Install/Upgrade of Endpoint Protection Manager with SQL Express database fails with PowerShell script cannot be loaded error
Article ID: 222073
Updated On:
Products
Issue/Introduction
Following message appears in Management server configuration wizard (MSCW) when upgrading/installing Symantec Endpoint Protection Manager (SEPM) 14.3 RU1 and above with SQL Express database:
Verify that the Windows Update service is running and click on Continue.
Scenario 1: During an upgrade, it failed with the below error:
ERROR : The SQL Server Express database installation failed. Failed to enable the database TCP Port.
From the install_log.err (\\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\install_log.err)
Aug 19, 2021 1:53:42 AM STDERR: Port 2638 is available.
Aug 19, 2021 1:55:55 AM STDERR: MainFrame> prepareDatabase>> Creating database failed. ErrorCode = 386727936. Error message is = Failed to enable database TCP port!
Aug 19, 2021 1:55:55 AM STDERR: com.sygate.scm.server.util.ServerException: Failed to enable database TCP port!
Aug 19, 2021 1:55:55 AM STDERR: at com.sygate.scm.server.db.util2.SQLExpressDbHelper.setInstanceTcpPort(SQLExpressDbHelper.java:670)
Aug 19, 2021 1:55:55 AM STDERR: at com.sygate.scm.server.db.util2.SQLExpressDbHelper.installSQLExpressEx(SQLExpressDbHelper.java:368)
Aug 19, 2021 1:55:55 AM STDERR: at com.sygate.scm.install.ui.MainFrame.createEmbeddedDB(MainFrame.java:7952)
Aug 19, 2021 1:55:55 AM STDERR: at com.sygate.scm.install.ui.MainFrame.prepareDatabase(MainFrame.java:7771)
Aug 19, 2021 1:55:55 AM STDERR: at com.sygate.scm.install.ui.MainFrame.configureDB(MainFrame.java:1269)
Aug 19, 2021 1:55:55 AM STDERR: at com.sygate.scm.install.ui.MainFrame.nextBtnActionPerformed(MainFrame.java:4902)
Aug 19, 2021 1:55:55 AM STDERR: at com.sygate.scm.install.ui.MainFrame$5$1.construct(MainFrame.java:4431)
Aug 19, 2021 1:55:55 AM STDERR: at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:151)
Aug 19, 2021 1:55:55 AM STDERR: at java.base/java.lang.Thread.run(Thread.java:834)
Aug 19, 2021 1:56:11 AM STDERR: com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host <HostName>, port 2638 has failed. Error: "Connection refused: connect. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.".
Aug 19, 2021 1:56:11 AM STDERR: at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:234)
Aug 19, 2021 1:56:11 AM STDERR: at com.microsoft.sqlserver.jdbc.SQLServerException.ConvertConnectExceptionToSQLServerException(SQLServerException.java:285)
Aug 19, 2021 1:56:11 AM STDERR: at com.microsoft.sqlserver.jdbc.SocketFinder.findSocket(IOBuffer.java:2462)
From ConfigurationWizard-0.log (\\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\install_log.err) match the time stamp:
Error Output:
2021-08-19 01:55:53.069 THREAD 42 WARNING: SQLExpressDbHelper>>uninstallSQLExpressByCommands, successfully deleted file: D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SymcInstanceUninstallCmd
2021-08-19 01:55:53.069 THREAD 42 WARNING: SQLExpressDbHelper>>uninstallSQLExpressByCommands, done! Cost(seconds)2
2021-08-19 01:55:53.069 THREAD 42 SEVERE: installSQLExpressEx -> InterruptedException, Failed to enable database TCP port!
2021-08-19 01:55:57.288 THREAD 42 INFO: getDatabaseConnectionWithNTLMv2Retry, jdbcURL: jdbc:sqlserver://<HostName>:2638;instanceName=SQLEXPRESSSYMC;integratedSecurity=false;encrypt=true;trustServerCertificate=true, user: DBA
2021-08-19 01:56:11.726 THREAD 42 SEVERE: exception retrieving connection
2021-08-19 01:56:11.726 THREAD 42 SEVERE: exception retrieving connection
-----------
Powershell script is run by the SEP installer and it cannot run due to limitations through GPO:
Error we can see in ConfigurationWizard-0.log is as follows:
2021-08-19 01:55:49.866 THREAD 42 WARNING: SQLExpressDbHelper>>executePowshellCommand processing:
args[0]: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
args[1]: -ExecutionPolicy
args[2]: Bypass
args[3]: -File
args[4]: C:\Users\SEPMADMINISTRATOR\AppData\Local\Temp\2\BD05C7C9C0A86B650040D14911A90725.ps1
2021-08-19 01:55:50.350 THREAD 42 WARNING: SQLExpressDbHelper>>executePowshellCommand processing result: 1
2021-08-19 01:55:50.350 THREAD 42 WARNING: DbUtil>>executePowshellCommand standard output:
Error Output:
File C:\Users\SEPMADMINISTRATOR\AppData\Local\Temp\2\BD05C7C9C0A86B650040D14911A90725.ps1 cannot be loaded. The file
C:\Users\SEPMADMINISTRATOR\AppData\Local\Temp\2\BD05C7C9C0A86B650040D14911A90725.ps1 is not digitally signed. You cannot run
this script on the current system. For more information about running scripts and setting execution policy, see
about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess
----------
Scenario 2: During a new install MSCW fails with an error (same as SEPM Installation issues with the SQL Server Express database):
The SQL Server Express database installation failed. Unknown SQL Server Express installation error!
Following error found in 'ConfigurationWizard-0.log':
Error Output:
File C:\Users\***\AppData\Local\Temp\34EAC79A6479154F1F970A2A72CC2684.ps1 cannot be loaded. The file
C:\Users\***\AppData\Local\Temp\34EAC79A6479154F1F970A2A72CC2684.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see
about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
+ CategoryInfo : SecurityError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnauthorizedAccess
Environment
SEPM 14.3 RU1 and above with SQL Express database
Cause
PowerShell is blocked.
Resolution
Scenario 1: Allowing the PowerShell script to run resolves the issue. Windows/AD Administrator need to perform the task.
In Scenario 2: The computer was in Workgroup, checked the execution policies with below command in PowerShell:
Get-ExecutionPolicy -List
The result was as follows:
Scope ExecutionPolicy
----- ---------------
MachinePolicy AllSigned
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
Tried to set Unrestricted/Bypass for MachicePolicy but got the below error :
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of RemoteSigned. Type “Get-ExecutionPolicy -List” to view your execution policy settings. For more information please see “Get-Help Set-ExecutionPolicy”.
Tried to change only the MachinePolicy to 'Unrestricted' with below command:
Set-ExecutionPolicy -Scope MachinePolicy Unrestricted
Got an error like this:
Set-ExecutionPolicy : Cannot set execution policy. Execution policies at the MachinePolicy or UserPolicy scopes must be set through Group Policy.
Changed the MachinePolcy Execution Policy through Registry Editor:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell
Set the ExecutionPolicy value from "AllSigned" to "ByPass".
Open Local Group Policy Editor (gpedit.msc through Run Window).
Got to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
Changed the "Turn on Script Execution" setting from "Allow only signed scripts" to "Allow all scripts"
Then ran the MSCW and it got completed successfully now.
Windows PowerShell> Turn on Script Execution can be reverted to "Allow only signed scripts" after the installation is completed.
Additional Information
Feedback
