'Sophos Enterprise Console 5.1.0 Installation Failed' message - During an upgrade from 5.0 to 5.1

  • ID dell'articolo: 117710
  • Valutazione:
  • 5 di clienti ha valutato questo articolo 3.2 su 6
  • Aggiornato il: 08 lug 2014


Upgrade from Enterprise Console 5.0 to Enterprise Console 5.1 fails with the message:

Sophos Enterprise Console 5.1.0 Installation Failed

A red warning circle with a white cross is displayed with no text to the right as shown in this screenshot (click for larger image):


The Sophos bootstrap log (\ProgramData\Sophos\Management Installer\) contains the following message:

[Date Time], INFO : Could not get database account information from previous version. Database Page will be displayed

and later on the following text is logged:

[Date Time], INFO : About to install Server[32|64].msi
[Date Time], INFO : Processing INSTALLMESSAGE_TERMINATE message from MSI
[Date Time], INFO : Installation of Server[32|64].msi failed with error code: 1603
[Date Time], INFO : Ended installing Server[32|64].msi
[Date Time], INFO : Installation of Management Server failed with error code: 1603

The MSI log of the Server[32|64].msi contains the following error messages:

MessageQueuingExecuteUninstall: Error 0x80070032: Domain SIDs not supported
MessageQueuingExecuteUninstall: Error 0x80070032: Failed to get SID for account name
MessageQueuingExecuteUninstall: Error 0x80070032: Failed to remove message queue permission
MessageQueuingExecuteUninstall: Error 0x80070032: Failed to remove message queue permissions
CustomAction MessageQueuingExecuteUninstall returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

This results in the following components installed as visible in 'Add or Remove Programs' or 'Programs and Features':
  • Sophos Management Database (5.1)
  • Sophos Management Server (5.0)
  • Sophos Management Console (5.0)
Enterprise Console 5.0 is still operational as previous Sophos databases (as listed in article 17323), in this case SOPHOS50 and SOPHOSPATCH are not dropped (deleted).

First seen in
Enterprise Console 5.1.0


Manual modification of the Enterprise Console 5.0 install to remove/clear the database user registry account details.

See 'Technical details' section below for more information.

What To Do

  1. Close any open consoles.

  2. Add the missing database registry keys back to the installation.  
    To do so launch Regedit.exe and navigate to:
    HKLM\SOFTWARE\[Wow6432node]\Sophos\EE\Management Tools\DatabaseUser The keys that will need to be populated correctly are as follows:
    • DatabaseUserDomain  (REG_SZ)
    • DatabaseUserName   (REG_SZ)
    • DatabaseUserPassword   (REG_SZ)
    • UseClearText  (REG_DWORD)

    The DatabaseUserDomain value should be the short NetBIOS form of the context of the database account. Article 113954 has more information on the accounts requested during installation.  For example, if the database account is a domain account, it should be the short NetBIOS form of the domain name. If the database account is a local account, then it should contain the NetBIOS form of the computer name. E.g. Domain1.

    The DatabaseUserName value should be the unqualified form of the Windows account name, E.g. SophosManagement.  It is important that this is the same account that was used during the installation of Enterprise Console 5.0.

    Tip: The following locations can be checked to confirm the correct account. They should all be the same account.
    • The account the 'Sophos Management Host' service is running as.
    • The account all Sophos Patch services run as.
    • The account listed in the permissions within MSMQ for the following queues: 'sophospatch_report' and 'sophospatch_reportreprocess'.
    • The account the Sophos patch scheduled tasks run as, namely 'Sophos Patch Feed' and 'Sophos Patch Purge'.
    The DatabaseUserPassword value should be the obfuscated form of the password for the Windows database account. In order to generate an obfuscated password, you need to use the command line tool ObfuscationUtil.exe. ObfuscationUtil.exe can be found under the directory: 'C:\sec_5x\Tools\'.

    Note: Before running the tool, it should be copied to the 'Enterprise Console' directory under Program files. For example: C:\Program Files\Sophos\Enterprise Console\ObfuscationUtil.exe.

    To obfuscate a clear text password an example is below:
    ObfuscationUtil.exe -w --obfuscate clearpass
    an obfuscated string will be displayed. This should be copied into the DatabaseUserPassword registry key.

    UseClearText should be a 0 as the value in DatabaseUserPassword is obfuscated.

  3. Once the registry keys are restored, the 'Sophos Management Service' service should be restarted to ensure it is still able to start.  If this fails, consult article 111898 for details on how to troubleshoot the service failure.

    Note: The above steps will ensure that the uninstall of Enterprise Console 5.0 can be completed successfully as part of any upgrade or uninstall.

From the current state of the installation you have two options:

  1. To upgrade to Enterprise Console version 5.1 see article: 117746.  This is the recommended approach as it carries less risk, due to the existing SOPHOS50 database being retained at all times.
  2. To revert to a working Enterprise Console version 5.0 installation continue with the steps below.  This requires the SOPHOS50 database to be backed up and then restored.

The following steps should be followed to revert back to a working Enterprise Console 5.0:

  1. From 'Add or Remove Programs' or 'Programs and Features', remove version 5.1 of the 'Sophos Management Database' component. 
    Note: This leaves the SOPHOS50 and SOPHOSPATCH databases attached.

  2. Stop the following services:
    • Sophos Message Router
    • Sophos Management Service
    • Sophos Patch Server Communicator

  3. Take a backup of the SOPHOS50 and SOPHOSPATCH databases. To do so run:
    C:\Program Files\Sophos\Enterprise Console\DataBackupRestore.exe -action=backup -subsystem=All -datasourcetype=Database
    You should see a 'Succeeded' message after each database is backed up and a final 'Build Succeeded.' message.
    Note: For more information on DatabackupRestore such as where the databases are backed up to, see article: 114299.

    Important: The following steps will drop (delete) your SOPHOS50 database, it is vital that you confirm the databases were backed up successfully during this step before continuing.  If you have any doubt, please consult with Sophos support before continuing.

  4. Run the Enterprise Console 5.0 installer from:
    Complete a 'modify' adding the 'Database' component when requested.
    With the Sophos management Service stopped, the installer will be able to drop (delete) and create a new SOPHOS50 database.

    Once the installer has completed un-tick 'Start Sophos Enterprise Console' and close the installer by clicking 'Finish'. 

  5. Restore the previously backed up databases by running the command:
    C:\Program Files\Sophos\Enterprise Console\DataBackupRestore.exe -action=restore -subsystem=All -datasourcetype=Database

  6. Ensure that the following Sophos service are started:
    • Sophos Management Host
    • Sophos Patch Server Communicator
    • Sophos Patch Endpoint Orchestrator
    • Sophos Patch Endpoint Communicator

    If they fail to start due to a log-on failure, re-enter the password for the 'database' account in the "Log On" tab of each service. 

  7. Launch Enterprise Console to ensure previous data is available. You have repaired the SEC 5.0 installation in preparation for upgrading to Enterprise Console 5.1.

Technical details

The registry key: HKLM\SOFTWARE\[Wow6432Node]\Sophos\EE\Management Tools\DatabaseUser, contains account information the 'Sophos Management Service' service uses to connect to the Sophos database.  This key should contain the database account details chosen during installation.  Article 113954 has more information on the accounts requested during installation.

During the upgrade to Enterprise Console 5.1 the installer attempts to read the account information back from these keys.  If it fails to obtain the values it displays the database account page for the user to confirm the SQL Server instance and account information.

: This 'database' screen of the installer is not shown during an 'upgrade' workflow and is therefore indicative of the problem.

The upgrade proceeds, however the account information is not available during the uninstall of Enterprise Console 5.0 which leads to the failure.


Per maggiori informazioni o per assistenza, vi preghiamo di contattare il supporto tecnico.

Valutate l'articolo

Molto scadente Eccellente