"The WSS Agent Setup Wizard ended prematurely" error when installing and/or uninstalling WSS Agent

Article ID: 210484

Products

Web Security Service - WSS

Issue/Introduction

Cannot install WSS Agent successfully on Windows machines

When installing with the Windows installer GUI for WSS Agent, users see the message "The WSS Agent Setup Wizard ended prematurely".

Cause

Beginning in WSSA 7.1.1, the WSS Agent uses functionality within Advanced Installer to sign its inline PowerShell scripts. The operating system automatically checks the signature against the list of allowed certificates in the Trusted Publishers certificate store. If the machine enforces an execution policy that requires signed PowerShell scripts, signature validation fails unless the Broadcom Inc code signing certificate has been imported into that store.

Microsoft allows an administrator to require all PowerShell and other scripts to be signed and trusted prior to execution. See https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies for details. This policy causes problems for WSS Agent installation and uninstallation because both rely on PowerShell scripts.

There are two or three instances (depending on Windows WSS Agent version) where PowerShell scripts are used within the installation to properly install and uninstall the agent.

1. A PowerShell script ("Installation Support Check") checks whether the user is installing WSS Agent on a supported platform.
2. A PowerShell script ("Uninstall Token Prompt") prompts the user for the uninstall token if one is set and they are uninstalling from the Control Panel.
3. In version 7.2.1 and later, PowerShell is used to cleanly shut down the notifier process (and remove the icon from the system tray).

Environment

Windows WSS Agent

Windows PowerShell scripts executed during installation

Resolution

Import the attached signing certificate (from broadcom-inc-wssa-signing-cert.zip) into the "Trusted Publishers" certificate store.
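One way to perform this import from an elevated PowerShell prompt, inspecting the certificate before it is trusted. This is an added example, not Broadcom's own script. Assumptions: the file paths, that the archive contains a single .cer file, the choice of the machine-wide (LocalMachine) store, and a thumbprint placeholder to be replaced with a value confirmed with the vendor out of band.

```powershell
# Added example (not vendor code). Paths, the single-.cer layout of the zip and the
# LocalMachine store scope are assumptions; the thumbprint is a placeholder.
$ZipPath            = 'C:\Temp\broadcom-inc-wssa-signing-cert.zip'   # assumed location
$ExtractDir         = 'C:\Temp\wssa-cert'                            # assumed location
$ExpectedThumbprint = '<THUMBPRINT-CONFIRMED-OUT-OF-BAND>'           # placeholder

# 1. Show which scope sets the execution policy. AllSigned requires every script
#    to be signed by a publisher the machine trusts.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Extract the archive and load the certificate without trusting it yet.
Expand-Archive -Path $ZipPath -DestinationPath $ExtractDir -Force
$cerFiles = @(Get-ChildItem -Path $ExtractDir -Recurse -Filter *.cer)
if ($cerFiles.Count -ne 1) {
    throw "Expected exactly one .cer file, found $($cerFiles.Count)."
}
$cerPath = $cerFiles[0].FullName
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

# 3. Review what is about to be trusted and refuse anything unexpected.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint). Not importing."
}

# 4. Import into Trusted Publishers (the store's internal name is TrustedPublisher).
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 5. Confirm the certificate is now present in the store.
$found = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) {
    throw 'Certificate not found in Cert:\LocalMachine\TrustedPublisher after import.'
}
"Imported into Trusted Publishers: $($found.Subject)"
```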

 

Additional Information

When troubleshooting installation issues, one can run the installer with the following parameters to generate an installation log.

c:\path\to\installer.msi /L*V \path\to\output.log

In the above failing case, the failure to import the signing certificate will result in the installer ending prematurely, and an installation log with the following entry:

--> PowerShell Script Execution log:
AuthorizationManager check failed.
    + CategoryInfo          : SecurityError: (:) , ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
MSI (c) (6C:8C) [14:55:11:709]: PROPERTY CHANGE: Adding POWERSHELL_EXECUTION_LOG property. Its value is 'AuthorizationManager check failed.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess'.

The key indicator for this scenario is the lack of the message "You cannot run this script on the current system". The script is trying to run, but is not authorized because the certificate is not imported into the Trusted Publishers certificate store.

Attachments

1615806869258__broadcom-inc-wssa-signing-cert.zip