Forum Discussion
Error Installing ATP sensor on DC
Hi, Installing on Windows server 2019 DC Worked on one DC and failed on the second one. It says its about proxy or SSL incpection but using the same network configuration for both DC..... Only...
EliOfek
Microsoft
Microsoft.net 4.8 is fully supported and should not have any negative effect on deployment.
make sure you have all the correct root certs deployed according to the docs, and if it's still does not work, I suggest to open supports case.
I would also try to take a network trace from a working deployment vs a non working and try to compare.
make sure you have all the correct root certs deployed according to the docs, and if it's still does not work, I suggest to open supports case.
I would also try to take a network trace from a working deployment vs a non working and try to compare.
Hi, got my problem fixed.
The issue was still .NET framework, adding these registry keys fixed the problem:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
The issue was still .NET framework, adding these registry keys fixed the problem:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
- I have the same issue trying to get the sensor installed on multiple machines. DC and an ADFS machine. I receive the same error on both 0x80070643. Ive read through these replies and everything is the way it should be. Im not sure what to try next....
- EliOfek
Shaun848 The error code alone is not enough to pinpoint the problem.
You need to check the deployment logs and search for the error that caused the failure.
https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs- My apologies:
=== Verbose logging started: 8/10/2023 8:51:39 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Users\ADM~1.SHE\AppData\Local\Temp\3\{2B0E2C72-99B3-4FF9-910C-2941D4E56C1A}\.be\Azure ATP Sensor Setup.exe ===
MSI (c) (18:64) [08:51:39:310]: Resetting cached policy values
MSI (c) (18:64) [08:51:39:310]: Machine policy value 'Debug' is 0
MSI (c) (18:64) [08:51:39:310]: ******* RunEngine:
******* Product: C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi
******* Action:
******* CommandLine: **********
MSI (c) (18:64) [08:51:39:326]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (18:64) [08:51:39:326]: Grabbed execution mutex.
MSI (c) (18:64) [08:51:39:529]: Cloaking enabled.
MSI (c) (18:64) [08:51:39:529]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (18:64) [08:51:39:545]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:CC) [08:51:39:576]: Running installation inside multi-package transaction C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi
MSI (s) (24:CC) [08:51:39:576]: Grabbed execution mutex.
MSI (s) (24:F0) [08:51:39:576]: Resetting cached policy values
MSI (s) (24:F0) [08:51:39:576]: Machine policy value 'Debug' is 0
MSI (s) (24:F0) [08:51:39:576]: ******* RunEngine:
******* Product: C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi
******* Action:
******* CommandLine: **********
MSI (s) (24:F0) [08:51:39:592]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (24:F0) [08:51:39:592]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (24:F0) [08:51:39:592]: SRSetRestorePoint skipped for this transaction.
MSI (s) (24:F0) [08:51:39:607]: File will have security applied from OpCode.
MSI (s) (24:F0) [08:51:39:857]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi' against software restriction policy
MSI (s) (24:F0) [08:51:39:857]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi has a digital signature
MSI (s) (24:F0) [08:51:40:076]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:F0) [08:51:40:076]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (24:F0) [08:51:40:076]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (24:F0) [08:51:40:092]: MSCOREE not loaded loading copy from system32
MSI (s) (24:F0) [08:51:40:107]: End dialog not enabled
MSI (s) (24:F0) [08:51:40:107]: Original package ==> C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi
MSI (s) (24:F0) [08:51:40:107]: Package we're running from ==> C:\Windows\Installer\23fb6c0.msi
MSI (s) (24:F0) [08:51:40:107]: APPCOMPAT: Compatibility mode property overrides found.
MSI (s) (24:F0) [08:51:40:107]: APPCOMPAT: looking for appcompat database entry with ProductCode '{D851E1CD-9114-4C42-B10E-BCB9352A0D54}'.
