Golden Image problems

Hi Dennis,

Thanks for reaching out to us. 

Could you check the following log file to see if there are any 403 errors? 
- C:\ProramData\Sophos\AutoUpdate\SophosUpdate.log

There is an ongoing issue that is being actively investigated. You can track the latest updates using the following link. 
- New installations fail with HTTP Error 403

As your Gold Image system has been created very recently, the child images will be up to date for now. The issue is being actively investigated, and the child images will update normally once the issue is resolved. 

Hi,
yes........403 errors in the log:

2022-05-11T00:52:35.919Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:52:36.038Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:52:36.296Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080 (try 2 of 5)
2022-05-11T00:52:36.410Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:52:37.421Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080 (try 3 of 5)
2022-05-11T00:52:37.541Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:52:42.551Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080 (try 4 of 5)
2022-05-11T00:52:42.675Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:53:12.689Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080 (try 5 of 5)
2022-05-11T00:53:12.723Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:53:12.725Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:53:12.756Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:53:13.017Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080 (try 2 of 5)
2022-05-11T00:53:13.147Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:53:14.158Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080 (try 3 of 5)
2022-05-11T00:53:14.191Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:53:19.206Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080 (try 4 of 5)
2022-05-11T00:53:19.333Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:53:49.349Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080 (try 5 of 5)
2022-05-11T00:53:49.468Z [ 7820:10532] I 403 from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: 192.168.11.1:8080
2022-05-11T00:53:49.470Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy>
2022-05-11T00:54:52.553Z [ 7820:10532] W Error from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
2022-05-11T00:54:52.816Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy> (try 2 of 5)
2022-05-11T00:55:55.913Z [ 7820:10532] W Error from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
2022-05-11T00:55:56.926Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy> (try 3 of 5)
2022-05-11T00:57:00.024Z [ 7820:10532] W Error from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
2022-05-11T00:57:05.027Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy> (try 4 of 5)
2022-05-11T00:58:08.103Z [ 7820:10532] W Error from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
2022-05-11T00:58:38.107Z [ 7820:10532] I Trying update service url sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy> (try 5 of 5)
2022-05-11T00:59:41.195Z [ 7820:10532] W Error from sus.sophosupd.com/.../329c65b5-9cef-4f3f-aaa5-176b4a44a670 with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
2022-05-11T00:59:41.196Z [ 7820:10532] W Error refreshing service config: will sync using stale SUS config: No reachable update service locations
2022-05-11T00:59:41.197Z [ 7820:10532] E No reachable update service locations

Like described in the article of the knowledgebase the problem is solved.
I have newly installed Sophos on my Golden Image but the problem still occur :-(

If you use the command line option:

--traillogging

...to the Central Installer as mentioned here:
Installer command-line options for Windows - Sophos Central Partner
Then run the installer it will have a little more information in the installer log. Maybe you can share the log?

The good news is, looking at the command line options for the installer, there appears to be 2 new options:

• goldimage
• goldimagetimeout

Apparently it needs the new MCS version which is starting rollout very soon, but this automates all the steps in the gold image article.  So that will be a nice addition.

Thanks.....i have installed ophos with the parameter and attached all logs i have found.Temp.zip

Sorry I think I misunderstood slightly. So the issues you have are with existing installed computers rather than new installs.

If new installs are working for fresh computers, the --traillogging switch to SophosSetup.ee, which will log more info to the Sophos Central installer log, found here:

%ProgramData%\Sophos\CloudInstaller\Logs\SophosCloudInstaller_[date]_[time].log

May not help but it is useful for failing new installs.

If there are deployed clients with issues, the problem might lie with the file "Endpoint.jwt" under: "C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist\"

Note: Tamper will need to be disabled to browse to that location in Explorer if UAC is on, you can navigate to the location with an admin prompt if Tamper is still enabled.

This jwt file is used by AutoUpdate to update and needs a valid tenant ID and the endpoint id should be that of the client.

So part of identity strip steps so "childs" of the image, that file should ideally be removed I suspect so when MCS requests a new jwt the endpoint id is correct.

So the MCSClient.log might be of most interest here, you did provide one which shows:

\Logs\McsClient.log

Line 43: 2022-05-17T08:06:25.153Z [ 8548: 8580] E Authentication token file is invalid, error: No such node (features)

Line 51: 2022-05-17T08:06:25.916Z [ 8548: 8656] I POST mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/.../endpoint

Line 56: 2022-05-17T08:06:26.258Z [ 8548: 8656] I Authentication token expires at 2022-05-18T08:05:26Z

The first time the jwt was checked by mcsclient.exe the token didn't have any features, these would be required that would cause a problem as you are seeing.

I think you should see at least every hour, lines:
Authentication token expires
in the mcsclient.log as the new jwt is requested as they only last 24 hours.

I would try initially:
1. disable Tamper on a failing client.
2. delete the .jwt file.
3. restart the MCS client service.
4. hopefully a new jwt file is created.
5. try "update now", do you still get the 403 errors?

If so I suspect there is something wrong with the contents of the jwt, either the features are wrong or the endpoint id doesn't match.  

Thanks.
Yesterday i deleted all my terminalserver from the Sophos console and after that i reinstalled Sophos on my Gold Image CTXVABDF-Maint.
After the installation the status of the Gold Image was green. Then i run the Gold Image skript.....
Today i have the following:
Some terminalservers are ok, some not. All servers bootet from the same Gold Image via provisioning.

Errors:

Thanks.
Yesterday i deleted all my terminalserver from the Sophos console and after that i reinstalled Sophos on my Gold Image CTXVABDF-Maint.
After the installation the status of the Gold Image was green. Then i run the Gold Image skript.....
Today i have the following:
Some terminalservers are ok, some not. All servers bootet from the same Gold Image via provisioning.

Errors: