We are installing a forwarder to new workstations using the command below;

*msiexec /i "splunkforwarder-7.0.0-c8a78efdd40f-x64-release.msi" /qn /l*v %windir%\temp\INSTALL_Splunk.log AGREETOLICENSE=Yes LOGON_USERNAME="domain\Splunk" LOGON_PASSWORD="mypassword" DEPLOYMENT_SERVER="192.168.0.1:8089" WINEVENTLOG_APP_ENABLE=1  WINEVENTLOG_SYS_ENABLE=1 SPLUNKPASSWORD=splunkpassword*

• I can make this command line work correctly using cmd and PowerShell on my own local machine, however
• when using SCCM to push out it appears to act like, it has no permissions. it appears to hang while doing something in the registry. This will apparently need to use "system" account, but following the flags on docs.splunk webpage (http://docs.splunk.com/Documentation/Forwarder/7.1.1/Forwarder/InstallaWindowsuniversalforwarderfrom...) shows that the username/login is needed.

The error message in msi log is like below;

*MSI (s) (50:5C) [12:54:19:999]: Executing op: CustomActionSchedule(Action=RollbackGroupAndRightsFromReg,ActionType=3329,Source=BinaryData,Target=RemoveGroupAndRightsFromRegCA,CustomActionData=SplunkSvcName=SplunkForwarder;FailCA=)
MSI (s) (50:5C) [12:54:19:999]: Executing op: ActionStart(Name=SaveGroupAndRightsToRegistry,,)
MSI (s) (50:5C) [12:54:19:999]: Executing op: CustomActionSchedule(Action=SaveGroupAndRightsToRegistry,ActionType=3073,Source=BinaryData,Target=SaveGroupAndRightsToRegistryCA,CustomActionData=SplunkSvcName=SplunkForwarder;UserName=ODOT\SplunkUF;SetAdminUser=1;FailCA=)
MSI (s) (50:20) [12:54:19:999]: Invoking remote custom action. DLL: C:\windows\Installer\MSI6294.tmp, Entrypoint: SaveGroupAndRightsToRegistryCA
SaveGroupAndRightsToRegistry: Warning: Invalid property ignored: FailCA=.
SaveGroupAndRightsToRegistry: Error: cannot SaveGroupAndRightsToRegistry.
SaveGroupAndRightsToRegistry: Error 0x80004005: Cannot save rights to registry.
CustomAction SaveGroupAndRightsToRegistry returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)*