
LisaMelone (Microsoft)
Aug 26, 2021
Solved

Sensor failing to install on all DCs

Has anyone seen any of these errors? Trying to install the sensor, but it is failing on both VMware and Hyper-V DCs. .NET 4.8 is installed and it doesn't matter if Npcap is installed or not. Traffic appears to be getting through the firewall.

 

2021-08-26 18:53:48.8640 Error EventLogException Deployer failed [arguments=IwODjlqAqQaXxJYpF4fBCw==]
System.Diagnostics.Eventing.Reader.EventLogInvalidDataException: The data is invalid
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at void System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSaveChannelConfig(EventLogHandle channelConfig, int flags)
at bool Microsoft.Tri.Sensor.Deployment.Deployer.ConfigureVirtualServiceAccountAction.ApplyInternal()
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)
at int Microsoft.Tri.Sensor.Deployment.Deployer.Program.Main(string[] commandLineArguments)

 

[0F20:18C0][2021-08-26T11:53:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[0F20:18C0][2021-08-26T11:53:50]i000: 2021-08-26 18:53:50.1290 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]

 

MSI (s) (54:8C) [11:53:49:943]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

  • Same issue here. Last week a Server 2019 domain controller installation went fine; now it gives exit code 0x80070643. Installing via a .cmd file with the quiet parameter and starting it via psexec -s worked for me.

12 Replies

  • So I have been pulling out my hair for days with this issue. Went through countless posts and solutions and nothing worked. If I tried installing it via the executable in Windows, it would fail with an error code 0x80070643. If I tried, as suggested here, to install with PSExec with the -s -i switches, it would fail with an error code 1602 or 1603. After lots of trial and error I found the command line string that finally worked (not using psexec). I suspect it's because I am installing it on a DC running Server 2022.

    Here is the string that worked:
    "Azure ATP sensor Setup.exe" /quiet ProxyUrl="Insert your proxy with port here" AccessKey="insert your access key from the security portal here"

    Hopefully it works for others and saves them from trolling the internet for days like I did.

    Of course, you need to change directory in CMD to the local folder you copied the Identity installation files to.
  • The deployment fails when it tries to give the sensor read access to read logs from the local security event log; either there is a corruption or the machine was hardened to block it...
    • LisaMelone (Microsoft)
      The server has been hardened, so what do I need to give access to the read logs? Would that be the gMSA that we set up?
      • EliOfek (Microsoft)
        No,
        The deployment needs permissions to modify the ACL on this log.
        Try to give modify ACL permissions to the account running the deployment.
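
Added example (not part of the thread and not Microsoft's code): the three status values in the original post are one generic installer failure, while the deployer stack trace names the step that actually failed. This Python sketch decodes the codes and extracts that step from the log excerpts copied from the post; the function names are illustrative.

```python
import re

# Excerpts copied from the original post: deployer log, Burn bootstrapper log, MSI log.
DEPLOYER_LOG = r"""
2021-08-26 18:53:48.8640 Error EventLogException Deployer failed [arguments=IwODjlqAqQaXxJYpF4fBCw==]
System.Diagnostics.Eventing.Reader.EventLogInvalidDataException: The data is invalid
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at void System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSaveChannelConfig(EventLogHandle channelConfig, int flags)
at bool Microsoft.Tri.Sensor.Deployment.Deployer.ConfigureVirtualServiceAccountAction.ApplyInternal()
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
"""
BURN_LOG = r"""
[0F20:18C0][2021-08-26T11:53:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[0F20:18C0][2021-08-26T11:53:50]i000: 2021-08-26 18:53:50.1290 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]
"""
MSI_LOG = "Installation success or error status: 1603."

def decode_hresult(value):
    """Split an HRESULT (hex string or signed/unsigned int) into its bit fields."""
    n = (int(value, 16) if isinstance(value, str) else value) & 0xFFFFFFFF
    return {"hex": f"0x{n:08X}", "failed": bool(n >> 31),
            "facility": (n >> 16) & 0x7FF, "code": n & 0xFFFF}

def installer_codes(burn_log, msi_log):
    """Collect the Win32 error code behind every status the installer logs report."""
    codes = {decode_hresult(h)["code"] for h in re.findall(r"Error (0x[0-9A-Fa-f]{8}):", burn_log)}
    codes |= {decode_hresult(int(s))["code"] for s in re.findall(r"status=(-?\d+)", burn_log)}
    codes |= {int(s) for s in re.findall(r"error status: (\d+)", msi_log)}
    return codes

def failing_step(deployer_log):
    """Return the exception, the native call that threw, and the sensor action that made it."""
    exc = re.search(r"^([\w.]+Exception): (.*)$", deployer_log, re.M)
    frames = re.findall(r"^\s*at \S+ ([\w.]+)\(", deployer_log, re.M)
    native = next((f for f in frames if ".NativeWrapper." in f), None)
    action = next((f for f in frames if f.startswith("Microsoft.Tri.")), None)
    last = lambda name: name.rsplit(".", 1)[-1] if name else None
    return {"exception": last(exc.group(1)) if exc else None,
            "message": exc.group(2) if exc else None,
            "native_call": last(native),
            "action": action.split(".")[-2] if action else None}

if __name__ == "__main__":
    # 0x80070643, -2147023293 and 1603 all reduce to Win32 error 1603 (ERROR_INSTALL_FAILURE).
    print(installer_codes(BURN_LOG, MSI_LOG))
    print(failing_step(DEPLOYER_LOG))
```

Because all installer statuses collapse to the same code, the deployer log is the one that distinguishes this failure (the event log channel configuration step) from other 1603 causes.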
