Installation Problem Windows 10 Enterprise

Hello, everyone,

we have the following problem with a customer:
Sophos Endpoint installation may not start on some machines, the pre-installation check will display a message indicating that the operating system (Windows 10 Enterprise) is not supported.
No logs are generated under C:\Windows\Temp\, yet (empty) Sophos update folders are created under C:\ProgramData\Sophos\

  • Christian, 

    Output from ALUpdate trace logs from 3 examples (that I submitted to Sophos support)

    2x Win 10 laptops, and 1x Windows server

     

    Trace(2018-Aug-30 12:41:59): UpdateCoordinator::UpdateNow: current platform is WIN_10_X64 reelase: 1803

    and another..

    Trace(2018-Aug-30 08:55:13): UpdateCoordinator::UpdateNow: current platform is WIN_10_X64 reelase: 1703

    and the server..

    Trace(2018-Aug-30 08:28:09): UpdateCoordinator::UpdateNow: current platform is WIN_2008_R2_SVR_X64 reelase: 

     

    The number of endpoints experiencing this has NOT increased since this began.

    Via the EC, I opened 14 random endpoints experiencing the (software cannot be installed on the OS) error, and each endpoint is showing Patch Agent 1.0.311.1
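
Added example (not part of any post in this thread, and not Sophos code): a small Python triage script that pulls the platform and release fields out of ALUpdate trace lines like the ones quoted above, accepting both the `reelase` spelling and a corrected `release`, so the values can be compared across affected endpoints. The fourth sample line, the function names and the assumption that the platform field can be logged empty are constructed for illustration.

```python
import re
from collections import Counter

# The first three lines are the trace lines quoted in the thread; the fourth
# is constructed to cover a build that logs the corrected "release" spelling.
SAMPLE = (
    "Trace(2018-Aug-30 12:41:59): UpdateCoordinator::UpdateNow: current platform is WIN_10_X64 reelase: 1803\n"
    "Trace(2018-Aug-30 08:55:13): UpdateCoordinator::UpdateNow: current platform is WIN_10_X64 reelase: 1703\n"
    "Trace(2018-Aug-30 08:28:09): UpdateCoordinator::UpdateNow: current platform is WIN_2008_R2_SVR_X64 reelase: \n"
    "Trace(2018-Sep-03 09:00:00): UpdateCoordinator::UpdateNow: current platform is WIN_10_X64 release: 1803\n"
)

# Assumption: either field may be logged empty, so both are optional here.
TRACE_RE = re.compile(
    r"^Trace\((?P<timestamp>[^)]+)\):\s+UpdateCoordinator::UpdateNow:\s+"
    r"current platform is\s*(?P<platform>\S*)\s+re(?:el|le)ase:\s*(?P<release>\S*)\s*$"
)


def parse_trace(text):
    """Return one dict per platform-detection line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        match = TRACE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def summarize(records):
    """Count how often each (platform, release) pair was detected."""
    return Counter((r["platform"], r["release"]) for r in records)


def incomplete(records):
    """Records where ALUpdate logged no platform or no release value."""
    return [r for r in records if not r["platform"] or not r["release"]]


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE)
    for (platform, release), count in sorted(summarize(parsed).items()):
        print(f"{platform or '<none>':24} {release or '<none>':8} {count}")
    for rec in incomplete(parsed):
        print("missing field:", rec["timestamp"], rec["platform"] or "<none>")
```

An empty release is listed by `incomplete` only so it can be reviewed; the script does not decide whether that is expected for a given operating system.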

  • Hello Eric Breen,

    thanks. The others have Patch 1.0.312+ I assume. Platform is one property that ALUpdate determines and considers. Dunno if reelease is deliberate or a typo but apparently it's not the Redstone. I was asking because perhaps the platform was incorrect or unavailable. Just an idea.
    Another idea was the AutoUpdate version, 5.11 on 10.8.1, 5.12 on 10.8.2 Preview, and 5.14 on 18.0.2 Recommended. But as AutoUpdate updates itself as last component it can't be 5.14. So there's not yet a pattern and it's seemingly random but hard.

    BTW: I opened 14 random endpoints - you get the patch agent version information for a list of or all endpoints using the Patch tab in the console. No need to view their details.

    Christian

  • QC said:

    So there's not yet a pattern and it's seemingly random but hard.

    BTW: I opened 14 random endpoints - you get the patch agent version information for a list of or all endpoints using the Patch tab in the console. No need to view their details.

    Christian

     

    I don't see a pattern either, nor does my supervisor. It's not minimizing our concern though, because we are way out of compliance, for almost 2 weeks now.

    Thanks for the heads up. I was doing it the hard way. 

  • Hello Eric Breen,

    important things first:
    way out of compliance
    because? Because Patch fails to update? Or because endpoints show updating errors (even though in the Status tab they show as Up to date: Yes)? Compliance is a ***, sometimes, or: more often than desired. In spirit it's a good thing, in practice it can be irrational. Depends on your internal or external auditors.

    IMO it's not yet a serious non-compliance for the following reasons:

    • the update to Patch is a minor one (1.0.311 to 1.0.312.7), unlikely that it changes anything of major importance
    • Patch is "just" an assessment tool. An endpoint's correct results generated with up to date data by an up to date Patch Agent give you its patch status w.r.t. the data feed. If compliance is based on the results but the quality of the feed has not been assessed - how significant is it?
    • the slightly backlevel Patch does not diminish protection on the endpoint
    • last but not least: As new versions are rolled out to customers over a longer period (10.8.2 Recommended is not yet available for me, nor is Preview yet on 10.8.2.2) the next to last version should be as good as the very latest one in terms of compliance

    If it's only the error message that your auditors don't like you could downgrade the affected endpoints to the Previous Recommended 10.8.1. This is not to say that the issue should be investigated (and resolved).

    Some (hopefully minor) errors on my side:
    * should have read more carefully - it's definitely a typo as it says reelase, e and l switched (the additional output of release/reelase has been introduced in AutoUpdate 5.12)
    * AutoUpdate is not the last component updated by AutoUpdate, Patch and SSP come later in the cycle
    * nevertheless whether AU is updated before Patch or not shouldn't have an effect as ALUpdate.exe isn't restarted in the cycle,

    The Patch install should have been attempted by ALUpdate 5.11 and it seems whatever bug or glitch is causing this already existed  before 10.8.2/5.14 - or it's the Setup.dll that comes with Patch.

    Thinking about it - I was carried away by the screenshot with the OS errors you provided and concentrated on Patch. You said the AV agent in services was missing. So the Patch update error was just one of the errors on these endpoints and other components (particularly SAV) also failed (on all the 40+ machines)?

    Christian

  • QC said:

    If it's only the error message that your auditors don't like you could downgrade the affected endpoints to the Previous Recommended 10.8.1. This is not to say that the issue should be investigated (and resolved).

    • Assuming a downgrade would work.

    Some (hopefully minor) errors on my side:
    * should have read more carefully - it's definitely a typo as it says reelase, e and l switched (the additional output of release/reelase has been introduced in AutoUpdate 5.12)

    • I noticed this typo as well, but this was the syntax right from the log. It was not edited.

    The Patch install should have been attempted by ALUpdate 5.11 and it seems whatever bug or glitch is causing this already existed  before 10.8.2/5.14 - or it's the Setup.dll that comes with Patch.

    Thinking about it - I was carried away by the screenshot with the OS errors you provided and concentrated on Patch. You said the AV agent in services was missing. So the Patch update error was just one of the errors on these endpoints and other components (particularly SAV) also failed (on all the 40+ machines)?

    • The AV service was missing from the server that I had easy access to. I have no evidence at this time that other (currently affected) endpoints would/are displaying the same problem. I felt it was strange enough to mention it, as it was throwing the same error as all the others. I just had easy access to it, so I was able to spend time investigating the problem on this box. It's easier than taking a laptop from an end user, despite the difference in OS architecture. I don't think this is OS specific, although I still haven't ruled out a Windows update (or several) causing this.

    Furthermore, I am unaware if you are an employee of the company or not. It really doesn't matter, as you have been assisting nonetheless. I just wanted to reiterate that I have an open ticket and the latest reply from the vendor is that they are still investigating (what sounds like) a "known" problem. I am anticipating escalation, though nothing has been confirmed yet.

     

    As far as your comments regarding compliance, they are company policies that I didn't author, I just follow them.

    That storm is being weathered by me.

    I am OOO for the remainder of the day, but I will be in touch.
    Thanks again for the help thus far.
  • Hello Eric Breen,

    I'm not Sophos and not a Partner, just a customer's representative.

    still investigating
    thought as much. Normally you won't hear how far up it already is or some estimate how long it will take (if it's already possible to tell). There have been changes to the updating architecture and as far as I can see there are more to come.

    Haven't been of much help so far unless at least one of my suggestions works [:)]. 

    Christian

  • Hi Eric,

    I was out last week, I apologize for the delay in response. I have reviewed your ticket, and noticed that it has been escalated to the highest support level / Dev team for assistance. There is also a DEV issue created for it (WINEP-15674), which is currently under investigation.

    Please let me know if you have any questions at this time.

    Thank you,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • Thank you, Barb.

    We have been notified of this as well and are waiting for instruction and/or direction.

  • Why is it that when I dial Toll Free: 1-888-SOPHOS-9 (1-888-767-4679) I get to listen to 10 minutes of ads before the system tells me that the number has changed to another number, then when I call that number it's another ad system??

     

    This is a joke right?

     

    What is your support number, please. The one for paying customers.

     

    Thank You

     

  • Hi Eric Breen,

    I am very sorry for the inconvenience. The different ways to contact support can be found in this link 

    I will update your existing ticket requesting that an engineer contact you as soon as possible (I cannot provide you an ETA on their behalf).

    Once again, I apologize for the delay and any inconveniences this may have caused.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support