5

I am new to GPO push install. I just configured a group policy to push-install a piece of software to machines in the domain. However, it fails with error code 1603.

The following is the appmgmt log on the client.

07-27 17:14:16:775 
Software installation extension has been called for foreground synchronous policy refresh.
The following policies are to be applied, flags are 1.
    SecureAge Distribute (unique identifier {AE19597D-CBD3-42EF-AEE8-09FBBFA13171})
        System volume path = \\dev.sa.com\SysVol\dev.sa.com\Policies\{AE19597D-CBD3-42EF-AEE8-09FBBFA13171}\Machine
        Active Directory path = LDAP://CN=Machine,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com
Set the Active Directory path to LDAP://CN=Class Store,CN=Machine,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com;.
Enumerating applications in the Active Directory for computer CHENBOXPSP3X32 with flags 5.
CSTORE: Retrieving class store path for the system account.
CSTORE: Retrieved 1 class stores for the user or machine.
CSTORE: Attempting to bind to class store 0 with path LDAP://CN=Class Store,CN=Machine,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com.
CSTORE: Bind attempt returned error code 0.
CSTORE: Enumerating packages with search filter (&(objectclass=packageRegistration)(|(|(msiScriptName=*A*)(&(canUpgradeScript=*)(msiScriptName=*P*)))(!(msiScriptName=*)))) and flags ce00000.
CSTORE: Examining retrieved package SecureAge.
The following applications were found in policy SecureAge Distribute.
    Assigned application SecureAge (flags a0004c70).
Found 1 applications in policy SecureAge Distribute.
Enumerating the managed applications which are currently applied to this user.
No managed applications are currently applied to this user.
Found 0 applications locally that are not included in the set of applications from the Active Directory.
Application SecureAge from policy SecureAge Distribute is set for installation because it is assigned to this computer policy.
Assigning application SecureAge from policy SecureAge Distribute.
Calling the Windows Installer to advertise application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas with flags 69.
Windows Installer cannot advertise application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas, error 1603..
The assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : %1603

And

Removing application SecureAge from the software installation database.
Calling Windows Installer to remove application advertisement for application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas.
Windows Installer cannot remove application advertisement for application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas, error 1603.
The removal of the assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : %1603

Policy Logging for Software Management is attempting to log application SecureAge from policy SecureAge Distribute.
Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %1603

And

Software installation extension returning with final error code 1603.
07-27 17:14:25:665 
Software installation extension has been called for foreground synchronous policy refresh.
The following policies are to be applied, flags are 80.
    SecureAge Distribute (unique identifier {AE19597D-CBD3-42EF-AEE8-09FBBFA13171})
        System volume path = \\dev.sa.com\SysVol\dev.sa.com\Policies\{AE19597D-CBD3-42EF-AEE8-09FBBFA13171}\User
        Active Directory path = LDAP://CN=User,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com
Set the Active Directory path to LDAP://CN=Class Store,CN=User,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com;.
Policy has not changed.  Only assigned applications will be advertised.
Enumerating the managed applications which are currently applied to this user.
No managed applications are currently applied to this user.
Found 0 applications locally that are not included in the set of applications from the Active Directory.
Software installation extension returning with final error code 0.

I tried to search for things like "Windows Installer cannot advertise application ... from script ...", but got no hints.

Also, there is no log for the msi installation in the %temp% folder.

Edit: The event information in the application event is the following:

Event ID: 101 (error)
The assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : Fatal error during installation. 

Event ID: 103 (error)
The removal of the assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : Fatal error during installation. 

Event ID: 108 (error)
Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : Fatal error during installation. 

Event ID: 1085 (error)
The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.

I followed this link to set up the group policy, as I cannot post the screenshot since I am new: http://support.microsoft.com/kb/816102

The problem happens for both Windows XP and 7 32-bit hosts. The hosts run in VMware.

Edit 2: I tried to use a startup script to install the package; it works for the Windows 7 client. During the startup phase on the Windows 7 client, an Interactive Services Detection pop-up window shows that the installed software wants to show some message. Other than that, the installation works fine; no input is required during the installation process. Note that manual installation of the msi shows a message that a restart is required after the installation.

The startup script is the following:

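' Runs as a computer startup script; does nothing if the product is already present.
Set WshShell = CreateObject("WScript.Shell")
Set objFso = CreateObject("Scripting.FileSystemObject")
If Not objFso.FileExists("C:\Program Files\SecureAge\bin\SecureAge.exe") Then
    ' Opens the .msi through its file association; no msiexec switches are passed.
    WshShell.Run "\\192.168.0.145\DPoint\SecureAge.msi"
End If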

Note: the startup script installation only works in Windows 7, but not in Windows XP.

Edit 3: the screenshot of the group policy:

[image: group policy screenshot]

Can anyone please help me with the issue?

Thanks and regards

Chen Bo
  • Hi Chen, do you get any group policy errors on the client too? Please list all Event IDs etc first in a list, then the errors below, I find your post quite hard on the eyes! What package are you trying to push, and to what client OS? – Alex Berry Jul 27 '12 at 09:44
  • Thanks Alex. I am trying to push our own msi installer to Windows XP and 7 machines. The local installation of the msi works fine. The event IDs and the errors are added to the question. – Chen Bo Jul 27 '12 at 09:51
  • Ok.. Could you please provide screen shots of the settings in group policy so they can be verified, either that or list all the steps you went through. Add all this info in to your original question, including the detail concerning Windows XP and Windows 7, so that others can see this readily. – Alex Berry Jul 27 '12 at 09:53
  • Could you also specify whether all your clients are 32 bit, 64 bit or mixed, and whether the issue affects all clients or just one version. – Alex Berry Jul 27 '12 at 09:56
  • Yeah, that GPO screenshot or info is kind of important. Type it out, or failing that, screenshot it and post a link to it on some image hosting site. A user with more privileges can edit it into your post. It might also be helpful to try installing this via a GPO, with a startup script to narrow down where the problem is. Maybe the .msi is damaged or something. – HopelessN00b Jul 28 '12 at 16:51
  • Hi HopelessN00b, the link to the image is http://postimage.org/image/90krvmjcb/ . I tried to install the msi with a GPO startup script. It works in Windows 7. – Chen Bo Jul 30 '12 at 07:52
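
The appmgmt.log lines quoted in the question, triaged per policy-refresh pass. This is an added example, not part of the original post; it assumes the layout shown above (a timestamp line opens each pass), and the function names are hypothetical.

```python
import re

# Excerpt of the log quoted in the question, shortened to the lines that matter.
SAMPLE_LOG = r"""07-27 17:14:16:775
Software installation extension has been called for foreground synchronous policy refresh.
        System volume path = \\dev.sa.com\SysVol\dev.sa.com\Policies\{AE19597D-CBD3-42EF-AEE8-09FBBFA13171}\Machine
Windows Installer cannot advertise application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas, error 1603..
The assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : %1603
The removal of the assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : %1603
Software installation extension returning with final error code 1603.
07-27 17:14:25:665
Software installation extension has been called for foreground synchronous policy refresh.
        System volume path = \\dev.sa.com\SysVol\dev.sa.com\Policies\{AE19597D-CBD3-42EF-AEE8-09FBBFA13171}\User
Policy has not changed.  Only assigned applications will be advertised.
Software installation extension returning with final error code 0.
"""

STAMP = re.compile(r"^\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}$")
SCOPE = re.compile(r"System volume path = .*\\(Machine|User)$")
FAILED = re.compile(r"^The (assignment|removal of the assignment) of application (.+?) "
                    r"from policy (.+?) failed\.\s+The error was : %?(\d+)")
FINAL = re.compile(r"final error code (\d+)")

def parse_passes(text):
    """Split the log into policy-refresh passes and collect the failures in each."""
    passes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if STAMP.match(line):
            cur = {"time": line, "scope": None, "final": None, "failures": []}
            passes.append(cur)
            continue
        if cur is None:
            continue  # text before the first timestamp belongs to no pass
        if (m := SCOPE.search(line)):
            cur["scope"] = m.group(1)  # Machine = computer policy, User = user policy
        elif (m := FAILED.match(line)):
            op, app, policy, code = m.groups()
            cur["failures"].append((op, app, policy, int(code)))
        elif (m := FINAL.search(line)):
            cur["final"] = int(m.group(1))
    return passes

def failed_passes(text):
    """Passes that did not end with code 0; a pass cut off before its final line counts too."""
    return [p for p in parse_passes(text) if p["final"] != 0]
```

On the quoted log this separates the Machine pass, which ends with 1603, from the User pass eight seconds later, which ends with 0.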

3 Answers

4

1603 fatal errors usually are caused by one of two things: the account doing the installation can't write where it needs to, or the installation package is corrupted. Since you've ruled out #2 by doing an install with it, I'll assume it's #1.

When you use a computer-based software installation GPO, what you're doing is installing the software as the SYSTEM account. Some software installers misbehave and require that data be written to the installing user's profile. The SYSTEM account doesn't have a traditional profile like other user accounts do, which gives the illusion that required directories do not exist. This could explain why a logon script or manual install works - neither runs as SYSTEM.

I'd check with your software vendor and make sure that this software can be deployed the way that you are trying, since all signs point to the software installer itself being the culprit.

MDMarra
  • MDMarra, thanks for the help. However, it works in Windows 7 when the startup script installs the msi package, which also uses the SYSTEM account. (But it does not work in XP.) Please see Edit 2 in the question. – Chen Bo Jul 31 '12 at 02:50
  • Ah, I missed that. Maybe the GPO is corrupt? Have you tried deleting it and creating a new one? – MDMarra Jul 31 '12 at 10:48
  • I created a new one, but it still does not work. The same error message. – Chen Bo Aug 01 '12 at 03:27
  • Does the msi install in XP if run manually? – Alex Berry Aug 01 '12 at 11:14
  • Yes, it installs in XP manually. The problem with the startup script on XP is that it pops up a RUNAS window which requires user input to install. If the correct RUNAS is selected (say System), it also installs correctly with the startup script. But because of this user input, I consider it not working in XP, since the user can cancel the install. – Chen Bo Aug 02 '12 at 06:40
  • It turned out to be a problem with the software installer. After I got a new installer, it works. – Chen Bo Aug 28 '12 at 09:37
0

Please try the following:

  1. Please check that the share in which you are hosting this msi has the following share and NTFS security permissions: Group "Domain Computers" has read rights.

    [image: Permissions Entry window]

  2. Double check that the path to the MSI file in the script uses a UNC path, e.g. \\dataserver1\msis\msi_installer.msi rather than e:\msis\msi_installer.msi.

  3. Check that the package is compatible with installing via GPO. In order for it to be compatible, it needs to be able to install with no user interaction. To test this, log on to a computer where it is not installed, copy the msi file to somewhere local such as the root of the C:\ drive and type "msiexec /i C:\path_to_msi.msi /quiet". If it installs correctly, it is compatible; if not, it will need to be repackaged.

Alex Berry
  • Yes, everyone has read and execute rights. But, it did not work. – Chen Bo Jul 30 '12 at 07:52
  • Also one thing to double check is that the path to the MSI file in the script uses a UNC path. E.G. \\dataserver1\msis\msi_installer.msi rather than e:\msis\msi_installer.msi. – Alex Berry Jul 30 '12 at 08:08
  • Thanks for the quick reply. Yes, it uses a UNC path: \\192.168.0.145\DPoint\SecureAge.msi – Chen Bo Jul 30 '12 at 08:27
  • Can you use the FQDN rather than the IP address? You may run into authentication problems if you only use the IP address. – Alex Berry Jul 30 '12 at 08:38
  • I changed to FQDN, but the error still exists. – Chen Bo Jul 30 '12 at 09:02
  • Strange... Well, one thing to check is that the package is compatible with installing via GPO. In order for it to be compatible, it needs to be able to install with no user interaction. To test this, log on to a computer where it is not installed, copy the msi file to somewhere local such as the root of the C:\ drive and type "msiexec /i C:\path_to_msi.msi /quiet". If it installs correctly, it is compatible; if not, it will need to be repackaged. – Alex Berry Jul 30 '12 at 09:16
  • I followed the msiexec command with the logging option. The program is not installed onto the computer, but the log says success: "Product: SecureAge -- Installation operation completed successfully." Is this an incompatible package? By the way, if I use a startup script to install the msi in Windows 7, it works. – Chen Bo Jul 30 '12 at 10:19
  • Please post the contents of your startup script and explain what you see on the screen when the script is run. This may well be an incompatible package, however depending on the contents of the installer it may be possible to repackage. – Alex Berry Jul 30 '12 at 10:50
  • Who has downvoted this, and why? All points are quite valid. – Alex Berry Jul 30 '12 at 11:29
  • There's absolutely no reason to give Everyone access to the share. The minimum required is "Domain Computers - Read" for GPO computer installation and "Authenticated Users - Read" for user-based software deployment. Giving the Everyone group permission to anything is usually always not recommended. Not to mention that you didn't specify anything about the underlying NTFS permissions, which are the ones that actually matter. – MDMarra Jul 30 '12 at 12:47
  • I had said "the following share and security permissions", and next time you could post a comment along with the down-vote, it is of no assistance if you know the answer and don't post it up here. Either way it won't be the cause of his issues, it would guarantee access and amounts to the same thing, unless they have guests on their internal network, which is another kettle of fish altogether. – Alex Berry Jul 30 '12 at 12:53
  • Comments aren't required to downvote. And I downvoted because, although your answer may point the OP in the right direction, it is potentially dangerous. It's like telling someone to chmod -R 777 a directory to make something work. You just don't do it. – MDMarra Jul 30 '12 at 12:56
  • Then explain your reasoning, there's no requirement but it isn't in any way helpful, it just shows you didn't agree but couldn't be bothered to provide input. Regardless I have since modified my post to reflect your input, had you either commented or edited yourself your downvote wouldn't have been necessary or at least would have been reasonable. And it's not quite the same, if I had said give everyone full permission it would have been a valid parallel. – Alex Berry Jul 30 '12 at 12:59
  • Also, your edit is **still** incorrect. It's safe to assume that this is computer-based GPO deployment, which would generate access denied with the current ACLs. Luckily for me, I don't have to do **anything** that you're demanding. :) There's a reason that voting is anonymous. If you have a problem you can post it on [meta] or discuss it in [chat] – MDMarra Jul 30 '12 at 13:00
  • And oh, you don't have to, it just shows you're not very community spirited ;) – Alex Berry Jul 30 '12 at 13:03
  • Apparently you have a reading comprehension problem. Read through my comment again and you'll see that I say the minimum required ACE for computer-based deployment is "Domain Computers - Read". Like I said, feel free to join [chat] if you'd like to discuss it further. – MDMarra Jul 30 '12 at 13:05
  • Nah no need mate, keep on being helpful. – Alex Berry Jul 30 '12 at 13:17
  • Alex, please see the Edit 2 in the question on the startup script and the display when the startup script is running. – Chen Bo Jul 31 '12 at 02:17
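
A check for the ACL that the comments above call the minimum for computer-based deployment ("Domain Computers - Read", nothing for Everyone), run over saved `icacls` output for the NTFS folder behind the share. This is an added example, not code from any poster; the `D:\DPoint` folder, the `DEV\Helpdesk` group, the trusted-principal list and the function names are assumptions, and the sample output is constructed.

```python
import re

# Constructed icacls output for a hypothetical deployment folder D:\DPoint;
# the DEV domain, the Helpdesk group and every ACE below are made up.
SAMPLE_ICACLS = r"""D:\DPoint BUILTIN\Administrators:(OI)(CI)(F)
          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
          Everyone:(OI)(CI)(RX)
          DEV\Helpdesk:(OI)(CI)(M)
          DEV\Domain Computers:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^()]+\))+)$")
INHERIT = {"OI", "CI", "IO", "NP", "I"}   # inheritance markers, not rights
READ_ONLY = {"R", "RX"}                   # simple rights that cannot change files
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}  # assumed admins

def parse_acl(output, path):
    """Return [(principal, rights, is_deny)] from icacls output for one path."""
    aces = []
    for line in output.splitlines():
        line = line.replace(path, "", 1).strip()  # first ACE shares a line with the path
        m = ACE.match(line)
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        tokens = re.findall(r"\(([^()]+)\)", m.group("flags"))
        rights = {r for t in tokens if t not in INHERIT | {"DENY"} for r in t.split(",")}
        aces.append((m.group("who"), rights, "DENY" in tokens))
    return aces

def audit(output, path, required="Domain Computers"):
    """List ACEs beyond the minimum: `required` needs read, nobody else needs more."""
    findings, can_read = [], False
    for who, rights, deny in parse_acl(output, path):
        name = who.split("\\")[-1]
        if deny:
            findings.append(f"{who}: deny ACE, review manually")
            continue
        can_read = can_read or (name == required and bool(rights & {"R", "RX", "M", "F"}))
        if name == "Everyone":
            findings.append(f"{who}: broad principal has access ({','.join(sorted(rights))})")
        elif who not in TRUSTED and not rights <= READ_ONLY:
            findings.append(f"{who}: grants more than read ({','.join(sorted(rights))})")
    if not can_read:
        findings.append(f"{required}: no read ACE found")
    return findings
```

For a user-based deployment, pass `required="Authenticated Users"`, the principal named in the same comment.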
0

Just to add to this: you will also get a 1603 error if you are trying to deploy software to a drive which is encrypted with BitLocker or similar.

Reference is here: https://support.microsoft.com/en-nz/help/834484/you-receive-an-error-1603-a-fatal-error-occurred-during-installation

The workaround is to deploy the software via a USER Group Policy (either directly or as a loopback policy). Just remember to check the 'Install this application at logon' option in the 'Deployment' tab of the package options in the Group Policy!