After attempting to protect an endpoint computer with Sophos Endpoint Security and Control from the central console the deployment failed.
There are several error codes that can be shown in the console (errors covered in separate articles are linked in the table below).
There are several error messages that can follow the error code. Example:
Could not start installation program on the computer. The network path was not found.
The installation did not start. The computer may have been shut down, renamed or disconnected, or a required service may not be running. It may be running Windows XP Home or Windows Vista, or Windows 2008.
The installation could not be started. The computer may need additional configuration before installation.
The installation could not be started: Access is denied. The computer may need additional configuration before installation. See knowledgebase article 29287.
The installation could not be started: The network name cannot be found.
First seen in
Sophos Enterprise Manager 4.7.0
Sophos Control Center 4.0.0
Enterprise Console 4.0.0
The common causes of these deployment errors are:
- The endpoint computer is switched off or not currently joined to the network.
- The operating system of the remote computer is not supported.
- There is a firewall blocking the installation process.
- A required endpoint service (Task Scheduler, Remote Registry, Windows Installer) is not started or able to start.
- The central share cannot be accessed.
- There is a mismatch in DNS where a new DHCP address is registered against the old name and the forward zone cannot update the record.
What To Do
Note: The table at the beginning of this article that lists the error codes have links to other articles detailing specific troubleshooting steps. Follow the steps in those articles (where available). Otherwise follow the steps below.
Use the following checklist to ensure you can deploy endpoint software to the computer successfully:
- The computer is switched on and connected to the network.
Check you can ping the endpoint computer by its name from the console computer and ensure the IP address is correct. This step is important for computers that may disappear from the network quickly (i.e., laptops). Also, if the ping fails it can show that the Windows firewall has not been re-configured to allow deployment.
Note: You will not be able to ping a computer that is connected to the network if the Windows firewall is blocking echo requests. See article 117837 for further details on allowing ping requests to be returned.
- The operating system of the computer is supported.
You cannot deploy to Macs, Linux/UNIX computers or Windows 9x. Make sure the endpoint computer is running Windows 2000/XP/Vista/7/8/2003/2003 R2/2008/2008 R2/2011/2012 with the latest service pack where available.
- The following services on the endpoint computer can all be started:
- Task Scheduler
- Remote Registry (must remain started and be set to automatic). Note: This endpoint service is only required to be configured for Enterprise Console 5.0 and lower, Enterprise Manager and Sophos Control Center.
- Windows Installer
- If you have Enterprise Console 5.0 or lower installed, Enterprise Manager, or Sophos Control Center ensure User Account Control (UAC) is disabled during the deployment. Note: Enterprise Console 5.1 or higher does not require UAC to be disabled.
- Check on the server that the C:\ProgramData\Sophos\Update Manager\Update Manager folder (default location) is shared and the group 'Everyone' has read access. From the endpoint computer attempt to open the central share in Windows Explorer (Start | Run | Type:
If, for example, the share has only 'administrators' with read access and you push out from the console you may see a permanent ('stuck') orange arrow (pointing down) next to the computer in the console. If you check the endpoint's ALC.log file you may find an error that is caused by the updating account (set in the Updating policy) failing to access the distribution point.
- Refresh the DNS settings on the computer (i.e., from a command prompt run:
- Ensure that the previous steps to create a GPO (for domains) or setting up a computer locally (for workgroups) have not been missed out. Read the configuration instructions in the Sophos endpoint deployment guide and ensure you understand all steps and have correctly followed them.
Note: To understand how the console protects a computer (useful when troubleshooting) see article 12455.
Watch the videos showing how to create Group Policy Objects to allow remote installation
After changing the computer settings with a GPO and then protecting that computer from the console it is important to allow time for the computer to apply the settings. The endpoint computer may require a reboot to reconfigure itself or you can run
gpupdate /force from a run box/command prompt to speed up the process.
Ensure the newly-created GPO(s) is linked and enabled in the Group Policy Management Console on the server (click Start | Run | Type:
gpmc.msc | Press return)...
On the endpoint computer use the 'Resultant Set of Policy' window (Start | Run | Type:
rsop.msc | Press return) to confirm the changes you made central for the Windows services have been implemented on the endpoint...
...and the Windows firewall has been configured to allow creation of the remote scheduled task...