MSI (s) (24:F0) [08:51:40:107]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (24:F0) [08:51:40:123]: Machine policy value 'TransformsSecure' is 1
MSI (s) (24:F0) [08:51:40:123]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (24:F0) [08:51:40:123]: Machine policy value 'DisablePatch' is 0
MSI (s) (24:F0) [08:51:40:123]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (24:F0) [08:51:40:123]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (24:F0) [08:51:40:123]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (24:F0) [08:51:40:123]: APPCOMPAT: looking for appcompat database entry with ProductCode '{D851E1CD-9114-4C42-B10E-BCB9352A0D54}'.
MSI (s) (24:F0) [08:51:40:123]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (24:F0) [08:51:40:123]: Transforms are not secure.
MSI (s) (24:F0) [08:51:40:123]: Note: 1: 2205 2: 3: Control
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\ADM~1.SHE\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20230810085029_000_MsiPackage.log'.
MSI (s) (24:F0) [08:51:40:123]: Command Line: ARPSYSTEMCOMPONENT=1 MSIFASTINSTALL=7 ACCESSKEY=********** DelayedUpdate= InstallationPath=C:\Program Files\Azure Advanced Threat Protection Sensor InstalledVersion= LogsPath= PROXYCONFIGURATION=********** WixBundleOriginalSourceFolder=C:\Users\adm.shealy\Desktop\Azure ATP Sensor Setup\ REBOOT=ReallySuppress CURRENTDIRECTORY=C:\Users\adm.shealy\Desktop\Azure ATP Sensor Setup CLIENTUILEVEL=3 MSICLIENTUSESEXTERNALUI=1 CLIENTPROCESSID=7192
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{48329C40-2261-4F81-836A-1A5EDCD291E8}'.
MSI (s) (24:F0) [08:51:40:123]: Product Code passed to Engine.Initialize: ''
MSI (s) (24:F0) [08:51:40:123]: Product Code from property table before transforms: '{D851E1CD-9114-4C42-B10E-BCB9352A0D54}'
MSI (s) (24:F0) [08:51:40:123]: Product Code from property table after transforms: '{D851E1CD-9114-4C42-B10E-BCB9352A0D54}'
MSI (s) (24:F0) [08:51:40:123]: Product not registered: beginning first-time install
MSI (s) (24:F0) [08:51:40:123]: Product {D851E1CD-9114-4C42-B10E-BCB9352A0D54} is not managed.
MSI (s) (24:F0) [08:51:40:123]: MSI_LUA: Credential prompt not required, user is an admin
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (24:F0) [08:51:40:123]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (24:F0) [08:51:40:123]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (24:F0) [08:51:40:123]: Adding new sources is allowed.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (24:F0) [08:51:40:123]: Package name extracted from package path: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (24:F0) [08:51:40:123]: Package to be registered: 'Microsoft.Tri.Sensor.Deployment.Package.msi'
MSI (s) (24:F0) [08:51:40:123]: Note: 1: 2205 2: 3: Error
MSI (s) (24:F0) [08:51:40:123]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (24:F0) [08:51:40:123]: Machine policy value 'DisableMsi' is 1
MSI (s) (24:F0) [08:51:40:123]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (24:F0) [08:51:40:123]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (24:F0) [08:51:40:123]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (24:F0) [08:51:40:123]: Running product '{D851E1CD-9114-4C42-B10E-BCB9352A0D54}' with elevated privileges: Product is assigned.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding ARPSYSTEMCOMPONENT property. Its value is '1'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding MSIFASTINSTALL property. Its value is '7'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding ACCESSKEY property. Its value is '**********'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding INSTALLATIONPATH property. Its value is 'C:\Program Files\Azure Advanced Threat Protection Sensor'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding WIXBUNDLEORIGINALSOURCEFOLDER property. Its value is 'C:\Users\adm.shealy\Desktop\Azure ATP Sensor Setup\'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'C:\Users\adm.shealy\Desktop\Azure ATP Sensor Setup'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding MSICLIENTUSESEXTERNALUI property. Its value is '1'.
MSI (s) (24:F0) [08:51:40:123]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '7192'.
MSI (s) (24:F0) [08:51:40:123]: Machine policy value 'DisableAutomaticApplicationShutdown' is 0
MSI (s) (24:F0) [08:51:40:139]: PROPERTY CHANGE: Adding MsiRestartManagerSessionKey property. Its value is 'c2b7754b76d6684fa6fede1bbe083d2b'.
MSI (s) (24:F0) [08:51:40:139]: RESTART MANAGER: Session opened.
MSI (s) (24:F0) [08:51:40:139]: PROPERTY CHANGE: Adding MsiSystemRebootPending property. Its value is '1'.
MSI (s) (24:F0) [08:51:40:139]: TRANSFORMS property is now:
MSI (s) (24:F0) [08:51:40:139]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '500'.
MSI (s) (24:F0) [08:51:40:139]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming
MSI (s) (24:F0) [08:51:40:139]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\Favorites
MSI (s) (24:F0) [08:51:40:139]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Network Shortcuts
MSI (s) (24:F0) [08:51:40:139]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\Documents
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Recent
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\SendTo
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Templates
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\ProgramData
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Local
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\Pictures
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (24:F0) [08:51:40:154]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (24:F0) [08:51:40:310]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
MSI (s) (24:F0) [08:51:40:326]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
MSI (s) (24:F0) [08:51:40:326]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
MSI (s) (24:F0) [08:51:40:326]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
MSI (s) (24:F0) [08:51:40:326]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MSI (s) (24:F0) [08:51:40:326]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
MSI (s) (24:F0) [08:51:40:326]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Start Menu
MSI (s) (24:F0) [08:51:40:326]: SHELL32::SHGetFolderPath returned: C:\Users\adm.shealy\Desktop
MSI (s) (24:F0) [08:51:40:326]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
MSI (s) (24:F0) [08:51:40:342]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
MSI (s) (24:F0) [08:51:40:342]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (24:F0) [08:51:40:342]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (24:F0) [08:51:40:342]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (24:F0) [08:51:40:342]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (24:F0) [08:51:40:342]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (24:F0) [08:51:40:342]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (24:F0) [08:51:40:342]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\Windows\Installer\23fb6c0.msi'.
MSI (s) (24:F0) [08:51:40:342]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi'.
MSI (s) (24:F0) [08:51:40:342]: Machine policy value 'MsiDisableEmbeddedUI' is 0
MSI (s) (24:F0) [08:51:40:342]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
MSI (s) (24:F0) [08:51:40:342]: EEUI - Disabling MsiEmbeddedUI for service because it's not a quiet/basic install
MSI (s) (24:F0) [08:51:40:342]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (24:F0) [08:51:40:342]: Machine policy value 'DisableRollback' is 0
MSI (s) (24:F0) [08:51:40:342]: User policy value 'DisableRollback' is 0
MSI (s) (24:F0) [08:51:40:342]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (s) (24:F0) [08:51:40:342]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'.
=== Logging started: 8/10/2023 8:51:40 ===
MSI (s) (24:F0) [08:51:40:342]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (24:F0) [08:51:40:342]: APPCOMPAT: [DetectVersionLaunchCondition] Launch condition already passes.
MSI (s) (24:F0) [08:51:40:342]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (24:F0) [08:51:40:342]: Doing action: INSTALL
MSI (s) (24:F0) [08:51:40:342]: Note: 1: 2205 2: 3: ActionText
Action start 8:51:40: INSTALL.
MSI (s) (24:F0) [08:51:40:342]: Running ExecuteSequence
MSI (s) (24:F0) [08:51:40:342]: Doing action: FindRelatedProducts
MSI (s) (24:F0) [08:51:40:342]: Note: 1: 2205 2: 3: ActionText
Action start 8:51:40: FindRelatedProducts.
MSI (s) (24:F0) [08:51:40:357]: Doing action: LaunchConditions
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: FindRelatedProducts. Return value 1.
Action start 8:51:40: LaunchConditions.
MSI (s) (24:F0) [08:51:40:357]: Doing action: ValidateProductID
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: LaunchConditions. Return value 1.
Action start 8:51:40: ValidateProductID.
