7

MDI Install Error 0x80070643 Windows Server 2019

Install the Microsoft Defender for Identity (MDI) sensor onto a newly built DC?  Easy you say, and that should only take 5 minutes.   Well, if that was the case there would be no need for this post, and as my Dad would say, there is no such thing as a 5 minute job.

The below is a brand new Windows Server 2019 DC.  It was built, fully patched and then promoted.  Next up is to install the standard Microsoft Defender components, in this case the Microsoft Defender for Identity (MDI) sensor was installed first.  That did not go so well, and we got error 0x80070643.

MDI Sensor Install Fail On Windows Server 2019 DC - Error 0x80070643

The server would show up briefly in the MDI Console, as the sensor tried to install, and then disappear as the install was backed out since it failed.

You can see that in the animated GIF below. Maybe play this song as you watch it?

MDI Sensor Install On Windows Server 2019 DC - Hello Then Goodbye!

Clicking the view logs link in the install screen takes us to the %TEMP% location for my account, since it is running under my context.  The full path is:

C:\Users\%UserName%\AppData\Local\Temp

Where we can see these three log files.

MDI Sensor Install Logs Running In User Context

Error codes were visible, but no real data as to what caused it and a root cause.

For example from the Sensor setup log we can see the error 0x80070643

[19D0:1E80][2022-02-02T14:56:47]i301: Applying execute package: MsiPackage, action: Install, path: C:\ProgramData\Package Cache\{71F587F0-93D5-47EE-A7BE-A47459662585}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi, arguments: ' ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7" ACCESSKEY="*****" InstallationPath="C:\Program Files\Azure Advanced Threat Protection Sensor" InstalledVersion="" PROXYCONFIGURATION="*****" WixBundleOriginalSourceFolder="S:\Source\MDI Install Package\Azure ATP Sensor Setup\"'
[19D0:1E80][2022-02-02T14:57:02]e000: Error 0x80070643: Failed to install MSI package.
[19D0:1E80][2022-02-02T14:57:02]e000: Error 0x80070643: Failed to execute MSI package.
[1854:2214][2022-02-02T14:57:02]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[1854:2214][2022-02-02T14:57:02]i000: 2022-02-02 14:57:02.5752 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]
[1854:2214][2022-02-02T14:57:02]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
[1854:2214][2022-02-02T14:57:02]e000: Error 0x80070643: Failed to execute MSI package.

At the end of Deployer Log, an EventLogException Deployer failed message was logged.  A couple of interesting things are highlighted.

Error EventLogException Deployer failed [arguments=ZBCwFTnuF52g2nKKvNKOdQ==]
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at void System.Diagnostics.Eventing.Reader.EventLogException.Throw(int errorCode)
at void System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSaveChannelConfig(EventLogHandle channelConfig, int flags)
at bool Microsoft.Tri.Sensor.Deployment.Deployer.ConfigureVirtualServiceAccountAction.ApplyInternal()
at void Microsoft.Tri.Sensor.Common.DeploymentAction.Apply(bool suppressFailure)
at void Microsoft.Tri.Sensor.Common.DeploymentActionGroup.Apply(bool suppressFailure)
at int Microsoft.Tri.Sensor.Deployment.Deployer.Program.Main(string[] commandLineArguments)

 

This is interesting as it is an unauthourized access statement. If your audit policy is set to include failures, you will see an audit failure associated to the install.  The Event log shows an Audit Failure getting the “Act as part of the operating system” (SeTcbPrivilege) privilege

 

The account running this is a full EA.  Why?

Well this is a known issue on Windows Server 2019 with KB 5009557 installed.

The Windows update broke event viewer permissions to standard admin accounts.

The current workaround is to install the sensor in system context using either:

  • PsExec -s to execute in system context
  • Scheduled task set to run as LocalSystem

 

In the example below we will use PsExec.

 

Adding All The Permissions

This is an example of where the Sysinternals tools can be useful (yet again!).

To elevate to system context we can use PSExc.exe from the Sysinternals suite.  Personally I prefer the https://live.sysinternals.com site to just grab what is needed.

PSExec was downloaded onto the system and it could be used as a one-liner or interactively.

Since we are installing using the command line, the Defender for Identity Silent option was used.

The syntax is:

"Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="<Access Key>"

In the example below, note that the AccessKey is redacted.  It was also changed prior to publishing this post.

Using PsExec To Install MDI Sensor In LocalSystem Context On Windows Server 2019

If you would prefer to run the command in an interactive manner, just launch a new cmd.exe process using PsExec as shown below.

Spawn System Context CMD Prompt Using PsExec

The spawned CMD window will launch, and to prove that we are in system context, a WhoAmI was used prior to running setup.

Using PsExec To Install MDI Sensor In LocalSystem Context On Windows Server 2019 - Interactive Using Previously Spawned CMD Prompt

Now that the sensor is finally installed, we can see it on the dashboard.

MDI Sensor Installed On Windows Server 2019 DC - Yay!

Assorted Troubleshooting Things

This post focusses on a particular issue with MDI and Windows Server 2019, but this is not the first time that error code has surfaced.  There are multiple issues which may cause an error code such as this.

Some of the other MDI troubleshooting steps that I've used on other cases include:

  • Elevated cmd prompt - to mitigate UAC issues
  • Verified gMSA - ensure new DC has access to the credential
  • Clear kerberos ticket cache if new machine added to gMSA
  • Chckdsk & SFCScan – ran full check and scan
  • Eliminate CBS corruption – DISM scan performed
  • .NET Framework – Repair performed
  • PCAP – manually installed.  Same issue
  • Re-Downloaded install package – install package not a corrupt download
  • Access key is correct

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

7 Comments

  1. Hi,
    I was having the same problem and was reading your article for solutions.

    When ever I try to run the Silent option command " "Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="" ",
    I get the following message: "Azure ATP sensor Setup.exe"' is not recognized as an internal or external command, operable program or batch file.

    Do you have any idea why this occured by any chance?

    Thank you in advance,

      • Hi,
        I used CMD when this happened
        However, I retried again and the installation went fine without using the script. (error 0x80070643 didnt pop up)

        Not sure what the cause was..

        Not sure what the problem was..

        • I suspect that would likely be a path issue, where it is not finding the package. SysInternals process monitor should show that, but since its good no need to worry this time.

          PowerShell has the requirement to always fully qualify the path which is why I asked about that. Even if you change to the folder with the package you need to use the .\ prefix.

          Cheers,
          Rhoderick

  2. Thank you very much, i have installed the agent as per your guide and the installation completed successfully.

Leave a Reply

Your email address will not be published. Required fields are marked *