Error code 1603 when upgrading from SEC 5.0 to 5.1

Question

Hi, I'm currently trying to upgrade an existing SEC 5.0 installation to 5.1, but it's failing with an error 1603 message "Unable to install Management Server - The MSI terminated unexpectedly".  I've followed the steps on http://www.sophos.com/en-us/support/knowledgebase/114627.aspx and also had a look through another post here ( /search?q= 22257 ) but haven't yet found a definite solution. The Sophos_bootstrapper... log file has the following at the end: 31/05/2012 12:57:30, INFO : Ended installing Database32.msi
31/05/2012 12:57:32, INFO : Installation of Database succeeded
31/05/2012 12:57:32, INFO : Verifying files in folder
31/05/2012 12:57:34, INFO : Target folder verification completed successfully
31/05/2012 12:57:34, INFO : About to install Server32.msi
31/05/2012 13:06:18, INFO : Processing INSTALLMESSAGE_ERROR or INSTALLMESSAGE_FATALEXIT message from MSI
31/05/2012 13:06:18, INFO : Deactivate state: Installing
31/05/2012 13:06:18, INFO : Activate state: Failing
31/05/2012 13:07:03, INFO : Installation of Server32.msi failed with error code: 1603
31/05/2012 13:07:03, INFO : Ended installing Server32.msi
31/05/2012 13:07:05, INFO : Installation failed with error code: 1603
31/05/2012 13:07:05, INFO : Deactivate state: Failing
31/05/2012 13:07:05, INFO : Activate state: Failed
31/05/2012 13:07:05, INFO : Entered Installation failed page.
31/05/2012 13:07:27, INFO : Opening logs folder: C:\Documents and Settings\All Users\Application Data\Sophos\Management Installer
31/05/2012 13:07:27, ERROR : Could not open temp folder. ShellExecute() returned error: 33 - The process cannot access the file because another process has locked a portion of the file. which seems odd because nothing else is running on the server (logged in as domain administrator for the installation, and log files are being created in the temp folder).  Additionally, the Sophos_Server32msi... log file contains the following: MSI (s) (38:9C) [13:05:51:981]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI8E.tmp, Entrypoint: InitializeDatabaseAndImportCertificates
SFXCA: Extracting custom action to temporary directory: C:\WINDOWS\Installer\MSI8E.tmp-SFXCA: Binding to CLR version v2.0.50727
Calling custom action EncryptionCustomActions!EncryptionCustomActions.CustomAction.InitializeDatabaseAndImportCertificates
InitializeDatabaseAndImportCertificates
About to call: Initialize
Succeeded: Initialize
Calling API function: CreateMiscClassInstance().
Completed API function: CreateMiscClassInstance().
About to call: Initialize
Succeeded: Initialize
About to call: InitializeDatabaseEx
Succeeded: InitializeDatabaseEx
About to call: AuthenticateOfficer
MSI (s) (38!64) [13:06:18:308]: Product: Sophos Management Server -- 1: You do not have sufficient rights to perform the action. Access is denied.

Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> EncryptionCustomActions.SgnApiException: You do not have sufficient rights to perform the action. Access is denied.
 at EncryptionCustomActions.CustomAction.CallFunction(String functionName, Func`1 function, Session session, Base baseObject)
 at EncryptionCustomActions.CustomAction.InitializeDatabaseAndImportCertificates(Session session)
 --- End of inner exception stack trace ---
 at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
 at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
 at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
 at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
 at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
MSI (s) (38:00) [13:06:20:418]: User policy value 'DisableRollback' is 0
MSI (s) (38:00) [13:06:20:418]: Machine policy value 'DisableRollback' is 0
Action ended 13:06:20: InstallFinalize. Return value 3. which looks like there's a problem with importing the Safeguard certificate(???).  I don't have Safeguard Enterprise, just the standard version, but I do have a message in Enterprise Console saying my licence has been updated to the Data Protection Suite and have verified that the certificate passwords are entered correctly. I suppose the obvious thing to try is to just forget about the encryption, but I'd really rather have it managed from the same console if possible - ideally importing the already encrypted machines. Does anyone have any idea if I'm doing something wrong here?  Previous upgrades of both Safeguard Policy Editor and SEC have always gone without any problems until now. Thanks in advance for any advice! :25389

EMK · Accepted Answer

Hi All, 
 Thank you for starting the thread. 
 Firstly installations of the Policy Editor are not compatible with the SEC Server on the same computer. The option to display the Encryption workflow in the Enterprise Console 5.1 installation should have been prevented on detection of the installed Policy Editor. 
 The current installer (setup.exe) only checks for the upgrade code: {D4667A84-D 6 44-40DA-8344-F1D9839C1BB4}, the version of the Policy editor you must have is identifiable by the upgrade code: {D4667A84-D F 44-40DA-8344-F1D9839C1BB4}. Note the one character difference. 
 @RBGE: 
 Enterprise Console does not take over the data from the Safeguard DB. You would need to do the following to make the transition using the same server: 
 1. Install the Policy Editor on another computer and connect it to the existing SafeGuard DB. 
 2. Verify that the newly installed Policy Editor is working. 
 3. Uninstall the Policy Editor from the SEC Server (this does not delete the SafeGuard DB and the newly installed Policy Editor still keeps working - This way you can continue managing his clients during the transition period). 
 4. Upgrade SEC including the encryption feature + import the existing certificates. In SEC define Full Disk Encryption policies and assign them to the appropriate groups (they only take effect when doing the next step: protect computers) 5.From SEC use the protect computers wizard to deploy a new encryption agent and make the agents to connect to SEC (the clients stay encrypted and are sending their key backup and status data to SEC). This should be first done with a single test client and then continued step-by-step for a group of clients (the other clients can be still managed from the Policy Editor during the transition period). The following guide should help: http://www.sophos.com/en-us/medialibrary/PDFs/migration/encag_561_lmgeng.pdf

@John_S: I would suggest that you log a case with support including a Diagnose log ( http://www.sophos.com/en-us/support/knowledgebase/33533.aspx) so they can investigate the cause of the error message you see. I would also suggest ensuring that the file "EncryptionFEService.log" is included, this can be found here: C:\Documents and Settings\All Users\Application Data\Sophos\ManagementServer\log. or under C:\ProgramData\ depending on your OS.

Regards :25487