MSI (s) (24:F0) [08:51:40:357]: Doing action: CostInitialize
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: ValidateProductID. Return value 1.
MSI (s) (24:F0) [08:51:40:357]: Machine policy value 'MaxPatchCacheSize' is 10
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding ROOTDRIVE property. Its value is 'C:\'.
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding CostingComplete property. Its value is '0'.
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: Patch
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: MsiPatchHeaders
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: __MsiPatchFileList
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2228 2: 3: PatchPackage 4: SELECT `DiskId`, `PatchId`, `LastSequence` FROM `Media`, `PatchPackage` WHERE `Media`.`DiskId`=`PatchPackage`.`Media_` ORDER BY `DiskId`
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: Patch
Action start 8:51:40: CostInitialize.
MSI (s) (24:F0) [08:51:40:357]: Doing action: FileCost
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: CostInitialize. Return value 1.
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: MsiAssembly
Action start 8:51:40: FileCost.
MSI (s) (24:F0) [08:51:40:357]: Doing action: CostFinalize
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: FileCost. Return value 1.
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding OutOfDiskSpace property. Its value is '0'.
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding OutOfNoRbDiskSpace property. Its value is '0'.
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceAvailable property. Its value is '0'.
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRequired property. Its value is '0'.
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding PrimaryVolumeSpaceRemaining property. Its value is '0'.
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: Patch
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: Condition
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding TARGETDIR property. Its value is 'C:\'.
MSI (s) (24:F0) [08:51:40:357]: Target path resolution complete. Dumping Directory table...
MSI (s) (24:F0) [08:51:40:357]: Note: target paths subject to change (via custom actions or browsing)
MSI (s) (24:F0) [08:51:40:357]: Dir (target): Key: TARGETDIR , Object: C:\
MSI (s) (24:F0) [08:51:40:357]: PROPERTY CHANGE: Adding INSTALLLEVEL property. Its value is '1'.
MSI (s) (24:F0) [08:51:40:357]: Note: 1: 2205 2: 3: MsiAssembly
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2228 2: 3: MsiAssembly 4: SELECT `MsiAssembly`.`Attributes`, `MsiAssembly`.`File_Application`, `MsiAssembly`.`File_Manifest`, `Component`.`KeyPath` FROM `MsiAssembly`, `Component` WHERE `MsiAssembly`.`Component_` = `Component`.`Component` AND `MsiAssembly`.`Component_` = ?
Action start 8:51:40: CostFinalize.
MSI (s) (24:F0) [08:51:40:373]: Doing action: MigrateFeatureStates
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: CostFinalize. Return value 1.
Action start 8:51:40: MigrateFeatureStates.
MSI (s) (24:F0) [08:51:40:373]: Doing action: InstallValidate
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: MigrateFeatureStates. Return value 0.
MSI (s) (24:F0) [08:51:40:373]: PROPERTY CHANGE: Deleting MsiRestartManagerSessionKey property. Its current value is 'c2b7754b76d6684fa6fede1bbe083d2b'.
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: Dialog
MSI (s) (24:F0) [08:51:40:373]: Feature: ProductFeature; Installed: Absent; Request: Local; Action: Local
MSI (s) (24:F0) [08:51:40:373]: Component: ProductComponent; Installed: Absent; Request: Local; Action: Local
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: Registry
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: BindImage
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: ProgId
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: Extension
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: Font
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: Class
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: Icon
MSI (s) (24:F0) [08:51:40:373]: Note: 1: 2205 2: 3: TypeLib
Action start 8:51:40: InstallValidate.
MSI (s) (24:F0) [08:51:40:389]: Note: 1: 2205 2: 3: _RemoveFilePath
MSI (s) (24:F0) [08:51:40:389]: Note: 1: 2205 2: 3: MsiFileHash
MSI (s) (24:F0) [08:51:40:404]: PROPERTY CHANGE: Modifying CostingComplete property. Its current value is '0'. Its new value: '1'.
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: Registry
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: BindImage
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: ProgId
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: PublishComponent
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: SelfReg
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: Extension
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: Font
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: Shortcut
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: Class
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: Icon
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: TypeLib
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2727 2:
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2205 2: 3: FilesInUse
MSI (s) (24:F0) [08:51:40:404]: Note: 1: 2727 2:
MSI (s) (24:F0) [08:51:40:420]: Doing action: InstallInitialize
MSI (s) (24:F0) [08:51:40:420]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: InstallValidate. Return value 1.
MSI (s) (24:F0) [08:51:40:420]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (24:F0) [08:51:40:420]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (24:F0) [08:51:40:420]: BeginTransaction: Locking Server
MSI (s) (24:F0) [08:51:40:420]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (24:F0) [08:51:40:420]: SRSetRestorePoint skipped for this transaction.
MSI (s) (24:F0) [08:51:40:420]: Note: 1: 2203 2: C:\Windows\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (24:F0) [08:51:40:420]: Server not locked: locking for product {D851E1CD-9114-4C42-B10E-BCB9352A0D54}
Action start 8:51:40: InstallInitialize.
MSI (s) (24:F0) [08:51:40:451]: Doing action: InstallCustomAction
MSI (s) (24:F0) [08:51:40:451]: Note: 1: 2205 2: 3: ActionText
Action ended 8:51:40: InstallInitialize. Return value 1.
MSI (s) (24:90) [08:51:40:685]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIBA1B.tmp, Entrypoint: Install
MSI (s) (24:FC) [08:51:40:701]: Generating random cookie.
MSI (s) (24:FC) [08:51:40:701]: Created Custom Action Server with PID 7532 (0x1D6C).
MSI (s) (24:24) [08:51:40:826]: Running as a service.
MSI (s) (24:24) [08:51:40:842]: Hello, I'm your 64bit Impersonated custom action server.
Action start 8:51:40: InstallCustomAction.
SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSIBA1B.tmp-\
SFXCA: Binding to CLR version v4.0.30319
Calling custom action Microsoft.Tri.Sensor.Deployment.Package.Actions!Microsoft.Tri.Sensor.Deployment.Package.Actions.CustomActions.Install
2023-08-10 12:51:57.2172 Debug CustomActions RunActionGroup InstallActionGroup started
2023-08-10 12:51:57.2484 Debug InstallActionGroup Apply started
2023-08-10 12:51:57.2484 Debug CreateDirectoryDeploymentAction Apply started [suppressFailure=False]
2023-08-10 12:51:57.2484 Debug CreateDirectoryDeploymentAction Apply finished
2023-08-10 12:51:57.2484 Debug DownloadMinorDeploymentPackageBytesAction Apply started [suppressFailure=False]
CustomAction InstallCustomAction returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (24:F0) [08:51:58:076]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (24:F0) [08:51:58:076]: Machine policy value 'DisableRollback' is 0
MSI (s) (24:F0) [08:51:58:076]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
Action ended 8:51:58: InstallCustomAction. Return value 3.
MSI (s) (24:F0) [08:51:58:076]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:F0) [08:51:58:076]: No System Restore sequence number for this installation.
MSI (s) (24:F0) [08:51:58:076]: Unlocking Server
Action ended 8:51:58: INSTALL. Return value 3.
