Elastic Endpoint fails deployment v7.12.1

Hi,

Notes:

  • ELK v7.12.1 Standalone
  • OS Win 10 Pro, v20H2, build 19042.928

I recently upgraded to ELK v7.12.1 and have been testing it. Today I tried to update existing agents in Fleet to the most recent version. So far I have not been able to successfully deploy any agent where the assigned policy includes the Elastic Endpoint integration. I even tried unenrolling agents, uninstalling/removing Elastic Agent and Elastic Endpoint from the machine and installing from scratch. Every time the policy was only System or Windows or any other combination but Elastic Endpoint, the deployment completed successfully and stayed healthy. If the policy includes Elastic Endpoint, it will install the Elastic Agent but will fail to deploy Elastic Endpoint. I also tried removing the Elastic Agent/Endpoint and rebooting the machine, then installing from scratch, but that did not help. I may need to remove some Windows registry entries, but will let you guys advise how to proceed from here. Please see the logs below:

Exceeded the character limit, so used an external link

Hi Manuel,

I'm sorry you are encountering problems getting the Elastic Endpoint integration to successfully install. Thanks for providing the log files, they were very helpful.

I'm not certain what order of events might have put the machine(s) in this state, but from the logs it appears the Elastic Endpoint installation is discontinuing when it discovers that the ElasticElamDriver service already exists. I was able to produce the same log output you provided by creating a service with that name (ElasticElamDriver) prior to adding the Elastic Endpoint integration.

I was able to resolve the issue and get the Elastic Endpoint integration successfully installed by:

  1. Ensuring Endpoint Security integration was not presently part of the policy assigned to the host, such that there's no chance Agent is presently attempting to install the Endpoint Security integration.
  2. On the host, opening an Administrator Command Prompt and deleting the conflicting service using the command sc delete ElasticElamDriver.

Delete ElasticELAMDriver Service

  3. Adding the Endpoint Security integration back to the policy used on that host.
  4. After a short period of time, I noted Elastic Endpoint had now been successfully installed and was running on the host.

Would you be able to try those steps and see if that resolves the issue?

Thanks,
Ben

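Before running the sc delete step from Ben's reply, it helps to confirm that ElasticElamDriver really is an orphaned registration and that no Endpoint install is in progress. The following PowerShell script is an added example, not code from the thread or from Elastic; it assumes the Endpoint service is registered under the name ElasticEndpoint (an assumption, not stated in the thread) and only deletes the stale service when run with -Remove.

```powershell
# Added example (not from the thread): inspect the ElasticElamDriver service
# registration before removing it. Run from an elevated PowerShell prompt.
param(
    [string]$ServiceName  = 'ElasticElamDriver',   # name taken from the thread's logs
    [string]$EndpointName = 'ElasticEndpoint',     # ASSUMPTION: Endpoint's service name
    [switch]$Remove
)

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $svcKey)) {
    Write-Host "Service '$ServiceName' is not registered; nothing to clean up."
    return
}

# Get-Service hides kernel/ELAM drivers, so read the registration directly.
$reg = Get-ItemProperty -Path $svcKey
$typeName = switch ($reg.Type) { 1 { 'kernel driver' } 2 { 'file system driver' } default { "type $($reg.Type)" } }
Write-Host "Found '$ServiceName' ($typeName), Start=$($reg.Start)"
Write-Host "ImagePath: $($reg.ImagePath)"

# Resolve the driver path so we can tell whether the binary is still on disk.
$path = [Environment]::ExpandEnvironmentVariables("$($reg.ImagePath)")
$path = $path -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
$binaryPresent = $path -and (Test-Path $path)
Write-Host ("Driver binary on disk: {0}" -f ($(if ($binaryPresent) { 'yes' } else { 'no (stale registration)' })))

# Do not touch the service while an Endpoint install may be using it.
if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$EndpointName") {
    Write-Warning "'$EndpointName' is registered; remove the Endpoint Security integration from the policy first."
    return
}

if ($Remove) {
    # sc.exe works for driver services too; a running driver is marked for
    # deletion and disappears after it stops or the host reboots.
    & sc.exe delete $ServiceName | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "Deleted '$ServiceName'." }
    else { Write-Warning "sc delete failed with exit code $LASTEXITCODE." }
} else {
    Write-Host "Dry run only; re-run with -Remove to delete the service."
}
```

Without -Remove the script only reports what it found, so it can be used to confirm the diagnosis before changing anything.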

Hi Ben,

Thank you so much for your prompt response. Your solution worked like a charm. After deleting the ElasticElamDriver and restarting the Elastic Agent, I was able to successfully deploy the Endpoint, and the agent changed to the Healthy state.

Thank you :smile: :v:
