Fix MSIEXEC returned 1602: Trellix Setup cannot use this account

In this article, we will discuss “(installation cancelled) – Fix MSIEXEC returned 1602: Trellix Setup cannot use this account”. Because of the multiple errors encountered during the re-installation of Trellix ePolicy Orchestrator (ePO) in my lab, I have decided to show all relevant errors in this blog post. These are also fixes to common Trellix ePolicy Orchestrator errors that you might encounter during installation. Please see how to upgrade Trellix ePolicy Orchestrator.
It’s best to run the Trellix ePO installer and let the Pre-Installation Auditor surface any issues for remediation. For example, enabling FIPS mode isn’t necessary unless FIPS 140-2 compliance is explicitly required. Doing so may break application compatibility.

Also, see how to Fix the “Windows Installer Service Could Not Be Accessed” Error While Installing an Application, and “ePO Server Settings: Trellix ePO AD integration and ENS Agents Installation”.
Other Errors found in the Trellix Installation Log
Below are some errors that might help you resolve the issue “MSIEXEC returned 1602 (Installation Cancelled). Setup cannot use this account”.
IDS_TLSError = The attempt to establish a test connection with the SQL server "%s" failed. The SQL server used by Trellix ePO must support secure communication with TLS 1.1 or 1.2. For more information, see KB 90222.
Property(C): INSTALLLEVEL = 100
Property(C): GRPermSetName = Global validator
Property(C): IDS_1024BitKeyError = Setup cannot establish a secure connection to SQL server "%s". To resolve this issue, you will need to upgrade your SSL/TLS certificate on the "%s" system. Then try again. Further information can be found in KB 87731.
Property(C): IDS_PrivateKeyLengthError = This server cannot be upgraded due to insufficient private key length for the root CA certificate. Contact Trellix ePO support for assistance.
To resolve these, I used IIS Crypto to disable unsupported or deprecated protocols and cipher suites. After unchecking legacy protocols (like SSL 2.0, SSL 3.0, and TLS 1.0), the installation errors were cleared.
This also ensured that the Schannel registry key was correctly present and configured to support strong cryptographic settings.
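A read-only way to confirm what the Schannel protocol keys actually contain after such a change, added here as an example and not taken from the original post. It assumes the standard Schannel Protocols registry layout with a Server and a Client subkey per protocol; the function name is illustrative.

```powershell
# Added example: read-only audit of the Schannel protocol keys (changes nothing).
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy   = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'   # protocols the article unchecked
$required = 'TLS 1.1', 'TLS 1.2'              # protocols named in IDS_TLSError

function Get-SchannelState {
    param([string]$Protocol, [string]$Role)
    $key   = Join-Path $base "$Protocol\$Role"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key or value is NOT "disabled": Windows falls back to its built-in default.
    if ($null -eq $props -or $null -eq $props.Enabled) { return 'OsDefault' }
    # Enabled is a DWORD: 0 disables, any non-zero value (1 or 0xffffffff) enables.
    if ($props.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$report = foreach ($protocol in $legacy + $required) {
    foreach ($role in 'Server', 'Client') {
        $state = Get-SchannelState -Protocol $protocol -Role $role
        $finding = if ($protocol -in $legacy) {
            switch ($state) {
                'Disabled'  { 'OK' }
                'Enabled'   { 'Legacy protocol explicitly enabled' }
                'OsDefault' { 'Not set explicitly; depends on the Windows version' }
            }
        } elseif ($protocol -eq 'TLS 1.2' -and $state -eq 'Disabled') {
            'TLS 1.2 disabled; the SQL test connection needs TLS 1.1 or 1.2'
        } else { 'OK' }
        [pscustomobject]@{ Protocol = $protocol; Role = $role; State = $state; Finding = $finding }
    }
}
$report | Format-Table -AutoSize
```

Run it on both the ePO server and the SQL Server host, since the test connection involves the Schannel settings of each side.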

Please, see Why you should not Upgrade Windows on an ePO Server, Trellix ePO On-prem 5.10.0 Service pack 1 Update 3 upgrade, and “ePO Application Server Service (Tomcat) shuts down shortly after starting due to a port conflict”.
Trellix Setup could not run with the specified User Account
Unfortunately, there may not be a straightforward explanation for this error. Although I have installed ePO multiple times before, these particular errors are completely new.

As shown below, the installation history indicates that msiexec returned error code 1602 (installation cancelled).
While the meaning of this error is well understood, it does not point to a specific cause, making it difficult to pinpoint the exact issue. The guide “Windows Installer Error Messages (for Developers)” has no remark on it.

Installer error codes from 1000 to 1999 represent predefined issues that the developers have explicitly included in the installation package. These error codes correspond to detailed messages stored in the Error table, ensuring users receive clear explanations when these problems occur.

Please see how to fix “Setup is unable to access the SQL UDP Port 1434 on the specified SQL Server”, and how to Install SQL Server Management Studio 21 on Windows Server.
Fix the SQL Server Network Interface could not register the Service Principal Name (SPN)
Since there was nothing evident in the “EPO Install MSI Log” available at ‘C:\ProgramData\Trellix\ePolicy Orchestrator\InstallLogs’, I had to launch the Windows Event Viewer for further diagnostics.

Then I found the following error: ‘SQL Server Network Interface could not register the Service Principal Name (SPN)’.

Create SPN
When SQL Server starts, it tries to automatically register a Service Principal Name (SPN) in Active Directory. This SPN lets clients use Kerberos authentication to connect securely. However, the service account running SQL Server must have permission to write SPNs in Active Directory. If the account lacks these permissions, SQL Server cannot create the SPN automatically.
Therefore, I attempted the installation with an account that has the desired permission, and it went through. I then cancelled the Trellix ePO installation and manually created the SPN as shown below. This explicitly creates the SPN on behalf of the service account.
setspn -A MSSQLSvc/yourserver.domain.com:1433 DOMAIN\SQLServiceAccount

Note: You could also delegate SPN registration rights. You can do this by granting the SQL Server service account the “Write servicePrincipalName” permission on its computer object in Active Directory.
To learn more about SPNs, please see Service Principal Name: How to add or reset and delete SPNs.
Verify SPN Exists
After creating the SPN, you should verify that it was successfully registered. It is also important to check whether the SPN already exists before creating it, to avoid conflicts, especially if the SPN is already registered to another account, which can cause authentication failures.
setspn -L DOMAIN\SQLServiceAccount
As you can see below, the Service Principal Name (SPN) exists.

Now you can proceed and flush DNS and Kerberos tickets with the commands shown below. This is because the system or service account might still be caching the old authentication path.
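An added example (not from the original post) that puts the check-before-create advice and the flush step above into one script. It looks up the current owner of the SPN through an LDAP query, registers it only when no owner exists, and clears the caches on request; the SPN and account are the article's placeholders, and the function and switch names are illustrative.

```powershell
# Added example: read-only unless -Register or -FlushCaches is passed.
param(
    [string]$Spn     = 'MSSQLSvc/yourserver.domain.com:1433',  # placeholder from the article
    [string]$Account = 'DOMAIN\SQLServiceAccount',             # placeholder from the article
    [switch]$Register,
    [switch]$FlushCaches
)

function Find-SpnOwner {
    param([string]$Spn)
    # Escape LDAP filter metacharacters (RFC 4515) before building the filter.
    $escaped  = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    # Searches the current domain only; SPNs must be unique forest-wide (see setspn -F -Q).
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

$expected = $Account.Split('\')[-1]          # account name without the domain prefix
$owners   = @(Find-SpnOwner -Spn $Spn)

if ($owners.Count -eq 0) {
    Write-Output "$Spn is not registered."
    if ($Register) { setspn -S $Spn $Account }   # -S re-checks for duplicates before adding
} elseif ($owners.Count -eq 1 -and $owners[0] -eq $expected) {
    Write-Output "$Spn is already registered to $expected; nothing to add."
} else {
    Write-Warning "$Spn is held by: $($owners -join ', '). Resolve the conflict before registering."
}

if ($FlushCaches) {
    ipconfig /flushdns       # drop cached DNS answers
    klist purge              # Kerberos tickets of the current logon session
    klist -li 0x3e7 purge    # tickets of the LocalSystem session (needs elevation)
}
```

Without switches the script only reports who holds the SPN, so it is safe to run before deciding whether to register anything.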

Please, see “Service Principal Name: How to add, reset and delete SPNs”, and how to fix “Unable to locate the account: Fix call to DsGetDcNameWithAccount failed with return value 0x0000054B”.
Grant Service Account logon Rights
Note: A service account is used to run services or applications on Windows; in our case, SQL Server or any other server processes. For the service to start and operate properly, the account it runs under must have the right to log on to the system.
Ensure that the service account is assigned to run the SQL Server service. You can configure this using SQL Server Configuration Manager or the Services console (services.msc), as demonstrated below.

Launch the Services console and scroll down to find SQL Server (MSSQLSERVER) or your named instance if different.
Right-click the service and select Properties. Go to the Log On tab, and select This account. Then enter the service account name: “DOMAIN\ServiceAccount”. Enter the password and confirm it.

When complete, restart the service.

Please, see how to Install SQL Server Management Studio 21 on Windows Server, and how to Install Windows Server 2025 via iDRAC Virtual Media or PXE.
Add service Account to Local Administrator Group
Some services or applications require elevated privileges to perform certain actions such as accessing protected system resources, modifying registry settings, or installing drivers.
Adding the service account to the Local Administrators group grants it these elevated rights on that specific machine, as was required in this case; otherwise, the Trellix ePO installation will fail.
To do this, launch Computer Management and navigate to Local Users and Groups. Click on Groups and, on the right-hand side, double-click on Administrators. Here you can add the service account.

As you can see, when all of these were done, the Trellix ePO installation succeeded. Here is a guide on Trellix ePolicy Orchestrator Installation on Windows Server.

I hope you found this guide useful on “Fix MSIEXEC returned 1602: Trellix Setup cannot use this account”. Please, feel free to leave a comment below.