Failed to deploy Endpoint on Windows Server 2008 R2 Standard

Hi,

Notes:
Running ELK 7.11.2 Standalone
OS Windows Server 2008 R2 Standard

I am deploying the Elastic Endpoint on several servers. On servers running OS Windows Server 2012 R2 Datacenter and Windows Server 2019 Datacenter, the deployment of the Elastic-Agent and Elastic Endpoint runs fine, without issues.

On the other hand, on servers with OS Windows Server 2008 R2 Standard I can deploy the Elastic-Agent, start its service and confirm it's checking with ELK node, but it is failing to deploy the Elastic Endpoint. Agent shows status "Unhealthy" and message shows "FAILED: operation 'Exec' failed: ", but no logs are being uploaded so I can check them in Fleet/Agents/Agent/Logs.

I went to check the logs in the server and found many error lines. Please check the link below and help me to fix this issue.

The first 120 lines of logs are here.

Thank you in advance

Hi @ManuelF

Thanks for the logs. It looks like you're using a 7.11.2 Elastic Agent. If you upgrade to a 7.12 Elastic Agent when this issue happens you should see additional logging from Endpoint as it tries to install. Would it be possible for you to try that?

Are you by chance running a 32bit version of Agent on a 64bit Windows machine? If so, that will prevent Endpoint from being able to be installed.

Hi @ferullo,

Thank you for taking care of my issue. Unfortunately upgrading to ELK 7.12 it is not an option for now.

Regarding the Endpoint Security installer, the one used was elastic-agent-7.11.2-windows-x86_64, but I will double check the OS running on those servers as soon as I can get access.

Meanwhile, is there anything else I can try to move forward with the deployment?

Thank you

You can try installing Endpoint manually to see logs from when it tries to install.

From within an unzipped Elastic Agent download, enter the downloads directory

cd data\elastic-agent-1d9cce\downloads

Unzip Elastic Endpoint

unzip endpoint-security-7.11.2-windows-x86_64.zip

Install Endpoint manually to see the install logs. Make sure to do this from an Administrator prompt. If you can't resolve your issue from looking at those logs, please share them so we can help diagnose your issue.

endpoint-security-7.11.2-windows-x86_64\endpoint-security.exe install --resources endpoint-security-7.11.2-windows-x86_64\endpoint-security-resources.zip --log stdout --log-level debug

Make sure to uninstall Endpoint after, running Endpoint without Agent is not supported.

endpoint-security-7.11.2-windows-x86_64\endpoint-security.exe uninstall --log stdout --log-level debug

Hi @ferullo,

I will try the steps provided. Thank you for the step by step tutorial. I was not aware that there was a way to manually install just the Endpoint Security. As exposed before, the Elastic-Agent was successfully installed, the related service is running and the agent is reporting to Fleet. The only thing failing is the Endpoint installation.

I have a couple of questions:

  1. If the Elastic-Agent was successfully deployed, doesn't this mean that the x86_64 version was the right one, according to the OS and then also the Endpoint Security should have been installed without problems, or does the Endpoint installer work differently? I'll try the 32bits installer version anyway.
  2. According to the logs, the Elastic-Agent seems to retry the Endpoint installation every few seconds. Should I stop the Elastic-Agent service before trying manual Endpoint installation, or it does not matter?

Thank you

Hi @ferullo,

I tried to run the manual installation of the Endpoint, but got the error below:

PS C:\Program Files\Elastic\Agent\data\elastic-agent-1d9cce\install\endpoint-security-7.11.2-windows-x86_64> .\endpoint-
security.exe install --resources endpoint-security-7.11.2-windows-x86_6\endpoint-security-resources.zip --log stdout --l
og-level debug
Program 'endpoint-security.exe' failed to execute: Windows cannot verify the digital signature for this file. A recent
hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicio
us software from an unknown source
At line:1 char:24
+ .\endpoint-security.exe <<<<  install --resources endpoint-security-7.11.2-windows-x86_6\endpoint-security-resources.
zip --log stdout --log-level debug.
At line:1 char:1
+  <<<< .\endpoint-security.exe install --resources endpoint-security-7.11.2-windows-x86_6\endpoint-security-resources.
zip --log stdout --log-level debug
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

I have been researching and in order to fix this error, it looks like the “ driver signature enforcement ” must be disabled, involving a server reboot. The servers cannot be rebooted at this time.

Any ideas/workarounds you can share?

Hi @ManuelF. endpoint-security.exe is compiled with /INTEGRITYCHECK, which forces Windows to verify its digital signature upon load. It's signed with SHA256 because Microsoft has deprecated SHA1. If your machine is unable to verify the signature of endpoint-security.exe, then you likely need to apply some Windows Updates. See this Microsoft document for more information.

Hi @gabriel.landau and thank you for joining efforts. I have been researching on my own and I have arrived to the same conclusion. That server may be missing some security updates. Now that you confirmed the installer is digitally signed, I'm pretty sure we are missing updates. I will take care of that as soon as possible this week and then I'll try Endpoint deployment again.

I'll keep you posted.

Thank you

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.