SOLVED

Sensor failing to install on all DCs

Microsoft

Has anyone seen any of these errors?  Trying to install the sensor, but it is failing on both VMWare and HyperV DC.  .NET 4.8 is installed and it doesn't matter if NPCap is installed or not.  Traffic appears to be getting through the firewall.

 

2021-08-26 18:53:48.8640 Error EventLogException Deployer failed [arguments=IwODjlqAqQaXxJYpF4fBCw==]
System.Diagnostics.Eventing.Reader.EventLogInvalidDataException: The data is invalid
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at void System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSaveChannelConfig(EventLogHandle channelConfig, int flags)
at bool Microsoft.Tri.Sensor.Deployment.Deployer.ConfigureVirtualServiceAccountAction.ApplyInternal()
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)
at int Microsoft.Tri.Sensor.Deployment.Deployer.Program.Main(string[] commandLineArguments)

 

[0F20:18C0][2021-08-26T11:53:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[0F20:18C0][2021-08-26T11:53:50]i000: 2021-08-26 18:53:50.1290 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]

 

MSI (s) (54:8C) [11:53:49:943]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.
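Added example (not part of the original post, and not Microsoft's tooling): a short Python triage of the three log excerpts above. It shows that `status=-2147023293`, `0x80070643` and MSI status 1603 are the same generic install failure, and that the deployer stack trace is what names the failing step. The function names `decode_hresult` and `triage` are assumptions made for this illustration.

```python
import re

# Excerpts copied from the three logs quoted in the post above.
DEPLOYER_LOG = r"""2021-08-26 18:53:48.8640 Error EventLogException Deployer failed [arguments=IwODjlqAqQaXxJYpF4fBCw==]
System.Diagnostics.Eventing.Reader.EventLogInvalidDataException: The data is invalid
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at void System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSaveChannelConfig(EventLogHandle channelConfig, int flags)
at bool Microsoft.Tri.Sensor.Deployment.Deployer.ConfigureVirtualServiceAccountAction.ApplyInternal()
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)"""
BOOTSTRAPPER_LOG = r"""[0F20:18C0][2021-08-26T11:53:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[0F20:18C0][2021-08-26T11:53:50]i000: 2021-08-26 18:53:50.1290 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]"""
MSI_LOG = "Manufacturer: Microsoft Corporation. Installation success or error status: 1603."

def decode_hresult(value):
    """Split a signed or unsigned 32-bit HRESULT into severity, facility and code."""
    u = value & 0xFFFFFFFF
    return {"hex": f"0x{u:08X}", "failed": bool(u >> 31),
            "facility": (u >> 16) & 0x7FF, "code": u & 0xFFFF}

def triage(deployer, bootstrapper, msi):
    """Correlate the three logs and name the deployment step that threw."""
    hr = decode_hresult(int(re.search(r"status=(-?\d+)", bootstrapper).group(1)))
    burn_hex = re.search(r"Error (0x[0-9A-Fa-f]{8})", bootstrapper).group(1)
    msi_status = int(re.search(r"error status: (\d+)", msi).group(1))
    frames = re.findall(r"^at \S+ ([\w.]+)\(", deployer, re.M)
    exc = re.search(r"^([\w.]+Exception): (.+)$", deployer, re.M)
    return {
        "hresult": hr["hex"],
        "same_error_in_all_logs": (hr["failed"] and hr["facility"] == 7  # FACILITY_WIN32
                                   and hr["code"] == msi_status
                                   and burn_hex.upper() == hr["hex"].upper()),
        "win32_code": hr["code"],  # 1603 = ERROR_INSTALL_FAILURE (generic MSI failure)
        "exception": exc.group(1).rsplit(".", 1)[-1],
        "message": exc.group(2).strip(),
        # First frame in the product namespace: the deployment action that failed.
        "failed_step": next(f for f in frames if f.startswith("Microsoft.Tri.")),
        # Windows event log API call that raised the error underneath it.
        "native_call": next(f for f in frames if ".NativeWrapper." in f).rsplit(".", 1)[-1],
    }

if __name__ == "__main__":
    for key, value in triage(DEPLOYER_LOG, BOOTSTRAPPER_LOG, MSI_LOG).items():
        print(f"{key}: {value}")
```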

11 Replies
The deployment fails when it tries to give the sensor read access to read logs from the local security event log; either there is a corruption or the machine was hardened to block it...
The server has been hardened, so what do I need to give access to the read logs? Would that be the gMSA that we set up?
No,
The deployment needs permissions to modify the ACL on this log.
Try to give modify ACL permissions to the account running the deployment.

Hello,

 

I'm facing the same issue. Running an "out of the box" WS2019 domain controller (no specific GPOs applied). I'm running the installation using a domain admin account and npcap 1.0 is installed.

I checked the security log and domain admins have Full control on this event log.

 

Any idea?

 

Laurent

@Laurent_Cardon We're having the exact same issue with our out-of-the-box Server 2019 Domain Controller as well. Were you able to resolve this yourself? I'll poke at the above suggestion for ACLs.

I strongly advise opening a support ticket for this. The current workaround is running the deployment as SYSTEM (psexec -s), but it's important to open a case to get this issue tracked correctly.
We have an existing ticket with MS Support. They diagnosed the issue as a corrupt .NET framework... I was in the process of updating that ticket when I checked in on this thread. I'll inform our SWAT team that the current onboarding process for MDI sensors is not functional.

I will run the package installer as system. Thank you!
best response confirmed by Laurent_Cardon (Microsoft)
Solution
Same issue here. Last week a Server 2019 domain controller installation went fine, now it gives exit code 0x80070643. Installing via a .cmd file with the quiet parameter and starting it via psexec -s worked for me.

@bobbybregman2490 

 

me too - psexec -s -i "c:\atp instahlur\Azure ATP Sensor Setup.exe"

Yes, it worked for me too

@Laurent_Cardon @LisaMelone @kentain @bobbybregman2490 @MRedbourne 

 

https://docs.microsoft.com/en-us/defender-for-identity/whats-new#defender-for-identity-release-2173

We've released the updated installation package. Please note it may take a couple of days to reach your sensor download page.