microsoft / mdefordownlevelserver

Install script hangs with no log output on Server 2016

PeteT42 opened this issue · comments

Hi,
Am having real issues getting the script to run on Server 2016. Have followed the guidance to deploy via GPO, with the following arguments for the scheduled task that invokes powershell:

-ExecutionPolicy RemoteSigned -file "[UNCPath]\install.ps1" -Passive -OnboardingScript "[UNCPath]\windowsdefenderatponboardingscript.cmd"

The UNC path uses the server's fqdn as advised; and Install.ps1, m34ws.msi and the WindowsDefenderATPOnboardingScript.cmd file are all in the same directory.
I've granted modify rights on the folder to an AD security group containing the servers concerned.
I can see that the scheduled task is created on the server, but it just sits in a 'running' state and doesn't complete.
No log file is generated, so I have nothing to go on to indicate why it's failing.

I've tried disabling UAC on the server, and running powershell in 'bypass' mode instead of remotesigned.
I've also tried disabling logging using the NoETL and NoMSILog switches.

If I manually install the msi, and then run the onboarding script from the UNC path it works fine - so I'm pretty sure that it's the powershell script that's getting stuck.
Have attached a screengrab of the final event in the powershell log. After that it just sits there.

All help much appreciated,

Pete
[Screengrab: Last Powershell event]

FYI, after much investigation I discovered that the script was failing for two reasons:

  1. It was unable to download the updateplatform.exe file from https://go.microsoft.com/fwlink/?linkid=870379&arch=x64
  2. It was prompting to allow an 'untrusted' script to run, due to the fact that the certificate provided as part of the package is only the cert authority used to sign the code signing certificate, not the actual code signing certificate itself.

I've managed to resolve this by doing the following:

  1. Save a copy of the UpdatePlatform.exe to the same folder the script runs from (from https://go.microsoft.com/fwlink/?linkid=870379&arch=x64)

  2. Roll out the actual code signing cert to all 2012/2016 servers. This can be done as follows:

  • Right click install.ps1 and select the Digital Signatures tab
  • Click Details > View Certificate > Install Certificate, and install it to the Personal store in your local computer store.
  • Open the local computer certificate store (via mmc snap-in). Then find, right-click and export the certificate, accepting the defaults.
    This gives you a copy of the actual certificate used to sign the script.
  • Push out the certificate (alongside the provided interCA.cer) to all 2012/2016 servers via Computer GPO, under Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers

The script now runs without getting stuck; installing MDE, setting it to passive mode, and onboarding as designed. It also produces the expected log files etc.

Hope this helps someone else! :o]
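The two symptoms above (a scheduled task stuck in 'running' with no log, and the untrusted-publisher prompt caused by only the intermediate CA being distributed) can both be checked before rolling anything out via GPO. The following PowerShell is an added example, not code from the issue or from the mdefordownlevelserver project: it reads the Authenticode signature on install.ps1, reports whether the leaf signing certificate is already in the local machine's Trusted Publishers store (a valid signature without that entry is what triggers the interactive prompt a non-interactive task can never answer), exports that leaf certificate to a .cer file for distribution alongside interCA.cer, and confirms that an offline copy of UpdatePlatform.exe sits next to the script. The UNC paths are placeholders; replace them with the real share.

```powershell
# Added example (not part of the original issue or project).
# Diagnose why a signed install.ps1 prompts when run from a UNC path, and export the
# leaf code-signing certificate for distribution to Trusted Publishers.
param(
    # Placeholder paths: substitute the real share used by the GPO scheduled task.
    [string]$ScriptPath = '\\fileserver.corp.example\mde$\install.ps1',
    [string]$ExportPath = '\\fileserver.corp.example\mde$\mde-signer.cer'
)

# Read the Authenticode signature block embedded in the script.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
Write-Host "Signature status : $($sig.Status)"
Write-Host "Status message   : $($sig.StatusMessage)"

if ($null -eq $sig.SignerCertificate) {
    Write-Warning "No Authenticode signature found on $ScriptPath."
    return
}

$leaf = $sig.SignerCertificate
Write-Host "Signer subject   : $($leaf.Subject)"
Write-Host "Signer thumbprint: $($leaf.Thumbprint)"

# RemoteSigned/AllSigned accept a valid signature silently only when the *leaf*
# certificate (not just its issuing CA) is in Trusted Publishers; otherwise
# PowerShell asks "Do you want to run software from this untrusted publisher?",
# which a scheduled task cannot answer, so the task stays in 'Running'.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }

if ($sig.Status -eq 'Valid' -and -not $trusted) {
    Write-Warning "Leaf signing certificate is not in LocalMachine\TrustedPublisher; PowerShell will prompt."
}

# Export the public leaf certificate (DER .cer, no private key) so it can be
# pushed out with interCA.cer under Public Key Policies > Trusted Publishers.
Export-Certificate -Cert $leaf -FilePath $ExportPath -Type CERT | Out-Null
Write-Host "Exported leaf certificate to $ExportPath"

# The script also needs UpdatePlatform.exe; confirm the offline copy is beside it
# so no download from go.microsoft.com is attempted on servers without egress.
$updater = Join-Path (Split-Path -Parent $ScriptPath) 'UpdatePlatform.exe'
if (-not (Test-Path $updater)) {
    Write-Warning "UpdatePlatform.exe not found next to install.ps1; the script will try to download it."
}
```

To test the fix on a single server before the GPO change, the exported file can be imported locally with `Import-Certificate -FilePath <path>.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher`, after which re-running the check above should report the thumbprint as trusted and the scheduled task should complete and write its log.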