
Endpoints Failing to Install New Update

Hello,

After receiving the new update (10.3.7 3.51) I have 100+ endpoints that are failing to uninstall the new software.  During the install process the old versions of the software are uninstalled, then when the install is starting they error out.  I'm receiving either an "Installation of Sophos AutoUpdate Failed [0x00000008]" error or an "A runtime error occurred. [0x00000062]" error.

From my testing, when this error occurs it's because the AutoUpdate folder that's created in either of the following locations has messed up permissions.  Basically, it won't allow anyone or anything to access it or delete it.  Those locations are:

C:\Program Files (x86)\Sophos\AutoUpdate  -or-  C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir

If I restart the PC with this problem and boot into Safe Mode, log in then out, the bad file is automatically deleted, restart into normal Windows and try the install again.  At that point everything installs correctly and there are no problems.  

I don't want to have to restart 100+ computers into safe mode if I don't have to; we need a better solution and soon because these computers with this problem are unprotected right now.  Thanks for anyone's help!

:50144


  • Do you guys use the K1000, K2000, or both?

    :50296
  • I'm not seeing the issue with new installs, just with failed updates.  I wouldn't expect to see the issue on a machine new out of the box.

    The first "fix" provided by Sophos was to add "Basic Authentication" to the Sophos IIS server.  That seemed to make future updates successful.  The issue however was that the damage was done by the failed update.  It's the machines that were left with only RMS that I'm having trouble getting correct again.

    We only use K1000 currently, though we have a K2000.  We use WDS for our imaging.  When I image a machine, with an image that had 10.3.1 on it, it is successfully updating after the "Basic Authentication" IIS fix.

    :50298
  • Hm interesting, I will have to look at that.  With our K1000 so far I haven't been able to get it to not install on a new build.  I used our K2000 to push the image, and installed the K1000 agent.  I'm letting the computer update now then I'll try pushing Sophos again just to be on the safe side that it isn't an update.  And I'm with you, the ones with the failed updates are the ones we seem to fight the most too.

    :50300
  • We have a K1000 and K2000.  I believe Sophos deploys fine on fresh installs but not the upgrades as you've stated.

    Ironically, one of our desktop support people was just troubleshooting deploying a KACE agent on a new laptop that already had Sophos pushed to it.  That could just be a coincidence, though.

    :50302
  • The update worked flawlessly on most of our systems (K1000 reports 295), but I still have 68 or so that have some combination of AV, Firewall, and RMS. Yes, RMS is installed on a couple, but it does them no good because they don't have anything else.

    Following Sophos support's instructions I uninstalled and reinstalled manually. After manually installing RMS and rebooting I couldn't see the PC on the network and couldn't get past Please Wait after entering my credentials. The firewall installer failed to start the services, and therefore couldn't install, either. A forced reboot couldn't get me to Ctrl/Alt/Del. Restoring to the point where it installed the Sophos Device Driver Package got me back on the network and logged on. Attempting to do a clean install from the console of course gives the same results. Still no further than everyone else on this thread, though. Been on hold waiting for Sophos support twice today for a total of about 50 minutes. They need more songs!

    :50304
  • So this is by no means a solution, but I thought I'd share.

    I just uninstalled Sophos manually (for like the 10th time).  Every time I've tried to uninstall, I got an error on the AutoUpdate about being unable to move folders, but it continues and disappears from add/remove programs.

    Once the product was uninstalled I tried to manually delete the Sophos folders located in Program Files and also ProgramData.  I could not delete them due to a permissions issue, nor could I take ownership of them.  This could be related to the fact that I just finished uninstalling and it wanted a reboot.

    I rebooted into safe mode and the folders were still there, but I was able to delete them.  I also deleted all the Sophos logs from C:\Windows\Temp and the folder "Sophos temp" from the same directory.  My logic was that maybe something leftover was making the PC/AutoUpdate think that it did not need the RMS component so it wasn't getting installed with a re-protect.

    With those folders gone, I rebooted into normal mode and did a push from the console and all of the components installed successfully.

    Again, this isn't very practical for those of us with 200+ endpoints not responding properly but I'm hoping I'll be able to isolate it down to remove some files/folders or changing permissions or something which could be automated, then allow for a successful reprotect.  There are definitely some strange permission things going on since it wouldn't even allow me to execute the Sophos Diagnostic Utility without manually giving myself permission to do so.

    :50308
  • Hello,

    I've not experienced this issue but would using GPO to set permissions on the "broken" directories help?

    Also, as another option, could you run cacls to fix it running as system, either via a startup script or by running psexec -s?

    Regards,

    Jak

    :50310
  • Based on so many of us here using Kace I removed the Kace Agent and Sophos, deleted Sophos from HKLM, rebooted, and manually installed from setup.exe. Setup installed the bare minimum so I then pushed the install from the console and everything is installed and working normally! Kace being a factor doesn't make any sense because we have so many systems that didn't have a problem. Now we just have to work out how to push this to so many systems.

    :50312
  • I went to an affected machine that was re-protected from the console but missing the RMS piece.  I deleted the RMS folders which gave me no issues so obviously the files were not in use and no services were registered.  I ran a protect again and it reinstalled the AV and AutoUpdate components but still no RMS.  I rebooted the PC and went into C:\ProgramData\Sophos\AutoUpdate\Cache and noticed it started populating it with files and folders.  I went into the RMS folder and tried to manually run "Sophos Remote Management Systems.msi" but it's failing with the error message "Error 1920.Service Sophos Agent (Sophos Agent) failed to start.  Verify that you have sufficient privileges to start system service".  I'm logged in as a domain administrator, but for some reason I'm still running into strange permissions issues.

    I am trying to isolate a way to reinstall the RMS component.  If you just re-protect all the computers and reinstall RMS somehow, I think everything would be fine.  For whatever reason, the upgrade cannot create and register these RMS services.  I'm going home for the night but I'll continue testing tomorrow unless Sophos gets back to me with a fix.  I haven't heard from them since my case was escalated either.

    :50316
  • OK, one last update.  I just re-ran the "Sophos Remote Management Systems.msi" from an administrator command prompt and it installed successfully, it appeared in add/remove programs and the services are listed and started.  The console seems to be able to see and communicate with the endpoint.

    So if you've tried to re-protect computers and you can get the AV & AutoUpdate to install, see if you have a "Sophos Remote Management Systems.msi" in C:\ProgramData\Sophos\AutoUpdate\Cache\rms then try to run it as an administrator and see if it fixes your client checking in.  This seems do-able with the script if the file is already pulled down to the clients but not executing properly.

    I am going to do some more tests to confirm.

    :50318
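
A read-only check for the condition described in this thread, as an added example that is not from any poster or from Sophos: it reports whether the two AutoUpdate paths named in the first post exist and can be read, and whether the RMS installer mentioned in the last post is in the cache. The function name and output fields are this example's own; it assumes it is run as SYSTEM or an administrator, so that an access failure reflects the folder's ACL and not the caller's rights.

```powershell
# Added example: read-only triage for the symptoms reported in this thread.
# The three paths are quoted from the posts; everything else is illustrative.
$autoUpdatePaths = @(
    'C:\Program Files (x86)\Sophos\AutoUpdate',
    'C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir'
)
$rmsInstaller = 'C:\ProgramData\Sophos\AutoUpdate\Cache\rms\Sophos Remote Management Systems.msi'

function Test-FolderAccess {
    # Hypothetical helper: tries to read the ACL and list the folder, records what fails.
    param([Parameter(Mandatory)][string]$Path)

    $report = [ordered]@{
        Computer    = $env:COMPUTERNAME
        Path        = $Path
        Exists      = Test-Path -LiteralPath $Path
        AclReadable = $false
        Owner       = $null
        Listable    = $false
        Error       = $null
    }
    if ($report.Exists) {
        try {
            $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
            $report.AclReadable = $true
            $report.Owner = $acl.Owner
        } catch {
            $report.Error = $_.Exception.Message
        }
        try {
            Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop | Out-Null
            $report.Listable = $true
        } catch {
            if (-not $report.Error) { $report.Error = $_.Exception.Message }
        }
    }
    [pscustomobject]$report
}

$results = foreach ($p in $autoUpdatePaths) { Test-FolderAccess -Path $p }
$results | Format-Table -AutoSize

# A folder that exists but cannot be read or listed matches the first post's description.
$blocked = @($results | Where-Object { $_.Exists -and -not ($_.AclReadable -and $_.Listable) })
"Blocked AutoUpdate folders: $($blocked.Count)"
"RMS installer present in cache: $(Test-Path -LiteralPath $rmsInstaller)"
```

The script changes nothing on the endpoint, so its output can be collected across machines to separate those with an inaccessible AutoUpdate folder from those that are only missing RMS.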