Property(S): UpgradeCode = {EDFB49E0-16FA-4535-B268-BD1B81B15DC2}
Property(S): TARGETDIR = C:\
Property(S): ALLUSERS = 1
Property(S): Manufacturer = Microsoft Corporation
Property(S): ProductCode = {D851E1CD-9114-4C42-B10E-BCB9352A0D54}
Property(S): ProductLanguage = 1033
Property(S): ProductName = Azure Advanced Threat Protection Sensor
Property(S): ProductVersion = 2.208.16822.55278
Property(S): SecureCustomProperties = WIX_DOWNGRADE_DETECTED;WIX_UPGRADE_DETECTED
Property(S): MsiHiddenProperties = ACCESSKEY;PROXYCONFIGURATION
Property(S): MsiLogFileLocation = C:\Users\ADM~1.SHE\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20230810085029_000_MsiPackage.log
Property(S): PackageCode = {48329C40-2261-4F81-836A-1A5EDCD291E8}
Property(S): ProductState = -1
Property(S): PackagecodeChanging = 1
Property(S): ARPSYSTEMCOMPONENT = 1
Property(S): MSIFASTINSTALL = 7
Property(S): ACCESSKEY = **********
Property(S): INSTALLATIONPATH = C:\Program Files\Azure Advanced Threat Protection Sensor
Property(S): WIXBUNDLEORIGINALSOURCEFOLDER = C:\Users\adm.shealy\Desktop\Azure ATP Sensor Setup\
Property(S): REBOOT = ReallySuppress
Property(S): CURRENTDIRECTORY = C:\Users\adm.shealy\Desktop\Azure ATP Sensor Setup
Property(S): CLIENTUILEVEL = 3
Property(S): MSICLIENTUSESEXTERNALUI = 1
Property(S): CLIENTPROCESSID = 7192
Property(S): MsiSystemRebootPending = 1
Property(S): VersionDatabase = 500
Property(S): VersionMsi = 5.00
Property(S): VersionNT = 603
Property(S): VersionNT64 = 603
Property(S): WindowsBuild = 9600
Property(S): ServicePackLevel = 0
Property(S): ServicePackLevelMinor = 0
Property(S): MsiNTProductType = 3
Property(S): MsiNTSuiteDataCenter = 1
Property(S): WindowsFolder = C:\Windows\
Property(S): WindowsVolume = C:\
Property(S): System64Folder = C:\Windows\system32\
Property(S): SystemFolder = C:\Windows\SysWOW64\
Property(S): RemoteAdminTS = 1
Property(S): TempFolder = C:\Users\ADM~1.SHE\AppData\Local\Temp\
Property(S): ProgramFilesFolder = C:\Program Files (x86)\
Property(S): CommonFilesFolder = C:\Program Files (x86)\Common Files\
Property(S): ProgramFiles64Folder = C:\Program Files\
Property(S): CommonFiles64Folder = C:\Program Files\Common Files\
Property(S): AppDataFolder = C:\Users\adm.shealy\AppData\Roaming\
Property(S): FavoritesFolder = C:\Users\adm.shealy\Favorites\
Property(S): NetHoodFolder = C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Network Shortcuts\
Property(S): PersonalFolder = C:\Users\adm.shealy\Documents\
Property(S): PrintHoodFolder = C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\
Property(S): RecentFolder = C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\Recent\
Property(S): SendToFolder = C:\Users\adm.shealy\AppData\Roaming\Microsoft\Windows\SendTo\
Property(S): TemplateFolder = C:\ProgramData\Microsoft\Windows\Templates\
Property(S): CommonAppDataFolder = C:\ProgramData\
Property(S): LocalAppDataFolder = C:\Users\adm.shealy\AppData\Local\
Property(S): MyPicturesFolder = C:\Users\adm.shealy\Pictures\
Property(S): AdminToolsFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\
Property(S): StartupFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Property(S): ProgramMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
Property(S): StartMenuFolder = C:\ProgramData\Microsoft\Windows\Start Menu\
Property(S): DesktopFolder = C:\Users\Public\Desktop\
Property(S): FontsFolder = C:\Windows\Fonts\
Property(S): GPTSupport = 1
Property(S): OLEAdvtSupport = 1
Property(S): ShellAdvtSupport = 1
Property(S): MsiAMD64 = 6
Property(S): Msix64 = 6
Property(S): Intel = 6
Property(S): PhysicalMemory = 8192
Property(S): VirtualMemory = 11709
Property(S): AdminUser = 1
Property(S): MsiTrueAdminUser = 1
Property(S): LogonUser = adm.shealy
Property(S): UserSID = S-1-5-21-2066556833-1054631362-1815244249-36736
