Sophos Upgrade from 5.5.0 to 5.5.2

Hi,

I have recently upgraded from the Sophos Enterprise Console 5.5.0 to 5.5.2 and I got an error Unable to install Sophos Credential Store Service and failed to upgrade to 5.5.2.

The SEC 5.5.0 is still there. The Under Programs and Features I find the Sophos Management Console and Sophos Management Server are still with version 5.5.0.

Could you please let me know how to fix this error and what I will do next to complete an upgrade to 5.5.2

Your assistance on this request would be extremely appreciated.

Thank you.

Kind regards,

T Doan

 

  • Hi,

    Are installing on a DC or Members Server?

  • In reply to moosey:

    Sorry are you upgrading SEC on a DC or Members Server? 

  • Hello Accounts Payable1,

    how to fix this error
    the Sophos_CredStoremsi ....log in %ProgramData%\Sophos\Management Installer\ should have a more detailed description of this Unable to install.

    Christian

  • The most common reason I've heard of this happening here is due to the "Logon as a service" rights being defined within your local or domain security policy.  The Credential Store creates a new service account and attempts to start the service using that account as part of the installation process.  If the local or domain security policy does not include "NT SERVICES\ALL SERVICES", the Credential Store service may fail to start.

  • In reply to moosey:

    Hi Moosey,

    Thank you for your response.

    I used Domain Control to install (i.e: Domain Name\Administrator). Because I am working from home, so I used remote desktop to log in to our server to upgrade. Do you think there is any problems with this?

    Thank you and look forward to your response.

    Regards

    T Doan (Accounts Payable1)

     

     

  • In reply to QC:

    Hi Christian,

    Thank you for your response.

    I also checked the Sophos_CredStoremsi log file as shown below.

    .....

    MSI (s) (68:9C) [12:31:24:268]: Executing op: ActionStart(Name=StartServices,Description=Starting services,Template=Service: [1])
    Set ACL for 'C:\Program Files (x86)\Sophos\Credential Store\'
    MSI (s) (68:9C) [12:31:24:268]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
    MSI (s) (68:9C) [12:31:24:268]: Executing op: ServiceControl(,Name=Sophos.Credential.Store.Service,Action=1,Wait=1,)
    MSI (s) (68:9C) [12:31:54:654]: Note: 1: 2205 2: 3: Error
    MSI (s) (68:9C) [12:31:54:654]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1920
    MSI (s) (68:9C) [12:31:54:654]: Note: 1: 2205 2: 3: Error
    MSI (s) (68:9C) [12:31:54:654]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
    MSI (s) (68:9C) [12:31:54:654]: Product: Sophos Credential Store -- Error 1920. Service 'Sophos Credential Store' (Sophos.Credential.Store.Service) failed to start. Verify that you have sufficient privileges to start system services.

    Please let me know how to fix it and what I can do next to complete an upgrade.

    Thank you and look forward to your response.

     

    Kind regards,

    Accounts Payable1

  • In reply to MEric:

    Hi MEric,

     

    Thank you for your response.

    As I couldn't install the Credential Store service while upgrading and it terminated/stopped straight away from there. Please let me know how to fix this and what I can do next to complete an upgrade.

    Thank you and look forward to your response.

     

    Kind regards,

    Accounts Payable1

     

  • In reply to Accounts Payable1:

    Hello T Doan,

    1920 is a rather generic error, the timestamps suggest that the service start command timed out. Perhaps the Windows Event log has more information why the service didn't start.

    I assume the installer has performed a rolleback. Has the Sophos Credential Store been removed or is it still there? Dunno to what extent the installer mops up, maybe it left the %ProgramData%\Sophos\Credential Store\ folder and the store.log behind.

    Christian

  • In reply to Accounts Payable1:

    Does NT SERVICES/ALL SERVICES exist if you run the following in an administrative command prompt?  What you are looking for in the report is under Settings > Policies > Windows Settings > Security Settings > Local Policies User Rights Assignment > Log on as a service.
    gpresult /h C:\Windows\Temp\report.htm
    C:\Windows\Temp\report.htm

    If this setting has been specified and NT SERVICES\ALL SERVICES is not listed, you will need to add it in.  Open up Group Policy Management on your DC and modify the group policy applied to your SEC server. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service.  When adding the user, type in NT SERVICES/ALL SERVICES and click "OK", not Browse.  Save this policy.

    After saving, force the SEC server to retrieve this new policy by running gpupdate /force.  Verify that NT SERVICES/ALL SERVICES now exists under the report by running the gpresult command mentioned at the start.  If so attempt to run the installer again.

  • In reply to QC:

    Hi Christian,

    Thank you Christian.

    After I got an error I checked the Sophos Credential Store has been removed and also the %ProgramData%\Sophos\Credential Store\ folder and the store.log was empty.

     

    Kind regards,

    T Doan

     

  • In reply to MEric:

    Hii MEric,

     

    Thank you for your response.

    Yes I will follow your instructions to add  NT SERVICES\ALL SERVICES to Group Policy Management. I would like to ask you I can run setup.exe file from the sec_552 install folder to continue upgrading to 5.5.2 (As I see Sophos Management Database version 5.5.2 has been installed the under Programs and Features) or I have to run sec_552_sfx.exe to start from the beginning to complete an upgrade 5.5.2

    Please advise...

    Thank you.

     

    Kind regards,

    T Doan

     

     

  • In reply to Accounts Payable1:

    Hello T Doan,

    I can run setup.exe file from the sec_552 install folder
    yes, for subsequent attempts this is the right choice. the sfx does nothing more than extracting the archive to sec_552 and calling setup.exe.

    Sophos Management Database version 5.5.2 has been installed
    you'll run into the problem described in Installer has detected different versions of the components installed. This would be Scenario 1 in the article. Uninstall the Database component, re-run the Installer, it will offer to upgrade the other components (the Database will be greyed out). Do not forget to reinstall the Database component with the CREATE_DATABASES=0 argument even though there will be no future upgrades - if for whatever reason you re-run the Installer again it would otherwise let you (or someone else) tick the Database component, attempt to install it but fail. Might cause confusion.

    Christian

  • In reply to Accounts Payable1:

    Hi,

    Thank you for the update. 

    1 Question is the SEC 550 installed on a Domain Controller?

  • In reply to QC:

    Hi Christian,

     

    Thank you for the update.

    I will do as what you mentioned and let you know the result after upgrading.

     

    Kind regards,

    T Doan

     

     

  • In reply to moosey:

    Hi Moosey,

    Thank you.

    Yes it is installed on our Domain Controller.

    Kind regards,

    Thuy Doan