
Fixes to Trellix ePolicy Orchestrator Installation Errors

[Screenshot: ePO Pre-Installation Auditor tool]

The Trellix ePolicy Orchestrator (ePO) provides flexible, automated management capabilities that help you rapidly identify, manage, and respond to vulnerabilities, changes in security postures, and known threats from a single console. In this article, we shall discuss the various fixes to Trellix ePolicy Orchestrator Installation Errors. Please see How to install and Update Azure PowerShell on your Windows PC, Windows Defender detects Endpoint Security HipHandlers.dll, and Domain Naming System: Enabling DNS over TLS in Windows 11.

Note: When installing the ePO server, you will run into numerous issues that must be fixed before proceeding with the installation; otherwise, the installation will fail. Some of the Trellix logs are located in %temp%\TrellixLogs\. Here is a page on ePO known issues.

Please refer to these related articles. If you are having issues with your service account, I would advise testing your password using any of the steps discussed here: “Is my AD user account or service account password correct? How to run an App as a different User and switch Users in Windows“.

ePolicy Orchestrator Pre-Installation Auditor

The ePolicy Orchestrator Pre-Installation Auditor (PIA) tool was previously known as the installation and upgrade Precheck tool. It is a valuable utility that helps ensure a smooth installation or upgrade of ePolicy Orchestrator (ePO) in your environment.

The ePO PIA tool is bundled with the ePO installer starting in ePO 5.10.0.

Note: For the ePO 5.10.0 installer to use the latest ePO PIA tool, follow these steps: download the ePO PIA tool from one of the locations stated above, unzip it, and copy the executable to the folder containing the ePO installation files.

Various Fixes to Trellix ePolicy Orchestrator Installation Errors

The section below discusses some of the errors I have encountered when running the ePO PIA tool in preparation for an upgrade to a later version of ePO, or when installing ePO. During installation, the Pre-Installation Auditor runs automatically and validates the server condition.

The checks are passed if the server meets all requirements. If the tool flags a warning on a specific issue, you can rectify it and click Rerun. Once all checks have passed, click Finish.

You may want to see How to encrypt Microsoft SQL Server Traffic, and how to fix “An appropriate resource file could not be found for the file: The system can not find the file specified“.

Error 1: Pending File Rename

During the installation of the ePO server in my case, the PIA flagged an issue with a pending file rename. The tool inspects the registry key below to see whether anything is present. If the key has any values, one or more files have been flagged for a rename.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Solution

A simple restart fixes this issue on the ePO server. This action removes any values from the PendingFileRenameOperations registry key.
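To see exactly what the PIA is reacting to before you reboot, the following PowerShell script (an added example, not part of the article or the Trellix tool) reads the same registry value and lists each queued operation. It assumes only that the value, when present, is the usual REG_MULTI_SZ of source/destination pairs; the key path is the one named above.

```powershell
# Added example (not from the article): show what the ePO PIA "pending file rename"
# check sees by reading the same registry value it inspects.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'PendingFileRenameOperations'

$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
$pending = @()
if ($item -and $item.$valueName) { [string[]]$pending = $item.$valueName }

if ($pending.Count -eq 0) {
    Write-Host 'No pending file rename operations; the PIA check should pass.'
    return
}

# The value is REG_MULTI_SZ: entries come in pairs (source, destination).
# An empty destination means the source file is scheduled for deletion at reboot.
for ($i = 0; $i -lt $pending.Count; $i += 2) {
    $source = $pending[$i]
    $dest   = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
    $action = if ([string]::IsNullOrEmpty($dest)) { 'DELETE' } else { "RENAME -> $dest" }
    # Paths are stored with the NT prefix \??\ ; strip it for readability.
    Write-Host ("{0,-8} {1}" -f $action, ($source -replace '^\\\?\?\\', ''))
}

Write-Host "$([math]::Ceiling($pending.Count / 2)) operation(s) will be applied at the next reboot."
Write-Host 'Reboot the server, then re-run the PIA check.'
```

Knowing which files are queued is useful when the reboot does not clear the warning: a product whose installer re-queues renames on every start will keep tripping the check, and the listed paths show which product that is.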

Error 2: 8.3 Compliance

The ePO installation will be blocked when the installation path contains extended characters. The Installation Auditor tool will flag the ePO server as having the 8.3 naming convention disabled as shown below.

Note: ePO no longer requires the 8.3 naming convention to function properly, but many managed product extensions still use 8.3 paths.

[Screenshot: 8.3 compliance error]

Note: Before moving to the resolution, it is important to point out that an installation to a path that failed before 8.3 naming was enabled still fails to that same path. Point the installation to a new directory path, because 8.3 names are generated for that new path by default once the setting is enabled.

Running the command below when ePO is installed on another drive (for example, the “Z:\Drive”) did not work:

fsutil.exe 8dot3name set d: 0

[Screenshot: installation on drive D]

Solution

Here is the solution that worked for me to enable the 8.3 naming convention on the Z: or C: drive. Click Start > Run, type regedit, and click OK. Navigate to, and select, the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Right-click NtfsDisable8dot3NameCreation and select Properties or Modify (depending on your version of Windows).

Modify the Value data from 1 to 0. NOTE: On Windows Server 2008, the default value is 2. You must change it to 0.

Restart your computer. Now, you can install ePO to a new directory.

To verify that the 8.3 naming convention is enabled on the drive, click Start > Run, type cmd, and click OK. Type the following command and press Enter:

dir /x

You will see that folders now have a column of short names, for example Progra~1 for Program Files. Type exit and press Enter.
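The registry value and the per-volume state can also be audited from PowerShell before touching anything. The script below is an added example (not from the article) that decodes NtfsDisable8dot3NameCreation, queries the volume that will hold ePO with fsutil, and shows the same dir /x verification; the install path Z:\Trellix\ePO is an assumed placeholder, and the write operations are left commented out because they need an elevated session and a reboot.

```powershell
# Added example (not from the article): audit the 8.3 short-name setting that the
# ePO PIA "8.3 compliance" check depends on, then confirm per volume with fsutil.
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$value = (Get-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation).NtfsDisable8dot3NameCreation

# Meaning of the value, as documented by Microsoft for "fsutil 8dot3name set".
$meaning = switch ($value) {
    0 { 'enabled on all volumes (what the PIA expects)' }
    1 { 'disabled on all volumes' }
    2 { 'decided per volume (the default on newer Windows versions)' }
    3 { 'disabled on all volumes except the system volume' }
    default { "unknown value $value" }
}
Write-Host "NtfsDisable8dot3NameCreation = $value : 8.3 name creation is $meaning"

# Check the specific volume the ePO installation path will live on.
$installPath = 'Z:\Trellix\ePO'   # assumption: replace with your intended ePO folder
$volume = [System.IO.Path]::GetPathRoot($installPath).TrimEnd('\')   # e.g. 'Z:'
fsutil 8dot3name query $volume

# To enable it (elevated prompt, then reboot): value 0 in the registry is the change
# the article makes; fsutil with 0 does the same per volume.
# Set-ItemProperty -Path $fsKey -Name NtfsDisable8dot3NameCreation -Value 0
# fsutil 8dot3name set $volume 0

# After the reboot, the article's 'dir /x' check: folders created from now on get a
# short name; folders that existed before do not, which is why a new install path is needed.
cmd /c dir /x $volume
```

Because short names are only assigned at creation time, the dir /x listing on an old folder will stay blank even after the setting is correct; that matches the article's advice to install into a fresh directory rather than retrying the one that failed.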

Supported TLS Protocols

Transport Layer Security (TLS) is a cryptographic protocol for secure communication. Several known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of Transport Layer Security (TLS).

Trellix (formerly McAfee) recommends that you enable TLS 1.1 and TLS 1.2 for secure communication. Refer to Microsoft's guidance for information about enabling TLS 1.2 on Microsoft SQL Server.

Note: If you disable TLS 1.2, you will run into issues and will not be able to connect via RDP to the SQL Server.

[Screenshots: TLS certificate error and Trellix TLS error]

Solution

The easiest method to enable TLS 1.1 or 1.2 on an operating system is to use IIS Crypto. IIS Crypto is a free tool that lets you change the TLS protocol and cipher settings on a Microsoft operating system.

You can use the IISCrypto tool to determine which TLS and SSL client and server protocols are enabled and how to modify them. This tool also lets you enable or disable various cipher suites. However, doing this incorrectly can break existing applications in the environment as mentioned above.

Note: You may want to back up the Windows Registry before proceeding. Here is how to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO.

Download IIS Crypto

Please proceed to the following website to download this tool.

I will download the IIS Crypto Tool with the UI.

Click Best Practices, then click Apply and, when prompted, click OK. You can also choose to reboot immediately after clicking Apply.

[Screenshot: IIS Crypto, Apply Best Practices]

As recommended by Trellix, I will also disable TLS 1.0 to avoid the use of this protocol, which can cause compatibility issues as well as security issues.

Enable TLS 1.2

Since the installation failed, I had to check the registry and found TLS 1.1 enabled correctly but TLS 1.2 was not. I had to set this correctly using the registry key below.

[Screenshot: TLS 1.2 enabled for client]

As you can see below, we have enabled TLS 1.2 for our server.

[Screenshot: TLS 1.2 enabled via the registry]
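The registry values that IIS Crypto edits, and that the screenshots above show, live under the Schannel Protocols key with a separate Client and Server subkey for each protocol version. The following PowerShell is an added example (not the article's or Trellix's code) that reports the state of TLS 1.0, 1.1 and 1.2 for both sides and provides a function that creates the TLS 1.2 keys with Enabled=1 and DisabledByDefault=0. It assumes nothing beyond those documented Schannel value names; applying the change needs an elevated session and a reboot.

```powershell
# Added example (not from the article): audit and enable TLS 1.2 for the Client and
# Server side through the Schannel registry keys that IIS Crypto also edits.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol)   # e.g. 'TLS 1.2'
    foreach ($side in 'Client', 'Server') {
        $key   = Join-Path $base "$Protocol\$side"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            KeyExists         = [bool]$props
            Enabled           = if ($props) { $props.Enabled } else { $null }
            DisabledByDefault = if ($props) { $props.DisabledByDefault } else { $null }
        }
    }
}

# An absent key means "operating system default", which is why a check can report
# TLS 1.2 as not explicitly enabled even though nothing was deliberately switched off.
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelProtocolState $_ } | Format-Table -AutoSize

function Enable-Tls12 {
    # Requires an elevated session; the change takes effect after a reboot.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "TLS 1.2\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled           -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
    }
}
# Enable-Tls12   # uncomment to apply, then reboot and re-run the PIA
```

Run the audit part again after the reboot: both TLS 1.2 rows should show Enabled 1 and DisabledByDefault 0. Leaving TLS 1.0 and 1.1 untouched here is deliberate, since the article's warning about breaking RDP or SQL connectivity applies to disabling protocols, not to enabling 1.2.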

If you have Windows Firewall temporarily disabled and the PIA checks are fine, you can proceed with the ePO installation. You have to install MSSQL first.

Just ensure that the Pre-Installation Auditor flags are fixed. The checks are passed if the server meets all requirements. If the tool flags a warning on a specific issue, you can rectify it and click Rerun. Once all checks have passed, click Finish.

Disable Windows Firewall

If you do not disable your firewall, you will run into numerous issues, because some dynamic ports needed during the ePO installation will not be open. Below is an error message showing the install package being cleaned up when there are port/firewall issues.

Produkt: Trellix ePolicy Orchestrator (Service Pack 1) -- Installation fehlgeschlagen.

Windows Installer installed the product. Product Name: Trellix ePolicy Orchestrator (Service Pack 1). Product Version: 5.10.0. Product Language: 1031. Manufacturer: Musarubra US LLC.. Installation success or error status: 1603.

MSI (c) (C8:94): Grabbed execution mutex.
MSI (c) (C8:94): Cleaning up uninstalled install packages, if any exist
MSI (c) (C8:94): MainEngineThread is returning 1603
=== Verbose logging stopped: ===

Cleaning up the installed package is also referred to as rollback. Rolling back action during installation refers to the process of undoing the changes made by the installation in case of an error or a cancellation.

Note: If the installation uses a custom action that makes system changes, a corresponding rollback action should be created. A rollback action is executed only during an installation rollback.

More on Installation failing and rolling back

For the install logs, look in C:\ProgramData\Trellix\ePolicy Orchestrator\InstallLogs. A 1603 error is a generic Microsoft MSI error code that appears during an installation or upgrade of any product.

The 1603 code on its own cannot identify the cause; other logs and symptoms help investigate and resolve the issue. This error is particularly tricky and requires a great deal of effort to troubleshoot and resolve.

Here are a few reasons why you may be getting Error 1603 in Windows:

  • The program already exists on the PC. If the program you are trying to install is already on the PC, you may receive Error 1603, especially on MSI.
  • Missing permissions: Often, the folder where the program is to be saved is missing access permissions, and the files can’t be installed.
  • The target folder is encrypted: In some cases, users later realized that the folder where the program files were to be saved was encrypted, which triggered Error 1603.
  • Security software blocking the installation: Antivirus or other similar security software may prevent the program’s installation. You need to disable or uninstall the software to fix this.
  • A failed installation can leave traces of files, which can result in this error.

As mentioned above, disable your third-party antivirus solution and Windows Firewall temporarily to get past this installation error. You may find in the log a similar error, “ePO Application Server Service (Tomcat) shuts down shortly after starting due to a port conflict“. But since we do not have ePO running, this solution cannot help us.
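Because 1603 is generic, the practical way to use the verbose log in the InstallLogs folder is to find the first action that returned 3 (Windows Installer's "failure" return value) and read the lines just before it. The script below is an added example, not the article's or Trellix's tooling: it implements that search, and the log lines it runs against are constructed in the shape of a Windows Installer verbose log, including an invented custom action name, CA_OpenFirewallPorts, chosen only to illustrate the firewall/port scenario above.

```powershell
# Added example (not from the article): narrow a generic 1603 down to the failing
# action by scanning a verbose MSI log for the first "Return value 3".
$logDir = 'C:\ProgramData\Trellix\ePolicy Orchestrator\InstallLogs'   # path from the article

function Find-MsiFailure {
    param([string[]]$Lines)
    $result = [ordered]@{ Status1603 = $false; FailingAction = $null; FailureLine = $null; Context = @() }
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'returning 1603|error status: 1603') { $result.Status1603 = $true }
        if (-not $result.FailureLine -and $Lines[$i] -match 'Return value 3') {
            $result.FailureLine = $Lines[$i]
            # The action name is on the nearest preceding "Action start" or "Doing action" line.
            for ($j = $i; $j -ge 0; $j--) {
                if ($Lines[$j] -match '(?:Action start [\d:]+: |Doing action: )([^\s.]+)') {
                    $result.FailingAction = $Matches[1]
                    break
                }
            }
            # Keep a few lines of context: custom-action output usually sits right here.
            $start = [math]::Max(0, $i - 5)
            $result.Context = $Lines[$start..$i]
        }
    }
    [pscustomobject]$result
}

# Constructed sample lines (not a real ePO log) in the shape of a verbose MSI log.
$sample = @(
    'MSI (s) (A4:10) [10:21:03:115]: Doing action: CA_OpenFirewallPorts'
    'Action start 10:21:03: CA_OpenFirewallPorts.'
    'CustomAction CA_OpenFirewallPorts returned actual error code 1603'
    'Action ended 10:21:04: CA_OpenFirewallPorts. Return value 3.'
    'Action ended 10:21:05: INSTALL. Return value 3.'
    'MSI (c) (C8:94): MainEngineThread is returning 1603'
)
Find-MsiFailure -Lines $sample | Format-List

# Against the real log: pick the newest file in the install-log folder.
# $latest = Get-ChildItem $logDir -Filter *.log | Sort-Object LastWriteTime | Select-Object -Last 1
# Find-MsiFailure -Lines (Get-Content $latest.FullName) | Format-List
```

On the sample input the script reports FailingAction CA_OpenFirewallPorts with Status1603 set, which is the kind of pointer that turns "error 1603" into "the firewall/port custom action failed". The later "INSTALL. Return value 3" line is ignored on purpose: only the first failure is the cause, the rest is the rollback described above.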

Arithmetic Enabled

You can ignore this error and restart if this is a new installation as there is no ePO database yet. If there is an ePO database already, follow the instructions to fix it.

[Screenshot: Arithmetic Abort warning]

Default database

Note: ePO does not need the default database of the account used to access SQL for anything, but the install process tries to open it to test connectivity. Make sure the default database for the account used to access SQL is correct and accessible.

Open SQL Server Management Studio.
- Expand Security > Logins and locate the account used by ePO.
- Right-click the account and select Properties.

NOTE: The default database setting is at the bottom of the General page.

If the default database setting is blank, no default database is defined. Open the drop-down list and select a default database (master in my case).

If a default database is defined for the account:
- Verify that the database is available and accessible, and that the logon account has permissions to access it.
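The same check can be done without Management Studio, and in a way that reproduces what the installer's connectivity test actually does: open a connection as the ePO login without naming a database, so the default database is the one that must open. The script below is an added example (not the article's or Trellix's code). SQLSERVER01\EPO and svc_epo are assumed placeholders; it uses the .NET SqlClient that ships with Windows PowerShell, and the last query rests on the assumption that the "Arithmetic" warning in the section above refers to the ARITHABORT database option, which only applies once an ePO database exists.

```powershell
# Added example (not from the article): check the default database of the SQL login
# ePO uses, then repeat the installer's own connectivity test as that login.
$sqlInstance = 'SQLSERVER01\EPO'   # assumption: your SQL Server instance
$epoLogin    = 'svc_epo'           # assumption: the SQL login used by ePO

function Invoke-Query {
    param(
        [System.Data.SqlClient.SqlConnection]$Connection,
        [string]$Sql,
        [hashtable]$Parameters = @{}
    )
    $Connection.Open()
    try {
        $cmd = $Connection.CreateCommand()
        $cmd.CommandText = $Sql
        # Parameterised, so the login name never gets spliced into the SQL text.
        foreach ($name in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name]) }
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return $table
    } finally { $Connection.Close() }
}

# Encrypt=True means the server certificate must be trusted by this machine
# (see the article's link on encrypting SQL Server traffic).
$adminConn = New-Object System.Data.SqlClient.SqlConnection "Server=$sqlInstance;Database=master;Integrated Security=True;Encrypt=True"

# 1. What is the login's default database, and is that database online?
Invoke-Query $adminConn @"
SELECT p.name, p.default_database_name, d.state_desc
FROM sys.server_principals AS p
LEFT JOIN sys.databases AS d ON d.name = p.default_database_name
WHERE p.name = @login;
"@ @{ '@login' = $epoLogin } | Format-Table -AutoSize

# 2. Repeat the installer's test: connect as the login with no database named, so the
#    default database is what gets opened. A failure here reproduces the PIA error.
$pw = Read-Host "Password for $epoLogin" -AsSecureString
$pw.MakeReadOnly()   # SqlCredential requires a read-only SecureString; no plaintext copy is made
$loginConn = New-Object System.Data.SqlClient.SqlConnection "Server=$sqlInstance;Encrypt=True"
$loginConn.Credential = New-Object System.Data.SqlClient.SqlCredential($epoLogin, $pw)
try {
    Invoke-Query $loginConn 'SELECT DB_NAME() AS opened_database;' | Format-Table -AutoSize
} catch {
    Write-Warning "Connectivity test failed: $($_.Exception.Message)"
    Write-Warning "Fix in SSMS or with:  ALTER LOGIN [$epoLogin] WITH DEFAULT_DATABASE = [master];"
}

# 3. Assumption: the PIA "Arithmetic" warning concerns ARITHABORT on an existing ePO database.
#    On a brand-new installation there is no database yet, so this returns nothing.
Invoke-Query $adminConn @"
SELECT name, is_arithabort_on FROM sys.databases WHERE name LIKE 'ePO%';
"@ | Format-Table -AutoSize
```

If step 1 shows a state_desc other than ONLINE, or NULL because the database no longer exists, step 2 will fail the same way the installer does; repointing the login's default database to master, as the article does, makes the test pass without giving the account any access it did not already have.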

FAQs relating to Fixes to Trellix ePolicy Orchestrator Installation Errors

Does SQL Server 2019 allow connections using TLS 1.0 or 1.1, or only 1.2?

SQL Server 2019 has the same level of support as SQL Server 2016 and SQL Server 2017, and SQL Server 2019 supports older versions of TLS. SQL Server 2019 RTM is shipped with TLS 1.2 support, and no other update or fix is required to enable TLS 1.2 support.

Are customers who aren’t using SSL/TLS affected if SSL 3.0 and TLS 1.0 are disabled on the server?

Yes. SQL Server encrypts the username and password during login even if a secure communication channel isn’t used. This update is required for all SQL Server instances that don’t use secure communications and that have all other protocols except TLS 1.2 disabled on the server.

Is TDS affected by known vulnerabilities?

No known vulnerabilities have been reported for the Microsoft TDS implementation. Because several standards-enforcement organizations are mandating the use of TLS 1.2 for encrypted communication channels, Microsoft is releasing support for TLS 1.2 for the widespread SQL Server installation base.

I hope you found this article discussing the “various Fixes to Trellix ePolicy Orchestrator Installation Errors” very useful. Please feel free to leave a comment below.
