PowerShell Universal Forwarder installation not working?

jmancyber
Explorer

I'm trying to test the installation of a UF on my Windows device for later deployment for work, but the script just doesn't seem to take into account the flags I specify.

msiexec.exe /i "splunkforwarder.msi" AGREETOLICENSE=yes SPLUNKUSERNAME=Admin SPLUNKPASSWORD=Password /qn

If I take out the /qn it will just open the normal UF install wizard.

I'm not sure what's going on. I feel as though everything is correct.

0 Karma

jho-splunk
Splunk Employee

Hi @jmancyber,

Have you tried enabling logging (something like: /l*vx msiexec.log)? Does it acknowledge those parameters as being set? What's the last thing it does just before it fails (search for "return value 3")?

Cheers,

- Jo.

0 Karma

jmancyber
Explorer

Hey @jho-splunk,

I enabled logging and saw there was an error with my password complexity and that I needed to run as admin. Upon doing so, it still doesn't seem to work.

jmancyber_0-1685020996773.png

0 Karma

jho-splunk
Splunk Employee

Hi @jmancyber,

Oh dear. Is this an upgrade? Does this file exist: C:\IntunePacker\SourceSplunk\splunkforwarder.msi?

Cheers,

- Jo.

0 Karma

jmancyber
Explorer

Oh nope, it's a completely fresh install, just testing for future deployment, and that was the folder I have it in. The MSI is a file straight off of the Splunk download page and I am running straight from file the MSI is found in.

0 Karma

jho-splunk
Splunk Employee

Hi @jmancyber,

Well, it looks like msiexec.exe doesn't think it exists. Are you maybe assuming something about the current working directory that may not be true?

Cheers,

- Jo.

0 Karma

jmancyber
Explorer

Hey @jho-splunk,

Apologies for the late response, got caught up in work. I figured out that the file I had been trying to run was being automatically protected, which was fixed by simply going into the properties and unchecking a box. From there everything was fixed. I appreciate the help, as the info found from looking into the logs helped tremendously with weeding out the other issues!

Thank you,

-J

0 Karma

jho-splunk
Splunk Employee

Hey @jmancyber,

Oh, that's a great find. Thanks for reporting back, it's always helpful!

Cheers,

- Jo.

0 Karma
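
The troubleshooting steps from this thread (absolute path to the MSI, elevated shell, verbose logging, then searching the log) combined into one PowerShell script, as an added example that is not part of the original posts and not Splunk's own tooling. The thread does not say which Properties checkbox was cleared, so the two file-level checks (the Encrypted attribute and the Zone.Identifier stream) are assumptions, as are the log location and the Get-Credential prompt.

```powershell
# Added example: pre-flight checks plus a logged silent install of the UF MSI.
$ErrorActionPreference = 'Stop'
# Absolute path, so nothing depends on msiexec's working directory.
$msi = (Resolve-Path '.\splunkforwarder.msi').Path
$log = Join-Path $env:TEMP 'splunkforwarder-msiexec.log'   # assumed log location

# /qn suppresses all UI, so msiexec cannot prompt for elevation: fail early instead.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Assumption: report two file-level protections that are toggled from the Properties dialog.
$file = Get-Item -LiteralPath $msi
if ($file.Attributes -band [IO.FileAttributes]::Encrypted) {
    Write-Warning "$msi is encrypted; the Windows Installer service may be unable to read it."
}
if (Get-Item -LiteralPath $msi -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue) {
    Write-Warning "$msi carries a Zone.Identifier stream; Unblock-File removes it."
}

# Prompt for the forwarder admin credential instead of hard-coding it in the script.
$cred = Get-Credential -Message 'Splunk forwarder admin account'
$msiArgs = @(
    '/i', "`"$msi`"",
    'AGREETOLICENSE=yes',
    "SPLUNKUSERNAME=$($cred.UserName)",
    "SPLUNKPASSWORD=`"$($cred.GetNetworkCredential().Password)`"",
    '/qn', '/l*vx', "`"$log`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
"msiexec exit code: $($proc.ExitCode)"

# On failure (3010 only means a reboot is required), pull out the log lines
# that mattered in this thread: the failing action, the 1309 source-file note
# and the engine's return code.
if ($proc.ExitCode -notin 0, 3010) {
    Get-Content -LiteralPath $log |
        Select-String -Pattern 'return value 3', 'Note: 1: 1309', 'MainEngineThread is returning' |
        ForEach-Object { $_.Line }
}
```

In the logs posted in this thread, the `Note: 1: 1309 2: 5 3: <path>` line reports system error 5 (access denied) while opening the source MSI, and the engine then returns 110, "The system cannot open the device or file specified."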

jmancyber
Explorer

Hey @jho-splunk,

So upon looking at those logs I saw that I had to run as admin and my password complexity needed to be more robust. After fixing this it still doesn't seem to work and I get the following after the command runs (deleted most of the cached product context logs for character limit's sake):

=== Verbose logging started: 5/25/2023 9:15:43 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (C0:90) [09:15:43:676]: Resetting cached policy values
MSI (c) (C0:90) [09:15:43:676]: Machine policy value 'Debug' is 0
MSI (c) (C0:90) [09:15:43:676]: ******* RunEngine:
******* Product: splunkforwarder.msi
******* Action:
******* CommandLine: **********
MSI (c) (C0:90) [09:15:43:676]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (C0:90) [09:15:43:676]: Grabbed execution mutex.
MSI (c) (C0:90) [09:15:43:692]: Cloaking enabled.
MSI (c) (C0:90) [09:15:43:692]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (C0:90) [09:15:43:692]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (1C:58) [09:15:43:692]: Running installation inside multi-package transaction C:\IntunePacker\SourceSplunk\splunkforwarder.msi
MSI (s) (1C:58) [09:15:43:692]: Grabbed execution mutex.
MSI (s) (1C:14) [09:15:43:692]: Resetting cached policy values
MSI (s) (1C:14) [09:15:43:692]: Machine policy value 'Debug' is 0
MSI (s) (1C:14) [09:15:43:692]: ******* RunEngine:
******* Product: C:\IntunePacker\SourceSplunk\splunkforwarder.msi
******* Action:
******* CommandLine: **********
MSI (s) (1C:14) [09:15:43:708]: Using cached product context: machine assigned for product: F60730A4A66673047777F5728467D401
MSI (s) (1C:14) [09:15:43:708]: Setting cached product context: machine assigned for product: FC5DAE63FE44FCF4B81E9DC684537D4A
MSI (s) (1C:14) [09:15:43:708]: Using cached product context: machine assigned for product: FC5DAE63FE44FCF4B81E9DC684537D4A
MSI (s) (1C:14) [09:15:43:708]: Setting cached product context: machine assigned for product: FD59EB73A00F35141B2F80DB1735642E
MSI (s) (1C:14) [09:15:43:708]: Using cached product context: machine assigned for product: FD59EB73A00F35141B2F80DB1735642E
MSI (s) (1C:14) [09:15:43:708]: Setting cached product context: machine assigned for product: FE2CADEB2ABD52B458A7D73F58AF46E5
MSI (s) (1C:14) [09:15:43:708]: Using cached product context: machine assigned for product: FE2CADEB2ABD52B458A7D73F58AF46E5
MSI (s) (1C:14) [09:15:43:708]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (1C:14) [09:15:43:708]: SRSetRestorePoint skipped for this transaction.
MSI (s) (1C:14) [09:15:43:708]: Note: 1: 1309 2: 5 3: C:\IntunePacker\SourceSplunk\splunkforwarder.msi
MSI (s) (1C:14) [09:15:43:708]: MainEngineThread is returning 110
MSI (s) (1C:58) [09:15:43:723]: No System Restore sequence number for this installation.
The system cannot open the device or file specified.
MSI (s) (1C:58) [09:15:43:723]: User policy value 'DisableRollback' is 0
MSI (s) (1C:58) [09:15:43:723]: Machine policy value 'DisableRollback' is 0
MSI (s) (1C:58) [09:15:43:723]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (1C:58) [09:15:43:723]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (1C:58) [09:15:43:723]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (1C:58) [09:15:43:723]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (C0:90) [09:15:43:723]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (C0:90) [09:15:43:723]: MainEngineThread is returning 110
=== Verbose logging stopped: 5/25/2023 9:15:43 ===

0 Karma

jmancyber
Explorer

Hey @jho-splunk,

So as I was looking at the logs, I saw there was an error with password complexity and that I wasn't running from an admin PowerShell. Here is what I now get after the large block of "cached product context" logs:

MSI (s) (54:10) [19:15:44:938]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (54:10) [19:15:44:938]: SRSetRestorePoint skipped for this transaction.
MSI (s) (54:10) [19:15:44:947]: Note: 1: 1309 2: 5 3: C:\IntunePacker\SourceSplunk\splunkforwarder.msi
MSI (s) (54:10) [19:15:44:947]: MainEngineThread is returning 110
MSI (s) (54:20) [19:15:44:947]: No System Restore sequence number for this installation.
The system cannot open the device or file specified.
MSI (s) (54:20) [19:15:44:947]: User policy value 'DisableRollback' is 0
MSI (s) (54:20) [19:15:44:947]: Machine policy value 'DisableRollback' is 0
MSI (s) (54:20) [19:15:44:947]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (54:20) [19:15:44:947]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (54:20) [19:15:44:947]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (54:20) [19:15:44:947]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (4C:6C) [19:15:44:947]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (4C:6C) [19:15:44:947]: MainEngineThread is returning 110
=== Verbose logging stopped: 5/24/2023 19:15:44 ===

0 Karma