SOLVED

Sensor failing to install on all DCs

Microsoft

Has anyone seen any of these errors?  Trying to install the sensor, but it is failing on both VMWare and HyperV DC.  .NET 4.8 is installed and it doesn't matter if NPCap is installed or not.  Traffic appears to be getting through the firewall.

 

2021-08-26 18:53:48.8640 Error EventLogException Deployer failed [arguments=IwODjlqAqQaXxJYpF4fBCw==]
System.Diagnostics.Eventing.Reader.EventLogInvalidDataException: The data is invalid
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at void System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSaveChannelConfig(EventLogHandle channelConfig, int flags)
at bool Microsoft.Tri.Sensor.Deployment.Deployer.ConfigureVirtualServiceAccountAction.ApplyInternal()
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)
at int Microsoft.Tri.Sensor.Deployment.Deployer.Program.Main(string[] commandLineArguments)

 

[0F20:18C0][2021-08-26T11:53:50]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[0F20:18C0][2021-08-26T11:53:50]i000: 2021-08-26 18:53:50.1290 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]

 

MSI (s) (54:8C) [11:53:49:943]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

12 Replies
The deployment fails when it tries to give the sensor read access to read logs from the local security event log, either there is a corruption or the machien was hardened to block it...
The server has been hardened so what do I need to give access to the read logs? Would that be the gMSA that we setup?
No,
The deployment needs permissions to modify the ACL on this log.
Try to give modify ACL permissions to the account running the deployment.

Hello,

 

I'm facing the same issue. Running an "out of the box" WS2019 domain controller (no specific GPOs applied). I'm running the installation using a domain admin account and npcap 1.0 is installed.

I checked the security log and domain admins have Full control on this event log.

 

Any idea?

 

Laurent

@Laurent_Cardon We're having the exact same issue with out out-of-the-box Server 2019 Domain Controller as well. Were you able to resolve this yourself? I'll poke at the above suggestion for ACLs.

I strongly advise to open a support ticket for this. the current workaround is running the deployment as SYSTEM (psexec -s ), but it's important to open a case to get this issue tracked correctly.
We have an existing ticket with MS Support. They diagnosed the issue as a corrupt .NET framework... I was in the process of updating that ticket when I check in on this thread. I'll inform our SWAT team that the current onboarding process for MDI sensors is not functional.

I will run the package installer as system. Thank you!
best response confirmed by Laurent_Cardon (Microsoft)
Solution
same issue here, last week a server 2019 domain controller installation went fine, now it gives exit code 0x80070643. install via .cmd file with quiet parameter and starting via psexec -s worked for me.

@bobbybregman2490 

 

me too - psexec -s -i "c:\atp instahlur\Azure ATP Sensor Setup.exe"

Yes, it worked for me too

@Laurent_Cardon @LisaMelone @kentain @bobbybregman2490 @MRedbourne 

 

https://docs.microsoft.com/en-us/defender-for-identity/whats-new#defender-for-identity-release-2173

We've released the updated installation package. Please note it may take a couple of days to reach your sensor download page.

So I have been pulling out my hair for days with this issue. Went through countless posts and solutions and nothing worked. If I tried installing it via the executable in Windows it would fail with a error code 0x80070643. If I tried as suggested here to install with PSExec with the -s -i switches it would fail with a error code 1602 or 1603. After lots of trial and error I found the command line string that finally worked (not using psexec). I suspect it's because I am installing it on a DC running Server 2022.

Here is the string that worked:
"Azure ATP sensor Setup.exe" /quiet ProxyUrl="Insert your proxy with port here" AccessKey="insert your access key from the security portal here"

Hopefully it works for others and save them from trolling the internet for days like I did.

Ofcourse you need to change directory in CMD to the local folder you copied the Identity installation files to
1 best response

Accepted Solutions
best response confirmed by Laurent_Cardon (Microsoft)
Solution
same issue here, last week a server 2019 domain controller installation went fine, now it gives exit code 0x80070643. install via .cmd file with quiet parameter and starting via psexec -s worked for me.

View solution in original post