question

0 Votes
DucheminDominique-7551 asked saldana-msft edited

Deployment FireEye 34.28 failed on few machines...

Hello,

I am deploying FireEye 34.28 and getting nothing in AppDiscovery.log but an error in AppEnforce.log on 9 machines out of 349...

Operating Systems: 10.0.14393.4704, 10.0.14393.5066 (Windows Server 2016...)

Entering ExecQueryAsync for query "select * from CCM_AppDeliveryType where (AppDeliveryTypeId = "ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee" AND Revision = 5)" AppDiscovery 4/19/2022 12:09:00 PM 10032 (0x2730)
Performing detection of app deployment type ISS - Servers - FireEye Endpoint Agent - Windows Installer (*.msi file)(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee, revision 5) for system. AppDiscovery 4/19/2022 12:09:01 PM 10032 (0x2730)
+++ Application not discovered. [AppDT Id: ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee, Revision: 5] AppDiscovery 4/19/2022 12:09:02 PM 10032 (0x2730)
+++ Did not detect app deployment type ISS - Servers - FireEye Endpoint Agent - Windows Installer (*.msi file)(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee, revision 5) for system. AppDiscovery 4/19/2022 12:09:02 PM 10032 (0x2730)
ActionType - Install will use Content Id: Content_b610e83d-2966-46be-be76-ee10967b4931 + Content Version: 1 for AppDT "ISS - Servers - FireEye Endpoint Agent - Windows Installer (*.msi file)" [ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee], Revision - 5 AppDiscovery 4/19/2022 12:09:05 PM 10032 (0x2730)

==========================================================================


+++ Starting Install enforcement for App DT "ISS - Servers - FireEye Endpoint Agent - Windows Installer (*.msi file)" ApplicationDeliveryType - ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee, Revision - 5, ContentPath - C:\Windows\ccmcache\a, Execution Context - System AppEnforce 4/19/2022 12:13:37 PM 5772 (0x168C)
Performing detection of app deployment type ISS - Servers - FireEye Endpoint Agent - Windows Installer (*.msi file)(ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee, revision 5) for system. AppEnforce 4/19/2022 12:13:37 PM 5772 (0x168C)
+++ Application not discovered. [AppDT Id: ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee, Revision: 5] AppEnforce 4/19/2022 12:13:37 PM 5772 (0x168C)
App enforcement environment:
Context: Machine
Command line: msiexec /i "xagtSetup_34.28.0_universal.msi" /q
Allow user interaction: No
UI mode: 0
User token: null
Session Id: 4294967295
Content path: C:\Windows\ccmcache\a
Working directory: AppEnforce 4/19/2022 12:13:37 PM 5772 (0x168C)
Prepared working directory: C:\Windows\ccmcache\a AppEnforce 4/19/2022 12:13:37 PM 5772 (0x168C)
Found executable file msiexec with complete path C:\Windows\system32\msiexec.exe
Prepared command line: "C:\Windows\system32\msiexec.exe" /i "xagtSetup_34.28.0_universal.msi" /q /qn
Valid MSI Package path = C:\Windows\ccmcache\a\xagtSetup_34.28.0_universal.msi
Advertising MSI package [C:\Windows\ccmcache\a\xagtSetup_34.28.0_universal.msi] to the system.
AdvertisePackage - MsiAdvertiseProduct Failed : 0x80070643 AppEnforce 4/19/2022 12:13:39 PM 5772 (0x168C)
AdvertisePackage failed (0x80070643). AppEnforce 4/19/2022 12:13:39 PM 5772 (0x168C)
Lowright users might fail to install this application if it requires higher privileges
Executing Command line: "C:\Windows\system32\msiexec.exe" /i "xagtSetup_34.28.0_universal.msi" /q /qn with system context
Working directory C:\Windows\ccmcache\a AppEnforce 4/19/2022 12:13:39 PM 5772 (0x168C)
Post install behavior is BasedOnExitCode AppEnforce 4/19/2022 12:13:39 PM 5772 (0x168C)
Waiting for process 1628 to finish. Timeout = 120 minutes. AppEnforce 4/19/2022 12:13:39 PM 5772 (0x168C)
Process 1628 terminated with exitcode: 1603 AppEnforce 4/19/2022 12:14:03 PM 5772 (0x168C)
Looking for exit code 1603 in exit codes table... AppEnforce 4/19/2022 12:14:03 PM 5772 (0x168C)
Unmatched exit code (1603) is considered an execution failure. AppEnforce 4/19/2022 12:14:03 PM 5772 (0x168C)
++++++ App enforcement completed (27 seconds) for App DT "ISS - Servers - FireEye Endpoint Agent - Windows Installer (*.msi file)" [ScopeId_67BB9074-421B-4166-A053-A8090F9523EF/DeploymentType_1751f620-0c2b-48f0-9618-b0efd1e0c5ee], Revision: 5, User SID: ] ++++++ AppEnforce 4/19/2022 12:14:03 PM 5772 (0x168C)

Any idea?
The context is SYSTEM...

Checking the two logs in C:\Windows\Temp:
MSI25e95.LOG
MSI26cec.LOG

Some errors:


actions.dll: [ValidateUpgradeTargets]: WIX_UPGRADE_DETECTED shows installed versions: {B0EC6D16-4A31-40B4-AB9A-CFBAB4C49A29};{6B1873F7-707F-462D-87E3-6D2BB362EC2B}.
MSI (s) (C0!E4) [15:58:25:483]: Closing MSIHANDLE (40) of type 790531 for thread 7652
MSI (s) (C0!E4) [15:58:25:486]: Creating MSIHANDLE (41) of type 790531 for thread 7652
actions.dll: [ValidateUpgradeTargets]: Installation aborted - multiple prior product versions have been detected.
MSI (s) (C0!E4) [15:58:25:491]: Closing MSIHANDLE (41) of type 790531 for thread 7652
CustomAction Action.ValidateUpgradeTargets returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (C0:DC) [15:58:25:498]: Closing MSIHANDLE (37) of type 790536 for thread 6464
Action ended 15:58:25: InstallExecute. Return value 3.


and


Action start 15:58:09: Action.BlockAdvertisedInstall.
Advertised installation is not supported.
MSI (s) (C0:AC) [15:58:09:957]: Product: FireEye Endpoint Agent -- Advertised installation is not supported.

Action ended 15:58:09: Action.BlockAdvertisedInstall. Return value 3.
Action ended 15:58:09: ADVERTISE. Return value 3.



What does "Advertised installation is not supported" mean?

Thanks,
Dom


0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 published

MSI (s) (C0:40) [15:58:25:224]: Doing action: InstallExecute
Action start 15:58:25: InstallExecute.
MSI (s) (C0:40) [15:58:25:230]: Running Script: C:\Windows\Installer\MSI9B72.tmp
MSI (s) (C0:40) [15:58:25:232]: PROPERTY CHANGE: Adding UpdateStarted property. Its value is '1'.
MSI (s) (C0:40) [15:58:25:238]: Note: 1: 2265 2: 3: -2147287035
MSI (s) (C0:40) [15:58:25:241]: Machine policy value 'DisableRollback' is 0
MSI (s) (C0:40) [15:58:25:245]: Note: 1: 2318 2:
MSI (s) (C0:40) [15:58:25:250]: Note: 1: 2318 2:
MSI (s) (C0:40) [15:58:25:255]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (C0:40) [15:58:25:258]: Executing op: Header(Signature=1397708873,Version=500,Timestamp=1419083596,LangId=1033,Platform=0,ScriptType=1,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)
MSI (s) (C0:40) [15:58:25:260]: Executing op: ProductInfo(ProductKey={79AFF87D-803F-4DC9-AEDA-C8638C5F59A2},ProductName=FireEye Endpoint Agent,PackageName=xagtSetup_34.28.0_universal.msi,Language=1033,Version=572260352,Assignment=1,ObsoleteArg=0,ProductIcon=FireEyeIcon,,PackageCode={6D700CD1-ED99-40D6-B440-839EFCAAC7BB},,,InstanceType=0,LUASetting=0,RemoteURTInstalls=0,ProductDeploymentFlags=3)
MSI (s) (C0:40) [15:58:25:263]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (C0:40) [15:58:25:266]: Executing op: DialogInfo(Type=1,Argument=FireEye Agent)
MSI (s) (C0:40) [15:58:25:268]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])

0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 rolled back

MSI (s) (C0:40) [15:58:25:271]: Executing op: SetBaseline(Baseline=0,)
MSI (s) (C0:40) [15:58:25:273]: Executing op: SetBaseline(Baseline=1,)
MSI (s) (C0:40) [15:58:25:275]: Executing op: ActionStart(Name=Action.ValidateUpgradeTargets,,)
MSI (s) (C0:40) [15:58:25:279]: Executing op: CustomActionSchedule(Action=Action.ValidateUpgradeTargets,ActionType=3073,Source=BinaryData,Target=ValidateUpgradeTargets,CustomActionData={B0EC6D16-4A31-40B4-AB9A-CFBAB4C49A29};{6B1873F7-707F-462D-87E3-6D2BB362EC2B})
MSI (s) (C0:40) [15:58:25:289]: Creating MSIHANDLE (37) of type 790536 for thread 6464
MSI (s) (C0:DC) [15:58:25:445]: Invoking remote custom action. DLL: C:\Windows\Installer\MSIA392.tmp, Entrypoint: ValidateUpgradeTargets

1 Vote
RahulJindal-2267 answered

[ValidateUpgradeTargets]: Installation aborted - multiple prior product versions have been detected.


Looks like the device may have older versions installed which the installer that you are trying to push is not able to upgrade or remove. If this is the case, then you may have to script this to remove the existing installed versions first. Grab the product codes or use wmic to nuke all the existing versions.

0 Votes
DucheminDominique-7551 answered DucheminDominique-7551 published

Hello,

I manually uninstalled the old version.
Rebooted the server.
The new installation failed again, with "Return value 3." appearing 4 times.


MSI (s) (D0!6C) [15:06:06:608]: Creating MSIHANDLE (93) of type 790531 for thread 1644
actions.dll: [ExeCmd]: Unable to create process 2
MSI (s) (D0!6C) [15:06:06:608]: Closing MSIHANDLE (93) of type 790531 for thread 1644
MSI (s) (D0!6C) [15:06:06:608]: Creating MSIHANDLE (94) of type 790531 for thread 1644
actions.dll: [InstallPlugin]: Failed to install the plugin from "C:\Program Files (x86)\FireEye\xagt\xagt.exe" -f "C:\ProgramData\FireEye\xagt\exts\PluginSource\AV\install.xml" -l DEBUG --disable-plugins --output C:\Users\rmppqx\AppData\Local\Temp\3\AVModule
MSI (s) (D0!6C) [15:06:06:608]: Closing MSIHANDLE (94) of type 790531 for thread 1644
MSI (s) (D0!6C) [15:06:06:623]: Creating MSIHANDLE (95) of type 790531 for thread 1644
actions.dll: [InstallPlugin]: Finished: 2
MSI (s) (D0!6C) [15:06:06:623]: Closing MSIHANDLE (95) of type 790531 for thread 1644
CustomAction Action.InstallAVPlugin returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (D0:D8) [15:06:06:623]: Closing MSIHANDLE (86) of type 790536 for thread 4208
Action ended 15:06:06: InstallExecute. Return value 3.



Rollback: Action.ValidateUpgradeTargets
MSI (s) (D0:70) [15:06:09:375]: Executing op: ActionStart(Name=Action.ValidateUpgradeTargets,,)
MSI (s) (D0:70) [15:06:09:375]: Executing op: End(Checksum=0,ProgressTotalHDWord=0,ProgressTotalLDWord=0)
MSI (s) (D0:70) [15:06:09:375]: Error in rollback skipped. Return: 5
MSI (s) (D0:70) [15:06:09:375]: Note: 1: 2318 2:
MSI (s) (D0:70) [15:06:09:390]: Note: 1: 2318 2:
MSI (s) (D0:70) [15:06:09:390]: No System Restore sequence number for this installation.
MSI (s) (D0:70) [15:06:09:406]: Unlocking Server
MSI (s) (D0:70) [15:06:09:406]: PROPERTY CHANGE: Deleting UpdateStarted property. Its current value is '1'.
Action ended 15:06:09: INSTALL. Return value 3.



MSI (s) (D0:70) [15:06:09:940]: Closing MSIHANDLE (1) of type 790542 for thread 4208
MSI (s) (D0:70) [15:06:09:940]: MainEngineThread is returning 1603
MSI (s) (D0:18) [15:06:09:956]: No System Restore sequence number for this installation.
MSI (s) (D0:18) [15:06:09:971]: User policy value 'DisableRollback' is 0
MSI (s) (D0:18) [15:06:09:971]: Machine policy value 'DisableRollback' is 0
MSI (s) (D0:18) [15:06:09:971]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (D0:18) [15:06:09:971]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D0:18) [15:06:09:987]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (D0:18) [15:06:09:987]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (s) (D0:18) [15:06:09:987]: Destroying RemoteAPI object.
MSI (s) (D0:BC) [15:06:09:987]: Custom Action Manager thread ending.
MSI (c) (7C:58) [15:06:10:003]: Back from server. Return value: 1603
MSI (c) (7C:58) [15:06:10:003]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (7C:58) [15:06:10:003]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is '1'.
Action ended 15:06:10: ExecuteAction. Return value 3.



MSI (c) (7C:58) [15:06:10:003]: Doing action: FatalError
Action 15:06:10: FatalError.
Action start 15:06:10: FatalError.
Action 15:06:10: FatalError. Dialog created
Action ended 15:06:11: FatalError. Return value 2.
Action ended 15:06:11: INSTALL. Return value 3.
MSI (c) (7C:58) [15:06:11:862]: Destroying RemoteAPI object.
MSI (c) (7C:60) [15:06:11:862]: Custom Action Manager thread ending.

=== Logging stopped: 4/22/2022 15:06:12 ===
MSI (c) (7C:58) [15:06:12:311]: Note: 1: 1708
MSI (c) (7C:58) [15:06:12:326]: Product: FireEye Endpoint Agent -- Installation failed.

MSI (c) (7C:58) [15:06:12:326]: Windows Installer installed the product. Product Name: FireEye Endpoint Agent. Product Version: 34.28.0. Product Language: 1033. Manufacturer: FireEye. Installation success or error status: 1603.

MSI (c) (7C:58) [15:06:12:326]: Grabbed execution mutex.
MSI (c) (7C:58) [15:06:12:326]: Cleaning up uninstalled install packages, if any exist
MSI (c) (7C:58) [15:06:12:326]: MainEngineThread is returning 1603
=== Verbose logging stopped: 4/22/2022 15:06:12 ===


Thanks,
Dom
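
A way to read the log above, as an added example that is not part of the original post: a failed action writes "Return value 3", and so does every enclosing action that aborts because of it, so only the first occurrence in a chain points at the real cause. The function name `root_failures` and the record fields are hypothetical; the sample is an excerpt of the lines quoted in this post, and an "Action ended" whose start is missing from the excerpt is assumed to enclose any earlier failure.

```python
import re

START = re.compile(r"^Action start \d+:\d+:\d+: (?P<name>.+)\.$")
ENDED = re.compile(r"^Action ended \d+:\d+:\d+: (?P<name>.+)\. Return value (?P<rv>\d+)\.$")
CA_ERR = re.compile(r"^CustomAction (?P<ca>\S+) returned actual error code (?P<code>\d+)")

# Constructed sample: excerpt of the verbose MSI log lines quoted in the post above.
SAMPLE_LOG = """\
MSI (s) (D0!6C) [15:06:06:608]: Creating MSIHANDLE (93) of type 790531 for thread 1644
actions.dll: [ExeCmd]: Unable to create process 2
MSI (s) (D0!6C) [15:06:06:608]: Closing MSIHANDLE (93) of type 790531 for thread 1644
actions.dll: [InstallPlugin]: Finished: 2
CustomAction Action.InstallAVPlugin returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 15:06:06: InstallExecute. Return value 3.
Action ended 15:06:09: INSTALL. Return value 3.
Action ended 15:06:10: ExecuteAction. Return value 3.
Action ended 15:06:11: FatalError. Return value 2.
Action ended 15:06:11: INSTALL. Return value 3.
"""

def root_failures(log_text, keep=5):
    """One record per originating 'Return value 3'; propagated ones are skipped."""
    lines = [l.strip() for l in log_text.splitlines()]
    started = {}        # action name -> index of its "Action start" line
    last_failure = -1   # index of the most recent "Return value 3" line
    found = []
    for i, line in enumerate(lines):
        if m := START.match(line):
            started[m["name"]] = i
            continue
        m = ENDED.match(line)
        if not m or m["rv"] != "3":
            continue
        begin = started.pop(m["name"], -1)    # -1: start is not in this excerpt
        propagated = last_failure > begin     # something inside this span already failed
        last_failure = i
        if propagated:
            continue
        # Drop installer-engine chatter ("MSI (...") and action bookkeeping; what is
        # left is what the failing custom action itself wrote before giving up.
        evidence = [l for l in lines[begin + 1:i]
                    if l and not l.startswith(("MSI (", "Action "))][-keep:]
        ca = next((c for l in evidence if (c := CA_ERR.match(l))), None)
        found.append({"action": m["name"],
                      "custom_action": ca["ca"] if ca else None,
                      "error_code": int(ca["code"]) if ca else None,
                      "evidence": evidence})
    return found

if __name__ == "__main__":
    for failure in root_failures(SAMPLE_LOG):
        print(failure)
```

Verbose MSI logs are usually written as UTF-16, so decode the file with that encoding before passing its text in.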

0 Votes
DucheminDominique-7551 answered

Hello,

Still trying to find a resolution...
Even running the msi by itself locally on the machine failed... not sure where the logs are!!!

Log Name: Application
Source: MsiInstaller
Date: 5/27/2022 9:40:57 PM
Event ID: 11708
Task Category: None
Level: Information
Keywords: Classic
User: AD\user
Computer: VITONESTAFFAP1.ad
Description:
Product: FireEye Endpoint Agent -- Installation failed.

Any idea?

Thanks,
Dom

0 Votes
Garth answered

Did you add the command to create the log file? If this is failing when you run it manually then you need to contact the vendor and ask them for help.
