Installation could not be started - Error code 80072afc

https://docs.sophos.com/esg/enterprise-console/tools/deployment_guide/en-us/index.html is one source of information that may help you.

The account you specify in the SEC Deployment Wizard needs to be an admin on the client.  I.e if you're using a user which is a member of domain admins, then domain admins group should be a member of the local administrators group on the client.  Does this all resolve as a basic test.

Other tests include:

1. Is the Remote Registry Service running on the client?

Running Regedit.exe as the deployment user say on the SEC server should be able to connect to the client and you should be able to access keys under say, HKLM\software\

2. Is the Task scheduler service running on the client?

3. Logged on to a client (preferably the SEC server as the deployment user) can you browse to:
\\remoteclient\C$\
Can you access the administrative shares?

4. Firewall considerations at the client side should also be considered but the above tests check most of the requirements.  Aside from allowing TCP 8194 incoming on the client for RMS, but that is all post setup.exe running.

Out of interest, is a pull, i.e. running setup.exe with the switches an option as opposed to a push?

Regards,

Jak

jak said:

https://docs.sophos.com/esg/enterprise-console/tools/deployment_guide/en-us/index.html is one source of information that may help you.

The account you specify in the SEC Deployment Wizard needs to be an admin on the client.  I.e if you're using a user which is a member of domain admins, then domain admins group should be a member of the local administrators group on the client.  Does this all resolve as a basic test.

Other tests include:

1. Is the Remote Registry Service running on the client?

Running Regedit.exe as the deployment user say on the SEC server should be able to connect to the client and you should be able to access keys under say, HKLM\software\

2. Is the Task scheduler service running on the client?

3. Logged on to a client (preferably the SEC server as the deployment user) can you browse to:
\\remoteclient\C$\
Can you access the administrative shares?

4. Firewall considerations at the client side should also be considered but the above tests check most of the requirements.  Aside from allowing TCP 8194 incoming on the client for RMS, but that is all post setup.exe running.

Out of interest, is a pull, i.e. running setup.exe with the switches an option as opposed to a push?

Regards,

Jak

 

 

Hi,

Thanks for the reply, here is what I have found.

To push Sophos, we specify an AD account called Sophos, the account is active and the password has not expired, I am able to login to the server using this account. It is a member of the domain admins group. I have checked on the local computer and the Domain Admins group is under the local admins group on the machine.

1. I have gone onto the server which is working as the Sophos Server and ran regedit under the sophos admin user. I connected remotley to the PC I am attempting to push Sophos to and I am able to browse to HKLM\Software\XXX

2. Task Scheduler is started and running on the client and is set to Automatic.

3. I can browse to the C drive as remote client without issues from the server logged in as the sophos deploy user.

4. The windows firewall has been switched off on the client and disabled for testing, so I don't think this would get in the way?

Thanks for the update, does the scheduled task get created on the client following the protect from SEC?

I'm not at a Window client at the moment but I assume with the MMC snap-in for the task scheduler you can connect to a remote computer, do you see the Sophos Install task get created? If it exists, does the history or exit code help?

You should also see it appear under:

\\client\C$\Windows\tasks\

It's the mgntsvc.exe process on the management server that connects to the remote client to create the task.  It might be worth restarting the Sophos Management Service just to ensure it's not in an odd state.  Note: This will disconnect the console but you can reconnect.  

It may also be worth following: https://community.sophos.com/kb/en-us/112246 to see if the management service throws any more useful messages.

So I went to try and push the install again to the client and I was checking in the task scheduler, it did appear to show a Sophos install task.

Much to my amazement it has actually installed too. It is showing in the console as fully up to date, I have tried clicking update from the client and that works too, no errors....

I have not changed anything at all, but it seems to be working now, I am very confused.... 

Tomorrow I will reimage again and try the same again and see what happens, I will let you know the outcome on this.

Your help on this has been much appreciated so far :) 

Well that's something.  

As a tip, when you see the scheduled task get created on the endpoint, it's worth copying out the command line from the scheduled task as created by the management server.  

It will have all the switches you need to deploy.  You can supplement with the -G switch as well if needed.  Details here:

https://community.sophos.com/kb/en-us/12570

At least with this you can create a simple batch file for the future which can install the endpoint silently with all the required parameters.

Regards,

Jak

OK, so I tried to image again this morning. After completion, the PC is in a domained state, it can login, updated GPO's and everything works without issues with the PC itself.

I can see the PC name has appeared in the Enterprise console. But it is greyed out, if I right click the "protect computers" is greyed out.

If I double click on it, it shows that it knows it is Windows 7, and it knows the computer name, all other fields (IP address etc) are empty. On other machines that work most fields are populated.

I went to Discover Computers and tried that way, but that did not make a difference, technically the computer is in the list, but I cannot do anything with it :(

Again, UAC disabled and firewall off etc for testing.

Thanks again in advance

I figured out that issue, I needed to wait for the sync to take place with AD, it is set to every 60 mins...

So back to the original issue :)

I tried to hit protect computers and tried to look at the task scheduler to see what was going on, I kept hitting refresh to see if the Sophos task came up, but I didn't see it appear. It took about 20 seconds to fail with the same error on the console. 

I went into C:\Windows\Tasks and there is a task there called Sophos_InstTask.JOB just sitting there now.

But again, I am unable to add Sophos to the machine.

Again, if I look against other machines in the console and double click, it shows all the details as below

Where as, the new machine I am trying to deploy is only showing the following:

You can see there is a bunch of stuff missing...Not sure if that helps with what could be causing this?

The missing details would be expected at this stage.  That is filled in when the computer becomes managed by the RMS component and sends in the first status message.  Typically 20 seconds after install of RMS.

The code 80072afc, in this case,  translates to:

2afc = 11004

https://msdn.microsoft.com/en-us/library/windows/desktop/ms740668%28v=vs.85%29.aspx

WSANO_DATA
Valid name, no data record of requested type.
The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. The usual example for this is a host name-to-address translation attempt (using gethostbyname or WSAAsyncGetHostByName) which uses the DNS (Domain Name Server). An MX record is returned but no A record—indicating the host itself exists, but is not directly reachable.

Could it be that the address in the defined updating policy cannot be resolved?  I.e. it creates the task, the task has a command line back to run setup.exe from the server share.  This path comes from the updating policy linked to the group the computer resides in.

By default this would be send back from the Update Manager to the management server as just the NetBIOS form, e.g. \\server\sophosupdate.

Is it that initially out of the blocks, it can't resolve this form?  Things to try might include:

1. Create a new test updating policy and change the initial install path to be \\ip\sophosupdate.

2. Ensure that the DNS suffix for your domain is configured in the clients interface, so that "domain.local" or whatever is appended to "server", making the FQDN form.

3. As per point 1, change the initial instal path to be the FQDN.

I hope this helps.

Regards,

Jak

I will give this a go and let you know the result.

On another note, is there an MSI for installing Sophos ? So that I can push it as part of the OS deployment? 

We tick the boxes usually as follows (so the MSI would need to do the same)

I will give this a go and let you know the result.

On another note, is there an MSI for installing Sophos ? So that I can push it as part of the OS deployment? 

We tick the boxes usually as follows (so the MSI would need to do the same)

There is no MSI to install.  

The easiest way to generate the single command line to install is to deploy to one computer as you would and copy the details from the created scheduled task.  You can then optionally add the -G switch I mentioned before if you want new computer to arrive in a specific SEC group for a initial set of policies.