024-10-10 20:00:08.9110 Info RunDeployerMajorDeploymentAction ApplyInternal finished [isSuccessful=False]
2024-10-10 20:00:08.9735 Debug InstallActionGroup Revert started
2024-10-10 20:00:08.9735 Warn InstallActionGroup Revert reverting [rollbackAction=UnpackDeploymentPackageBytesAction index=0 count=3]
2024-10-10 20:00:08.9891 Debug UnpackDeploymentPackageBytesAction Revert started
2024-10-10 20:00:09.1298 Debug UnpackDeploymentPackageBytesAction Revert finished
2024-10-10 20:00:09.1454 Warn InstallActionGroup Revert reverting [rollbackAction=DownloadMinorDeploymentPackageBytesAction index=1 count=3]
2024-10-10 20:00:09.1621 Debug DownloadMinorDeploymentPackageBytesAction Revert started
2024-10-10 20:00:09.1621 Debug DownloadMinorDeploymentPackageBytesAction Revert finished
2024-10-10 20:00:09.1766 Warn InstallActionGroup Revert reverting [rollbackAction=CreateDirectoryDeploymentAction index=2 count=3]
2024-10-10 20:00:09.1766 Debug CreateDirectoryDeploymentAction Revert started
2024-10-10 20:00:09.1766 Debug CreateDirectoryDeploymentAction Revert finished
2024-10-10 20:00:09.2079 Debug InstallActionGroup Revert finished
2024-10-10 20:00:09.2512 Error DeploymentAction Failed to apply InstallActionGroup
Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=RunDeployerMajorDeploymentAction]
at Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(Boolean suppressFailure)
at Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(Boolean suppressFailure)
at Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.RunActionGroup(DeploymentActionGroup deploymentActionGroup, Session session)
2024-10-10 20:00:09.2572 Debug CustomActions RunActionGroup InstallActionGroup finished [result=Failure]
CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (D8:B8) [16:00:09:586]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
Action ended 16:00:09: InstallCustomAction. Return value 3.
MSI (s) (D8:B8) [16:00:09:586]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D8:B8) [16:00:09:586]: No System Restore sequence number for this installation.
MSI (s) (D8:B8) [16:00:09:586]: Unlocking Server
Action ended 16:00:09: INSTALL. Return value 3.
Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2}
Property(S): TARGETDIR = C:\
Property(S): ALLUSERS = 1
Property(S): Manufacturer = Microsoft Corporation
Property(S): ProductCode = {3725E0BC-A942-4D76-A0AC-0BF7197CCD26}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Azure Advanced Threat Protection Sensor
Property(S): ProductVersion = 2.240.18288.55492
Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED
Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION
Property(S): MsiLogFileLocation = C:\Users\v-<name>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241010155357_000_MsiPackage.log
Property(S): PackageCode = {8C836763-469E-4773-93EC-0FA1DC250242}
Property(S): ProductState = -1
Property(S): PackagecodeChanging = 1
Property(S): ARPSYSTEMCOMPONENT = 1
Property(S): MSIFASTINSTALL = 7
Property(S): ACCESSKEY = **********
Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor
Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)\
Property(S): REBOOT = ReallySuppress
Property(S): CURRENTDIRECTORY = C:\Temp\GLB-C-DefenderForIdentitySensor\Azure ATP Sensor Setup (6)
Property(S): CLIENTUILEVEL = 3
Property(S): MSICLIENTUSESEXTERNALUI = 1
Property(S): CLIENTPROCESSID = 1824
Property(S): MsiSystemRebootPending = 1
Property(S): VersionDatabase = 500
Property(S): VersionMsi = 5.00
Property(S): VersionNT = 603
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 3
Property(S): MsiNTSuiteDataCenter = 1
Property(S): WindowsFolder = C:\windows\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\windows\system32\
Property(S): SystemFolder = C:\windows\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\v-<name>.admin\AppData\Local\Temp\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\v-<name>.admin\AppData\Roaming\
Property(S): FavoritesFolder = C:\Users\v-<name>.admin\Favorites\
Property(S): NetHoodFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\v-<name>.admin\Documents\
Property(S): PrintHoodFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\v-<name>.admin\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\v-<name>.admin\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\v-<name>.admin\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\windows\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 8192
Property(S): VirtualMemory = 4026
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser = v-<name>.admin
Property(S): UserSID = S-1-5-21-4037986163-3075043171-3260184774-136610
Property(S): UserLanguageID = 1033
Property(S): ComputerName = AZVDS01
Property(S): SystemLanguageID = 1033
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 23
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 16:00:09
Property(S): Date = 10/10/2024
Property(S): MsiNetAssemblySupport = 4.8.3761.0
Property(S): MsiWin32AssemblySupport = 6.3.14393.5786
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): Privileged = 1
Property(S): DATABASE = C:\windows\Installer\69b9569f.msi
Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi
Property(S): UILevel = 2
Property(S): MsiUISourceResOnly = 1
Property(S): ACTION = INSTALL
Property(S): ROOTDRIVE = C:\
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): INSTALLLEVEL = 1
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 1708
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2205 2: 3: Error
MSI (s) (D8:B8) [16:00:09:655]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (D8:B8) [16:00:09:655]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.

MSI (s) (D8:B8) [16:00:09:655]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.240.18288.55492. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

MSI (s) (D8:B8) [16:00:09:670]: Deferring clean up of packages/files, if any exist
MSI (s) (D8:B8) [16:00:09:670]: MainEngineThread is returning 1603
MSI (s) (D8:54) [16:00:09:686]: RESTART MANAGER: Session closed.
MSI (s) (D8:54) [16:00:09:686]: No System Restore sequence number for this installation.
=== Logging stopped: 10/10/2024 16:00:09 ===
MSI (s) (D8:54) [16:00:09:717]: User policy value 'DisableRollback' is 0
MSI (s) (D8:54) [16:00:09:717]: Machine policy value 'DisableRollback' is 0
MSI (s) (D8:54) [16:00:09:717]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D8:54) [16:00:09:717]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D8:54) [16:00:09:717]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (D8:54) [16:00:09:717]: Destroying RemoteAPI object.
MSI (s) (D8:80) [16:00:09:717]: Custom Action Manager thread ending.
MSI (c) (20:F4) [16:00:09:733]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (20:F4) [16:00:09:733]: MainEngineThread is returning 1603
=== Verbose logging stopped: 10/10/2024 16:00:09 ===

 

 

  • Alikoc
    Iron Contributor

    Hi,
    Can you check the steps I will forward? I believe it will be useful in reaching a solution.

     

     

    1. Check for Pending Updates and Restart:
       - Ensure that the server has no pending Windows Updates. Sometimes, pending updates or a required restart can interfere with installations.
       - Restart the server to clear any temporary issues and try the installation again.
    2. Verify .NET Framework Version:
       - ATP Sensor installation may require a specific .NET Framework version. Ensure the server has the latest .NET Framework installed (ideally, version 4.7.2 or later).
       - You can download the latest .NET Framework from the Microsoft website.
    3. Ensure Sufficient Permissions:
       - Verify that the account used to install the ATP sensor has administrator privileges on the server.
       - Also, ensure that the account has permission to write to the required directories and access necessary registry entries.
    4. Check Microsoft Defender for Identity Sensor Requirements:
       - Ensure the server meets all prerequisites for installing the ATP sensor. Check if there are specific role or feature requirements, such as certain Windows services or firewall settings.
    5. Disable Anti-Virus/Third-Party Security Software Temporarily:
       - If there is any third-party antivirus or security software, try temporarily disabling it. Sometimes, security software interferes with the ATP installation by blocking files or processes.
    6. Check the Logs for More Details:
       - Click on the View Logs option during installation failure to get more information about why the installation is failing.
       - Logs can often indicate a specific dependency or permission issue that may need to be addressed.
    7. Clear the Software Distribution Folder:
       - Sometimes, clearing the Software Distribution folder can resolve installation issues.
       - To do this:
         a. Stop the Windows Update service by running net stop wuauserv in Command Prompt (as administrator).
         b. Go to C:\Windows\SoftwareDistribution and delete the contents of the folder.
         c. Start the Windows Update service again by running net start wuauserv.
    8. Reinstall ATP Sensor as Administrator:
       - Try running the installer with elevated privileges (right-click and select Run as administrator).

     

    These steps should help in troubleshooting the installation failure.
    Best Regards,

    Ali Koc

  • ryan666
    Copper Contributor
    BTW - These logs are from the EntraSync server. I get the same error on several DCs.
    • RyanP1895
      Copper Contributor
      Hi and sorry for the delay. Here are the Deployer logs:

      2024-10-21 15:53:50.7051 Info Program Main Deployer started [arguments=T4sYPoIz64FeLb4UnM4vNA==]
      2024-10-21 15:53:50.9863 Debug InstallActionGroup Apply started
      2024-10-21 15:53:50.9863 Debug CreateCertificateAction Apply started [suppressFailure=False]
      2024-10-21 15:53:51.6712 Debug CreateCertificateAction Apply finished
      2024-10-21 15:53:51.6712 Debug CreateSensorAction Apply started [suppressFailure=False]
      2024-10-21 15:53:54.1407 Info CreateSensorAction ApplyInternal Adfs installation research log [adfsCommandOutput=Get-Command : The term 'Get-AdfsProperties' is not recognized as the name of a cmdlet, function, script file, or
      operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
      again.
      At line:1 char:2
      + (Get-Command Get-AdfsProperties).Source
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : ObjectNotFound: (Get-AdfsProperties:String) [Get-Command], CommandNotFoundException
      + FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.GetCommandCommand

      adfssrv state=null user=<removed>]
      2024-10-21 15:53:54.1407 Info CreateSensorAction ApplyInternal Sense machine id registry value:
      2024-10-21 15:53:54.3126 Warn CreateSensorAction ApplyInternal Started
      2024-10-21 15:53:54.5432 Warn CreateSensorAction ApplyInternal Auto selected DC: domainControllerDnsName=FaeYPcf01r4dSE6DvdnR4w==]
      2024-10-21 15:53:55.1013 Debug CreateSensorAction Apply finished
      2024-10-21 15:53:55.1013 Debug TestCertificateAndProxyAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.2997 Debug TestCertificateAndProxyAction Apply finished
      2024-10-21 15:53:55.2997 Debug SaveSensorMandatoryConfigurationAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.3619 Debug SaveSensorMandatoryConfigurationAction Apply finished
      2024-10-21 15:53:55.3619 Debug CreateServicesActionGroup Apply started
      2024-10-21 15:53:55.3619 Debug CreateServiceAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.3775 Debug CreateServiceAction Apply finished
      2024-10-21 15:53:55.3775 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.4713 Debug SetServiceDescriptionAction Apply finished
      2024-10-21 15:53:55.4713 Debug ConfigureServiceAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.5497 Debug ConfigureServiceAction Apply finished
      2024-10-21 15:53:55.5497 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.6434 Debug SetServicePreshutdownTimeoutAction Apply finished
      2024-10-21 15:53:55.6434 Debug CreateServiceAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.6434 Debug CreateServiceAction Apply finished
      2024-10-21 15:53:55.6434 Debug SetServiceDescriptionAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.7283 Debug SetServiceDescriptionAction Apply finished
      2024-10-21 15:53:55.7283 Debug ConfigureServiceAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.8064 Debug ConfigureServiceAction Apply finished
      2024-10-21 15:53:55.8064 Debug SetServicePreshutdownTimeoutAction Apply started [suppressFailure=False]
      2024-10-21 15:53:55.9002 Debug SetServicePreshutdownTimeoutAction Apply finished
      2024-10-21 15:53:55.9002 Debug CreateServicesActionGroup Apply finished
      2024-10-21 15:53:55.9002 Debug ConfigureVirtualServiceAccountAction Apply started [suppressFailure=False]
      2024-10-21 15:53:56.0877 Debug ConfigureVirtualServiceAccountAction Apply finished
      2024-10-21 15:53:56.0877 Debug RegisterCrashDumpsAction Apply started [suppressFailure=False]
      2024-10-21 15:53:56.0877 Debug RegisterCrashDumpsAction Apply finished
      2024-10-21 15:53:56.0877 Debug EnableTls12Action Apply started [suppressFailure=False]
      2024-10-21 15:53:56.0877 Debug EnableTls12Action Apply finished
      2024-10-21 15:53:56.0877 Debug CopyServiceLogsOnRevertAction Apply started [suppressFailure=False]
      2024-10-21 15:53:56.0877 Debug CopyServiceLogsOnRevertAction Apply finished
      2024-10-21 15:53:56.0877 Debug StartServiceAction Apply started [suppressFailure=False]
      2024-10-21 15:54:56.8514 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
      at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
      at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
      2024-10-21 15:55:58.6528 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
      at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
      at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
      2024-10-21 15:57:00.8093 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
      at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
      at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
      2024-10-21 15:58:02.4864 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
      at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
      at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
      2024-10-21 15:59:03.6600 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
      at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
      at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
      2024-10-21 15:59:03.6620 Debug InstallActionGroup Revert started
      2024-10-21 15:59:03.6620 Warn InstallActionGroup Revert reverting [rollbackAction=CopyServiceLogsOnRevertAction index=0 count=9]
      2024-10-21 15:59:03.6620 Debug CopyServiceLogsOnRevertAction Revert started
      2024-10-21 15:59:03.6953 Debug CopyServiceLogsOnRevertAction Revert finished
      2024-10-21 15:59:03.6953 Warn InstallActionGroup Revert reverting [rollbackAction=EnableTls12Action index=1 count=9]
      2024-10-21 15:59:03.6953 Debug EnableTls12Action Revert started
      2024-10-21 15:59:03.6953 Debug EnableTls12Action Revert finished
      2024-10-21 15:59:03.6953 Warn InstallActionGroup Revert reverting [rollbackAction=RegisterCrashDumpsAction index=2 count=9]
      2024-10-21 15:59:03.6953 Debug RegisterCrashDumpsAction Revert started
      2024-10-21 15:59:03.6953 Debug RegisterCrashDumpsAction Revert finished
      2024-10-21 15:59:03.6953 Warn InstallActionGroup Revert reverting [rollbackAction=ConfigureVirtualServiceAccountAction index=3 count=9]
      2024-10-21 15:59:03.6953 Debug ConfigureVirtualServiceAccountAction Revert started
      2024-10-21 15:59:03.6953 Debug ConfigureVirtualServiceAccountAction Revert finished
      2024-10-21 15:59:03.6953 Warn InstallActionGroup Revert reverting [rollbackAction=CreateServicesActionGroup index=4 count=9]
      2024-10-21 15:59:03.6953 Debug CreateServicesActionGroup Revert started
      2024-10-21 15:59:03.6953 Warn CreateServicesActionGroup Revert reverting [rollbackAction=SetServicePreshutdownTimeoutAction index=0 count=8]
      2024-10-21 15:59:03.6953 Debug SetServicePreshutdownTimeoutAction Revert started
      2024-10-21 15:59:03.6953 Debug SetServicePreshutdownTimeoutAction Revert finished
      2024-10-21 15:59:03.6953 Warn CreateServicesActionGroup Revert reverting [rollbackAction=ConfigureServiceAction index=1 count=8]
      2024-10-21 15:59:03.6953 Debug ConfigureServiceAction Revert started
      2024-10-21 15:59:03.6953 Debug ConfigureServiceAction Revert finished
      2024-10-21 15:59:03.6953 Warn CreateServicesActionGroup Revert reverting [rollbackAction=SetServiceDescriptionAction index=2 count=8]
      2024-10-21 15:59:03.6953 Debug SetServiceDescriptionAction Revert started
      2024-10-21 15:59:03.6953 Debug SetServiceDescriptionAction Revert finished
      2024-10-21 15:59:03.6953 Warn CreateServicesActionGroup Revert reverting [rollbackAction=CreateServiceAction index=3 count=8]
      2024-10-21 15:59:03.6953 Debug CreateServiceAction Revert started
      2024-10-21 15:59:03.9297 Debug ServiceControllerExtension DeleteService succeeded [name=AATPSensor]
      2024-10-21 15:59:03.9297 Debug CreateServiceAction Revert finished
      2024-10-21 15:59:03.9297 Warn CreateServicesActionGroup Revert reverting [rollbackAction=SetServicePreshutdownTimeoutAction index=4 count=8]
      2024-10-21 15:59:03.9297 Debug SetServicePreshutdownTimeoutAction Revert started
      2024-10-21 15:59:03.9297 Debug SetServicePreshutdownTimeoutAction Revert finished
      2024-10-21 15:59:03.9297 Warn CreateServicesActionGroup Revert reverting [rollbackAction=ConfigureServiceAction index=5 count=8]
      2024-10-21 15:59:03.9297 Debug ConfigureServiceAction Revert started
      2024-10-21 15:59:03.9297 Debug ConfigureServiceAction Revert finished
      2024-10-21 15:59:03.9297 Warn CreateServicesActionGroup Revert reverting [rollbackAction=SetServiceDescriptionAction index=6 count=8]
      2024-10-21 15:59:03.9297 Debug SetServiceDescriptionAction Revert started
      2024-10-21 15:59:03.9297 Debug SetServiceDescriptionAction Revert finished
      2024-10-21 15:59:03.9297 Warn CreateServicesActionGroup Revert reverting [rollbackAction=CreateServiceAction index=7 count=8]
      2024-10-21 15:59:03.9297 Debug CreateServiceAction Revert started
      2024-10-21 15:59:04.1641 Debug ServiceControllerExtension DeleteService succeeded [name=AATPSensorUpdater]
      2024-10-21 15:59:04.1641 Debug CreateServiceAction Revert finished
      2024-10-21 15:59:04.1641 Debug CreateServicesActionGroup Revert finished
      2024-10-21 15:59:04.1641 Warn InstallActionGroup Revert reverting [rollbackAction=SaveSensorMandatoryConfigurationAction index=5 count=9]
      2024-10-21 15:59:04.1641 Debug SaveSensorMandatoryConfigurationAction Revert started
      2024-10-21 15:59:04.1641 Debug SaveSensorMandatoryConfigurationAction Revert finished
      2024-10-21 15:59:04.1641 Warn InstallActionGroup Revert reverting [rollbackAction=TestCertificateAndProxyAction index=6 count=9]
      2024-10-21 15:59:04.1641 Debug TestCertificateAndProxyAction Revert started
      2024-10-21 15:59:04.1641 Debug TestCertificateAndProxyAction Revert finished
      2024-10-21 15:59:04.1641 Warn InstallActionGroup Revert reverting [rollbackAction=CreateSensorAction index=7 count=9]
      2024-10-21 15:59:04.1641 Debug CreateSensorAction Revert started
      2024-10-21 15:59:04.5187 Debug CreateSensorAction Revert finished
      2024-10-21 15:59:04.5187 Warn InstallActionGroup Revert reverting [rollbackAction=CreateCertificateAction index=8 count=9]
      2024-10-21 15:59:04.5187 Debug CreateCertificateAction Revert started
      2024-10-21 15:59:04.5187 Debug CreateCertificateAction Revert finished
      2024-10-21 15:59:04.5187 Debug InstallActionGroup Revert finished
      2024-10-21 15:59:04.6124 Error DeploymentAction Deployer failed [arguments=T4sYPoIz64FeLb4UnM4vNA==]
      Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=StartServiceAction]
      at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
      at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)
      at int Microsoft.Tri.Sensor.Deployment.Deployer.Program.Main(string[] commandLineArguments)
      • bboggs
        Copper Contributor
        My logs are showing this same thing, hopefully someone can help the both of us!
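
Added example (not part of any post in this thread and not Microsoft tooling): a small Python triage of a Deployer log like the one posted above. It reports which deployment action never finished, which service timed out and how long the installer stalled before reverting, and it decodes the thread's 0x80070643 into the Win32 code 1603 that the MSI log reports. The sample lines are constructed by trimming the posted log, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a trimmed copy of the Deployer log posted in the thread.
SAMPLE_LOG = """\
2024-10-21 15:53:50.9863 Debug InstallActionGroup Apply started
2024-10-21 15:53:55.3619 Debug CreateServiceAction Apply started [suppressFailure=False]
2024-10-21 15:53:55.3775 Debug CreateServiceAction Apply finished
2024-10-21 15:53:56.0877 Debug StartServiceAction Apply started [suppressFailure=False]
2024-10-21 15:54:56.8514 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)]
2024-10-21 15:55:58.6528 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensorUpdater status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)]
2024-10-21 15:59:03.6620 Debug InstallActionGroup Revert started
2024-10-21 15:59:04.6124 Error DeploymentAction Deployer failed [arguments=<removed>]
Microsoft.Tri.Infrastructure.ExtendedException: Apply failed [Type=StartServiceAction]
   at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
"""

RECORD = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(Debug|Info|Warn|Error)\s+(\S+)\s+(.*)$"
)
SERVICE_FAIL = re.compile(r"failed to change service status \[name=(\S+) status=(\S+)")
APPLY_FAILED = re.compile(r"Apply failed \[Type=(\w+)\]")


def decode_hresult(value):
    """Split an HRESULT given as a hex string, unsigned int or signed int32."""
    hr = int(value, 16) if isinstance(value, str) else value
    hr &= 0xFFFFFFFF  # normalises the signed form some installers log
    return {"failure": bool(hr >> 31), "facility": (hr >> 16) & 0x1FFF, "code": hr & 0xFFFF}


def parse_records(text):
    """Return log records; lines without a timestamp (stack traces) join the record above."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts, level, source, msg = m.groups()
            records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                            "level": level, "source": source, "msg": msg})
        elif records and line.strip():
            records[-1]["msg"] += "\n" + line.strip()
    return records


def triage(text):
    """Summarise why a Deployer run reverted."""
    open_actions = {}   # action name -> timestamp of its unmatched "Apply started"
    timeouts = Counter()
    failed_action = None
    revert_at = None
    for r in parse_records(text):
        if r["msg"].startswith("Apply started"):
            open_actions[r["source"]] = r["ts"]
        elif r["msg"].startswith("Apply finished"):
            open_actions.pop(r["source"], None)
        elif r["msg"].startswith("Revert started") and revert_at is None:
            revert_at = r["ts"]
        if r["level"] == "Error":
            m = SERVICE_FAIL.search(r["msg"])
            if m and "TimeoutException" in r["msg"]:
                timeouts[m.group(1)] += 1
            m = APPLY_FAILED.search(r["msg"])
            if m:
                failed_action = m.group(1)
    stalled = None
    if failed_action in open_actions and revert_at is not None:
        stalled = (revert_at - open_actions[failed_action]).total_seconds()
    return {
        "failed_action": failed_action,
        "unfinished_actions": sorted(open_actions),
        "service_timeouts": dict(timeouts),
        "stalled_seconds": stalled,
    }


if __name__ == "__main__":
    # Facility 7 is FACILITY_WIN32; code 1603 is the generic "installation failed" status.
    print(decode_hresult("0x80070643"))
    print(triage(SAMPLE_LOG))
```

Because 1603 only says that the MSI failed, the useful output is the failed action and the service name; here they point at the AATPSensorUpdater service never reaching Running.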
  • RyanP1895
    Copper Contributor

    Here are my Sensor logs. Thanks in advance for your help:

     

    [33B4:0FD4][2024-11-06T07:38:31]i001: Burn v3.11.2.4516, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Users\<username>.admin\AppData\Local\Temp\12\{62FFBA84-2319-4871-9784-B5BB33199284}\.cr\Azure ATP Sensor Setup.exe
    [33B4:0FD4][2024-11-06T07:38:31]i000: Initializing hidden variable 'AccessKey'
    [33B4:0FD4][2024-11-06T07:38:31]i000: Initializing hidden variable 'ProxyConfiguration'
    [33B4:0FD4][2024-11-06T07:38:31]i000: Initializing hidden variable 'ProxyUserPassword'
    [33B4:0FD4][2024-11-06T07:38:31]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
    [33B4:0FD4][2024-11-06T07:38:31]i009: Command Line: '"-burn.clean.room=C:\Temp\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=484 -burn.filehandle.self=496'
    [33B4:0FD4][2024-11-06T07:38:31]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Temp\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe'
    [33B4:0FD4][2024-11-06T07:38:31]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Temp\Azure ATP Sensor Setup\'
    [33B4:0FD4][2024-11-06T07:38:33]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\<username>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241106073833.log'
    [33B4:0FD4][2024-11-06T07:38:33]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
    [33B4:0FD4][2024-11-06T07:38:33]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
    [33B4:0FD4][2024-11-06T07:38:33]i000: Loading managed bootstrapper application.
    [33B4:0FD4][2024-11-06T07:38:33]i000: Creating BA thread to run asynchronously.
    [33B4:0FD4][2024-11-06T07:38:34]i100: Detect begin, 5 packages
    [33B4:0FD4][2024-11-06T07:38:34]i000: 2024-11-06 12:38:34.9321 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]
    [33B4:0FD4][2024-11-06T07:38:34]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
    [33B4:0FD4][2024-11-06T07:38:34]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
    [33B4:0FD4][2024-11-06T07:38:34]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
    [33B4:0FD4][2024-11-06T07:38:34]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
    [33B4:0FD4][2024-11-06T07:38:34]i000: Setting string variable 'NetFrameworkRegistryValue' to value '528049'
    [33B4:0FD4][2024-11-06T07:38:34]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
    [33B4:0FD4][2024-11-06T07:38:34]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
    [33B4:0FD4][2024-11-06T07:38:34]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
    [33B4:0FD4][2024-11-06T07:38:34]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
    [33B4:0FD4][2024-11-06T07:38:34]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
    [33B4:0FD4][2024-11-06T07:38:34]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
    [33B4:0FD4][2024-11-06T07:38:34]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
    [33B4:0FD4][2024-11-06T07:38:34]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
    [33B4:0FD4][2024-11-06T07:38:34]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
    [33B4:0FD4][2024-11-06T07:38:34]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
    [33B4:0FD4][2024-11-06T07:38:34]i101: Detected package: MsiPackage, state: Absent, cached: None
    [33B4:0FD4][2024-11-06T07:38:34]i199: Detect complete, result: 0x0
    [33B4:2B28][2024-11-06T07:38:34]i000: 2024-11-06 12:38:34.9634 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]
    [33B4:2B28][2024-11-06T07:38:35]i000: 2024-11-06 12:38:35.1651 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
    [33B4:2B28][2024-11-06T07:39:14]i000: 2024-11-06 12:39:14.2484 Info  Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]
    [33B4:2B28][2024-11-06T07:39:14]i000: Setting string variable 'IsConfigured' to value 'True'
    [33B4:2B28][2024-11-06T07:39:14]i000: Setting hidden variable 'AccessKey'
    [33B4:2B28][2024-11-06T07:39:14]i000: Unsetting variable 'DelayedUpdate'
    [33B4:2B28][2024-11-06T07:39:14]i000: Unsetting variable 'LogsPath'
    [33B4:2B28][2024-11-06T07:39:14]i000: Setting hidden variable 'ProxyConfiguration'
    [33B4:2B28][2024-11-06T07:39:14]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'
    [33B4:0FD4][2024-11-06T07:39:14]i200: Plan begin, 5 packages, action: Install
    [33B4:0FD4][2024-11-06T07:39:14]i052: Condition 'VersionNT64 = v6.1' evaluates to false.
    [33B4:0FD4][2024-11-06T07:39:14]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
    [33B4:0FD4][2024-11-06T07:39:14]i052: Condition 'VersionNT64 = v6.2' evaluates to false.
    [33B4:0FD4][2024-11-06T07:39:14]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
    [33B4:0FD4][2024-11-06T07:39:14]i052: Condition 'ServerLevelsServerCoreRegistryValue <> 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.
    [33B4:0FD4][2024-11-06T07:39:14]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
    [33B4:0FD4][2024-11-06T07:39:14]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue <> 1' evaluates to false.
    [33B4:0FD4][2024-11-06T07:39:14]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
    [33B4:0FD4][2024-11-06T07:39:14]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Users\<username>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241106073833_000_MsiPackage_rollback.log'
    [33B4:0FD4][2024-11-06T07:39:14]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Users\<username>.admin\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20241106073833_000_MsiPackage.log'
    [33B4:0FD4][2024-11-06T07:39:14]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
    [33B4:0FD4][2024-11-06T07:39:14]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
    [33B4:0FD4][2024-11-06T07:39:14]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
    [33B4:0FD4][2024-11-06T07:39:14]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
    [33B4:0FD4][2024-11-06T07:39:14]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
    [33B4:0FD4][2024-11-06T07:39:14]i299: Plan complete, result: 0x0
    [33B4:0FD4][2024-11-06T07:39:14]i300: Apply begin
    [33B4:0FD4][2024-11-06T07:39:14]i010: Launching elevated engine process.
    [33B4:0FD4][2024-11-06T07:39:18]i011: Launched elevated engine process.
    [33B4:0FD4][2024-11-06T07:39:18]i012: Connected to elevated engine.
    [1A3C:22B4][2024-11-06T07:39:18]i358: Pausing automatic updates.
    [1A3C:22B4][2024-11-06T07:39:18]i359: Paused automatic updates.
    [1A3C:22B4][2024-11-06T07:39:18]i360: Creating a system restore point.
    [1A3C:22B4][2024-11-06T07:39:18]i362: System restore disabled, system restore point not created.
    [1A3C:22B4][2024-11-06T07:39:18]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{be359e01-d4fe-4480-a4d8-5d2e68694edd}, options: 0x7, disable resume: No
    [1A3C:22B4][2024-11-06T07:39:18]i000: Caching bundle from: 'C:\Users\<username>.admin\AppData\Local\Temp\12\{19CE23F5-1413-432D-9924-FCEADF62B20D}\.be\Azure ATP Sensor Setup.exe' to: 'C:\ProgramData\Package Cache\{be359e01-d4fe-4480-a4d8-5d2e68694edd}\Azure ATP Sensor Setup.exe'
    [1A3C:22B4][2024-11-06T07:39:18]i320: Registering bundle dependency provider: {be359e01-d4fe-4480-a4d8-5d2e68694edd}, version: 2.240.18288.55492
    [1A3C:22B4][2024-11-06T07:39:18]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{be359e01-d4fe-4480-a4d8-5d2e68694edd}, resume: Active, restart initiated: No, disable resume: No
    [1A3C:0BF4][2024-11-06T07:39:20]i305: Verified acquired payload: MsiPackage at path: C:\ProgramData\Package Cache\.unverified\MsiPackage, moving to: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi.
    [1A3C:0BF4][2024-11-06T07:39:20]i305: Verified acquired payload: cab9C68882706A1052319FE6C1B5DE23439 at path: C:\ProgramData\Package Cache\.unverified\cab9C68882706A1052319FE6C1B5DE23439, moving to: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\1.
    [1A3C:22B4][2024-11-06T07:39:20]i323: Registering package dependency provider: {3725E0BC-A942-4D76-A0AC-0BF7197CCD26}, version: 2.240.18288.55492, package: MsiPackage
    [1A3C:22B4][2024-11-06T07:39:21]i301: Applying execute package: MsiPackage, action: Install, path: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\Microsoft.Tri.Sensor.Deployment.Package.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" DelayedUpdate="" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" LogsPath="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="C:\Temp\Azure ATP Sensor Setup\"'
    [1A3C:22B4][2024-11-06T07:44:58]e000: Error 0x80070643: Failed to install MSI package.
    [1A3C:22B4][2024-11-06T07:44:58]e000: Error 0x80070643: Failed to execute MSI package.
    [33B4:0FD4][2024-11-06T07:44:58]e000: Error 0x80070643: Failed to configure per-machine MSI package.
    [33B4:0FD4][2024-11-06T07:44:58]i000: 2024-11-06 12:44:58.4738 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]
    [33B4:0FD4][2024-11-06T07:44:58]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
    [33B4:0FD4][2024-11-06T07:44:58]e000: Error 0x80070643: Failed to execute MSI package.
    [1A3C:22B4][2024-11-06T07:44:58]i318: Skipped rollback of package: MsiPackage, action: Uninstall, already: Absent
    [33B4:0FD4][2024-11-06T07:44:58]i319: Applied rollback package: MsiPackage, result: 0x0, restart: None
    [1A3C:22B4][2024-11-06T07:44:58]i329: Removed package dependency provider: {3725E0BC-A942-4D76-A0AC-0BF7197CCD26}, package: MsiPackage
    [1A3C:22B4][2024-11-06T07:44:58]i351: Removing cached package: MsiPackage, from path: C:\ProgramData\Package Cache\{3725E0BC-A942-4D76-A0AC-0BF7197CCD26}v2.240.18288.55492\
    [1A3C:22B4][2024-11-06T07:44:58]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{be359e01-d4fe-4480-a4d8-5d2e68694edd}, resume: None, restart: None, disable resume: No
    [1A3C:22B4][2024-11-06T07:44:58]i330: Removed bundle dependency provider: {be359e01-d4fe-4480-a4d8-5d2e68694edd}
    [1A3C:22B4][2024-11-06T07:44:58]i352: Removing cached bundle: {be359e01-d4fe-4480-a4d8-5d2e68694edd}, from path: C:\ProgramData\Package Cache\{be359e01-d4fe-4480-a4d8-5d2e68694edd}\
    [1A3C:22B4][2024-11-06T07:44:58]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{be359e01-d4fe-4480-a4d8-5d2e68694edd}, resume: None, restart initiated: No, disable resume: No
    [33B4:0FD4][2024-11-06T07:44:58]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart:  No
    [33B4:202C][2024-11-06T14:31:20]i400: Received system request to shut down the process: critical: Yes, elevated: No, allowed: Yes

    • EliOfek
      Microsoft

      That's the deployment bootstrapper log, not the sensor log. There should be another file...

  • RyanP1895
    Copper Contributor

    Sorry about that. It's difficult to know which log is which. The file name of that log I posted is:

    Azure Advanced Threat Protection Sensor_20241106073833.log

    That's not the sensor log?

     

    The other logs in that folder are:

    Azure Advanced Threat Protection Sensor_20241106073833_000_MsiPackage.log

    Microsoft.Tri.Sensor.Deployment.Deployer_20241106123941.log

    Microsoft.Tri.Sensor.Updater-Errors.log

    Is one of those the right one?

    • EliOfek
      Microsoft

      Indeed a bit tricky.
      Microsoft.Tri.Sensor.Updater-Errors.log -> we need this one for sure.
      Also, if you find:
      Microsoft.Tri.Sensor-Errors.log or Microsoft.Tri.Sensor.log then get them as well.

      • RyanP1895
        Copper Contributor

        Hi, about the Microsoft.Tri.Sensor.Updater-Errors.log. This site won't let me post it:

        Not sure why. There is nothing about "data" or "test-id" or "h1" in the logs .....

        Can I pm it to you?

         

        About the other logs, I don't see anything under C:\Users\<username>\AppData\Local\Temp. And no install folder because installation fails. Might there be another location?

  • RyanP1895
    Copper Contributor

    That was it! Thank you!

    I ran this:

    lodctr /e:Tcpip

     

    And suddenly the sensor install works!

    Much appreciated EliOfek
