"The WSS Agent Setup Wizard ended prematurely" error when installing and/or uninstalling WSS Agent

Article ID: 210484


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

WSS Agent cannot be installed successfully on Windows machines.

When installing WSS Agent with the Windows installer GUI, users see the following message:

 

 

 

Environment

Windows WSS Agent

Windows PowerShell scripts executed during installation

Cause

Beginning in WSSA 7.1.1, the WSS Agent uses functionality within Advanced Installer to sign its inline PowerShell scripts. The operating system automatically checks the signature against the list of allowed certificates in the Trusted Publishers certificate store. If the machine enforces a PowerShell execution policy that requires signed scripts, signature validation fails unless the Broadcom Inc code signing certificate has been imported into that store.

 

Microsoft allows an administrator to require all PowerShell and other scripts to be signed and trusted prior to execution. See https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies for details. This policy causes problems for WSS Agent installation and uninstallation, because both use PowerShell scripts.

There are three or four instances (depending on Windows WSS Agent version) where PowerShell scripts are used within the installation to properly install and uninstall the agent.

1. We use the following PowerShell script to check whether the user is installing WSS Agent on a supported platform: Installation Support Check
2. We use the following PowerShell script to prompt the user for the uninstall token if one is set and they are uninstalling from the Control Panel: Uninstall Token Prompt
3. In versions 7.2.1 and 7.3.x, we use PowerShell to cleanly shut down the notifier process (and remove the icon from the system tray).
4. In version 7.4.1 and greater, PowerShell execution is no longer required to install WSS Agent. PowerShell is only required to prompt the user for an uninstall token (if one is set) when the user tries to uninstall from the Control Panel. If PowerShell is disabled on a machine that has an uninstall token, the dialog that prompts for the uninstall token will not be displayed when attempting to uninstall from the Control Panel. To provide the uninstall token to the uninstaller, you MUST uninstall via the command line.

 

Resolution

For versions up to 7.4.1, import the attached signing certificate (from broadcom-inc-wssa-signing-cert.zip) into the "Trusted Publishers" certificate store.

 

For versions 7.4.1 and greater, the following procedure outlines how to extract the code signing certificate: 

  • Right-click the installer and select Properties.
  • Go to "Digital Signatures" and click Details.
  • Click "View Certificate", then click "Install Certificate".
  • Install it into the user store, then export it in whatever format you prefer for distribution to other machines.
  • Apply it to all WSS Agent hosts running that version.

To have signed PowerShell scripts accepted, you must use the SAME certificate that the installer is signed with, even if that certificate has expired. As long as the file was signed while the certificate was valid, the signature is valid, and for the PowerShell execution policy to work, the trusted certificate must be the same one the installer is signed with.
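
The GUI steps above can also be scripted. The following PowerShell is an added example, not Broadcom's own tooling; the function name, the file paths and the choice of the machine-wide Trusted Publishers store are assumptions. It reads the signer certificate directly from the installer, reports whether that exact certificate (matched by thumbprint) is already trusted, exports it for distribution, and imports it on request.

```powershell
# Added example (not vendor code). Function name, paths and store scope are assumptions.
function Test-WssaPublisherTrust {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,             # e.g. C:\path\to\installer.msi
        [string] $ExportPath = "$env:TEMP\wssa-signing-cert.cer",   # .cer to distribute to other hosts
        [switch] $Import                                            # add to Trusted Publishers (run elevated)
    )

    # Effective policy for this session; AllSigned requires every script to be signed and trusted.
    $policy = Get-ExecutionPolicy

    # Read the Authenticode signature carried by the installer itself.
    $sig  = Get-AuthenticodeSignature -FilePath $InstallerPath
    $cert = $sig.SignerCertificate
    if (-not $cert) { throw "No Authenticode signer certificate found on '$InstallerPath'." }

    # Assumption: machine-wide store, so the check applies to every account on the host.
    $store   = 'Cert:\LocalMachine\TrustedPublisher'
    $trusted = [bool](Get-ChildItem -Path $store |
                      Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    # Export the public certificate only (DER .cer); no private key is involved.
    Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null

    if ($Import -and -not $trusted) {
        Import-Certificate -FilePath $ExportPath -CertStoreLocation $store | Out-Null
        $trusted = $true
    }

    # NotAfter is reported for reference: an expired certificate is still the one to trust,
    # as long as it is the certificate the installer was signed with.
    [pscustomobject]@{
        ExecutionPolicy     = $policy
        SignatureStatus     = $sig.Status
        Subject             = $cert.Subject
        Thumbprint          = $cert.Thumbprint
        NotAfter            = $cert.NotAfter
        InTrustedPublishers = $trusted
        ExportedTo          = $ExportPath
    }
}

# Report only:
#   Test-WssaPublisherTrust -InstallerPath 'C:\path\to\installer.msi'
# Report, then import if missing (elevated prompt):
#   Test-WssaPublisherTrust -InstallerPath 'C:\path\to\installer.msi' -Import
```

Compare the reported thumbprint against the certificate shown in the installer's "Digital Signatures" tab before distributing the exported file.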

 

Additional Information

When troubleshooting installation issues, one can run the installer with the following parameters to generate an installation log.

c:\path\to\installer.msi /L*V \path\to\output.log

In the above failing case, the failure to import the signing certificate will result in the installer ending prematurely, and an installation log with the following entry:

--> PowerShell Script Execution log:
AuthorizationManager check failed.
    + CategoryInfo          : SecurityError: (:) , ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
MSI (c) (6C:8C) [14:55:11:709]: PROPERTY CHANGE: Adding POWERSHELL_EXECUTION_LOG property. Its value is 'AuthorizationManager check failed.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess'.

The key indicator for this scenario is the lack of the message "You cannot run this script on the current system".  The script is trying to run, but is not authorized because the certificate is not imported into the Trusted Publishers certificate store.

 

Attachments

1615806869258__broadcom-inc-wssa-signing-cert.zip