ATP sensor installation failed

Hi all,

I'm having trouble installing the Azure ATP sensor on a Windows Server 2012 R2 x64. The proxy can be reached and the sensor even shows up in the console, but then the installation fails and a rollback gets initiated.

Exit code is: 0x80070643.

There's no AV installed and no other security policy that has an effect on that machine.

[19F0:137C][2018-07-04T11:33:42]i410: Variable: AccessKey = *****
[19F0:137C][2018-07-04T11:33:42]i410: Variable: InstallationPath = C:\Program Files\Azure Advanced Threat Protection Sensor
[19F0:137C][2018-07-04T11:33:42]i410: Variable: IsConfigured = True
[19F0:137C][2018-07-04T11:33:42]i410: Variable: Kb4019990Windows2008R2Exists = 0
[19F0:137C][2018-07-04T11:33:42]i410: Variable: Kb4019990Windows2012Exists = 0
[19F0:137C][2018-07-04T11:33:42]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui
[19F0:137C][2018-07-04T11:33:42]i410: Variable: NetFrameworkRegistryValue = 460805
[19F0:137C][2018-07-04T11:33:42]i410: Variable: RebootPending = 0
[19F0:137C][2018-07-04T11:33:42]i410: Variable: ServerLevelsServerCoreRegistryValue = 1
[19F0:137C][2018-07-04T11:33:42]i410: Variable: ServerLevelsServerGuiShellRegistryValue = 1
[19F0:137C][2018-07-04T11:33:42]i410: Variable: VersionNT64 = 6.3.0.0
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleAction = 5
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleElevated = 1
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleLog = C:\Users\xxxx\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20180704112648.log
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleLog_MsiPackage = C:\Users\xxxxx\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20180704112648_000_MsiPackage.log
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleManufacturer = Microsoft Corporation
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleOriginalSource = C:\Temp\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleOriginalSourceFolder = C:\Temp\Azure ATP Sensor Setup\
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleProviderKey = {b50da163-5fe8-40cc-9bfc-8373ab225867}
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleRollbackLog_MsiPackage = C:\Users\xxxxx\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20180704112648_000_MsiPackage_rollback.log
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleSourceProcessFolder = C:\Temp\Azure ATP Sensor Setup\
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleSourceProcessPath = C:\Temp\Azure ATP Sensor Setup\Azure ATP Sensor Setup.exe
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleTag =
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleUILevel = 4
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleVersion = 2.0.0.0
[19F0:137C][2018-07-04T11:33:42]i007: Exit code: 0x80070643, restarting: No
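
An added example, not part of the original post: a small parser for the installer log format shown above that decodes the exit code and pulls out the per-package MSI log path, which is where the failing action is recorded. The sample input is a short excerpt of the posted lines; the function names and the one-entry error table are this example's own.

```python
import re

# Excerpt of the Burn (WiX bootstrapper) log lines from the post, embedded so this runs offline.
SAMPLE_LOG = r"""
[19F0:137C][2018-07-04T11:33:42]i410: Variable: RebootPending = 0
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleLog_MsiPackage = C:\Users\xxxxx\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20180704112648_000_MsiPackage.log
[19F0:137C][2018-07-04T11:33:42]i410: Variable: WixBundleTag =
[19F0:137C][2018-07-04T11:33:42]i007: Exit code: 0x80070643, restarting: No
"""

# [PID:TID][timestamp]<level><3-digit message id>: <message>
LINE_RE = re.compile(r"^\[[0-9A-F]+:[0-9A-F]+\]\[[^\]]+\][iwe]\d{3}: (.*)$")
VAR_RE = re.compile(r"^Variable: (\w+) = ?(.*)$")
EXIT_RE = re.compile(r"^Exit code: (0x[0-9A-Fa-f]+)")

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code
WIN32_NAMES = {1603: "ERROR_INSTALL_FAILURE"}  # only the code seen in this thread

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    return bool(value & 0x80000000), (value >> 16) & 0x7FF, value & 0xFFFF

def parse_burn_log(text):
    """Return (variables dict, exit code as int or None)."""
    variables, exit_code = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-Burn line
        var = VAR_RE.match(m[1])
        if var:
            variables[var[1]] = var[2]
        code = EXIT_RE.match(m[1])
        if code:
            exit_code = int(code[1], 16)
    return variables, exit_code

def summarize(text):
    """Decode the exit code and list the per-package logs to read next."""
    variables, exit_code = parse_burn_log(text)
    summary = {"exit_code": exit_code, "package_logs": sorted(
        v for k, v in variables.items() if k.startswith("WixBundleLog_"))}
    if exit_code is not None:
        failed, facility, code = decode_hresult(exit_code)
        summary["failed"] = failed
        if facility == FACILITY_WIN32:
            summary["win32"] = (code, WIN32_NAMES.get(code, "unknown"))
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

0x80070643 decodes to Win32 error 1603, the generic Windows Installer failure code, so the bundle log only says that the MSI failed; in the `_MsiPackage.log` file it points to, the failing action is conventionally found by searching for `Return value 3`.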

 

 

 

 

3 Replies

Hi Alexander,

First I was thinking it had to do with a DNS issue.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy

But I also remember that I had an issue because of hardware requirements.

Packets per second*   CPU (cores)   Memory (GB)
0-1k                  0.25          2.50
1k-5k                 0.75          6.00
5k-10k                1.00          6.50
10k-20k               2.00          9.00
20k-50k               3.50          9.50
50k-75k               3.50          9.50
75k-100k              3.50          9.50

 

I feel like it's hard to troubleshoot ATP. I'll send your issue to another group.

 

Thomas 

Hi Thomas, 
We've tried different servers (physical and virtual) with different CPU and RAM. I can say that a lack of hardware is not the issue. I've furthermore figured out that the installation of the MSI itself went through fine, but when the routine tried to register the services there was an issue. Both services were created fine, but it seems that they couldn't be started. In the meantime the server even showed up in the Azure ATP dashboard. Then the rollback happened....

I checked a little; it comes back with a proxy issue.

But have you tried asking this in the Enterprise Mobility + Security forum? It has its own tab for ATP :)

Hope you get better help there. If I find out your issue, I'll ping you.

 

Thomas