Property(S): UserLanguageID = 1033
Property(S): ComputerName = CDSAZADFS01
Property(S): SystemLanguageID = 1033
Property(S): ScreenX = 1024
Property(S): ScreenY = 768
Property(S): CaptionHeight = 44
Property(S): BorderTop = 1
Property(S): BorderSide = 1
Property(S): MsiTabletPC = 1
Property(S): TextHeight = 16
Property(S): TextInternalLeading = 3
Property(S): ColorBits = 32
Property(S): TTCSupport = 1
Property(S): Time = 8:51:58
Property(S): Date = 8/10/2023
Property(S): MsiNetAssemblySupport = 4.7.2053.0
Property(S): MsiWin32AssemblySupport = 6.3.14393.5786
Property(S): RedirectedDllSupport = 2
Property(S): MsiRunningElevated = 1
Property(S): Privileged = 1
Property(S): DATABASE = C:\Windows\Installer\23fb6c0.msi
Property(S): OriginalDatabase = C:\ProgramData\Package Cache\{D851E1CD-9114-4C42-B10E-BCB9352A0D54}v2.208.16822.55278\Microsoft.Tri.Sensor.Deployment.Package.msi
Property(S): UILevel = 2
Property(S): MsiUISourceResOnly = 1
Property(S): ACTION = INSTALL
Property(S): ROOTDRIVE = C:\
Property(S): CostingComplete = 1
Property(S): OutOfDiskSpace = 0
Property(S): OutOfNoRbDiskSpace = 0
Property(S): PrimaryVolumeSpaceAvailable = 0
Property(S): PrimaryVolumeSpaceRequired = 0
Property(S): PrimaryVolumeSpaceRemaining = 0
Property(S): INSTALLLEVEL = 1
MSI (s) (24:F0) [08:51:58:107]: Note: 1: 1708
MSI (s) (24:F0) [08:51:58:107]: Note: 1: 2205 2: 3: Error
MSI (s) (24:F0) [08:51:58:107]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
MSI (s) (24:F0) [08:51:58:107]: Note: 1: 2205 2: 3: Error
MSI (s) (24:F0) [08:51:58:107]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (24:F0) [08:51:58:107]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.
MSI (s) (24:F0) [08:51:58:107]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.208.16822.55278. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
MSI (s) (24:F0) [08:51:58:107]: Deferring clean up of packages/files, if any exist
MSI (s) (24:F0) [08:51:58:107]: MainEngineThread is returning 1603
MSI (s) (24:CC) [08:51:58:139]: RESTART MANAGER: Session closed.
MSI (s) (24:CC) [08:51:58:139]: No System Restore sequence number for this installation.
=== Logging stopped: 8/10/2023 8:51:58 ===
MSI (s) (24:CC) [08:51:58:139]: User policy value 'DisableRollback' is 0
MSI (s) (24:CC) [08:51:58:139]: Machine policy value 'DisableRollback' is 0
MSI (s) (24:CC) [08:51:58:139]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:CC) [08:51:58:139]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:CC) [08:51:58:154]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:CC) [08:51:58:154]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (24:CC) [08:51:58:154]: Destroying RemoteAPI object.
MSI (s) (24:FC) [08:51:58:154]: Custom Action Manager thread ending.
MSI (c) (18:64) [08:51:58:170]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (18:64) [08:51:58:170]: MainEngineThread is returning 1603
=== Verbose logging stopped: 8/10/2023 8:51:58 ===
Im fairly new to the sensor process so I apologize if I missed something blatant.
- Martin_Schvartzman
SanderCYBR
Thank you. It's now also documented here https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues#applyinternal-failed-two-way-ssl-connection-to-service-error- We encounter the exact same issue and added the Reg-Keys. But only for .NETFramework\v4.0.30319 and not for .NETFramework\v2.0.50727.
It is still not working. Is required to also change for v2.0.50727?
Does changing these keys require a reboot?- Martin_Schvartzman
No. It's not required for .NET v2.0. But you may be encountering a different issue.
Did you install the sensor with the proxyUrl switch, or are you using a transparent proxy? It (the proxy) might be doing SSL inspection and it's breaking the sensor's communication.
