Re: Updating Windows UF to 9.2.0.1 via SCCM - 1603...

whar_garbl · ‎03-18-2024

As title. I'm updating to UF 9.2.0.1 via SCCM, but a subset of targets are failing to install the update with the dreaded 1603 return code. The behavior is the same whether or not I run the msi as SYSTEM (i.e., via USE_LOCAL_SYSTEM) or not. All the existing forwarders being updated are newer - 8.2+, but mostly 9.1.x.

Oddly, if I manually run the same msiexec string with a DA account on the local system, the update usually succeeds. It's baking my noodle why it will work one way but not another. I have msiexec debug logging set up, but it's not giving me anything obvious to work with.

I can also usually get it to install if I uninstall the UF and gut the registry of all vestiges of UF, but that's not something I want to do on this many systems.

I've read a bunch of other threads with 1603 errors but none of them have been my issue, as far as I can tell.

Any ideas as to what the deal is?

jho-splunk · ‎08-29-2024

Hi @nmohammed and @goelshruti119 ,

Please see the following reply for instructions on how to troubleshoot: https://community.splunk.com/t5/Installation/Install-issue-on-Server-2016/m-p/540173/highlight/true#...

Cheers,

- Jo.

nmohammed · ‎08-21-2024

What does you msiexec command look like that you're using to install the Splunk UF ?

goelshruti119 · ‎08-21-2024

Were you able to get a solution for this as we are also facing the same issue with multiple builds.

Updating Windows UF to 9.2.0.1 via SCCM - 1603 errors

universal forwarder

upgrade

Windows

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation