GPO 推送安装失败,错误代码为 1603

GPO 推送安装失败,错误代码为 1603

我是 GPO 推送安装的新手。我刚刚配置了组策略来为域中的机器推送安装软件。但是,它失败了,错误代码为 1603。

以下是客户端上的日志appmgmt。

07-27 17:14:16:775 
Software installation extension has been called for foreground synchronous policy refresh.
The following policies are to be applied, flags are 1.
    SecureAge Distribute (unique identifier {AE19597D-CBD3-42EF-AEE8-09FBBFA13171})
        System volume path = \\dev.sa.com\SysVol\dev.sa.com\Policies\{AE19597D-CBD3-42EF-AEE8-09FBBFA13171}\Machine
        Active Directory path = LDAP://CN=Machine,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com
Set the Active Directory path to LDAP://CN=Class Store,CN=Machine,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com;.
Enumerating applications in the Active Directory for computer CHENBOXPSP3X32 with flags 5.
CSTORE: Retrieving class store path for the system account.
CSTORE: Retrieved 1 class stores for the user or machine.
CSTORE: Attempting to bind to class store 0 with path LDAP://CN=Class Store,CN=Machine,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com.
CSTORE: Bind attempt returned error code 0.
CSTORE: Enumerating packages with search filter (&(objectclass=packageRegistration)(|(|(msiScriptName=*A*)(&(canUpgradeScript=*)(msiScriptName=*P*)))(!(msiScriptName=*)))) and flags ce00000.
CSTORE: Examining retrieved package SecureAge.
The following applications were found in policy SecureAge Distribute.
    Assigned application SecureAge (flags a0004c70).
Found 1 applications in policy SecureAge Distribute.
Enumerating the managed applications which are currently applied to this user.
No managed applications are currently applied to this user.
Found 0 applications locally that are not included in the set of applications from the Active Directory.
Application SecureAge from policy SecureAge Distribute is set for installation because it is assigned to this computer policy.
Assigning application SecureAge from policy SecureAge Distribute.
Calling the Windows Installer to advertise application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas with flags 69.
Windows Installer cannot advertise application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas, error 1603..
The assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : %1603

Removing application SecureAge from the software installation database.
Calling Windows Installer to remove application advertisement for application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas.
Windows Installer cannot remove application advertisement for application SecureAge from script C:\WINDOWS\system32\appmgmt\MACHINE\{e7b03277-41c7-41b4-8863-cffe4d61237e}.aas, error 1603.
The removal of the assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : %1603

Policy Logging for Software Management is attempting to log application SecureAge from policy SecureAge Distribute.
Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %1603

Software installation extension returning with final error code 1603.
07-27 17:14:25:665 
Software installation extension has been called for foreground synchronous policy refresh.
The following policies are to be applied, flags are 80.
    SecureAge Distribute (unique identifier {AE19597D-CBD3-42EF-AEE8-09FBBFA13171})
        System volume path = \\dev.sa.com\SysVol\dev.sa.com\Policies\{AE19597D-CBD3-42EF-AEE8-09FBBFA13171}\User
        Active Directory path = LDAP://CN=User,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com
Set the Active Directory path to LDAP://CN=Class Store,CN=User,cn={AE19597D-CBD3-42EF-AEE8-09FBBFA13171},cn=policies,cn=system,DC=dev,DC=sa,DC=com;.
Policy has not changed.  Only assigned applications will be advertised.
Enumerating the managed applications which are currently applied to this user.
No managed applications are currently applied to this user.
Found 0 applications locally that are not included in the set of applications from the Active Directory.
Software installation extension returning with final error code 0.

我尝试搜索诸如“Windows Installer 无法从脚本宣传应用程序...”之类的内容,但没有得到任何提示。

此外,%temp% 文件夹中没有 msi 安装日志。

编辑:应用程序事件中的事件信息如下:

Event ID: 101 (error)
The assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : Fatal error during installation. 

Event ID: 103 (error)
The removal of the assignment of application SecureAge from policy SecureAge Distribute failed.  The error was : Fatal error during installation. 

Event ID: 108 (error)
Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : Fatal error during installation. 

Event ID: 1085 (error)
The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.

我点击此链接设置了组策略,因为我是新手,所以无法发布屏幕截图。 http://support.microsoft.com/kb/816102

此问题在 Windows XP 和 Windows 7 32 位主机上均有发生。主机在 VMWare 中运行。

编辑 2:我尝试使用启动脚本来安装软件包,它适用于 Windows 7 客户端。在 Windows 7 客户端的启动阶段,会弹出“交互式服务检测”窗口,显示已安装的软件想要显示一些消息。除此之外,安装工作正常,安装过程中无需输入任何内容。请注意,手动安装 msi 会显示一条消息,提示安装后需要重新启动。

启动脚本如下:

Set WshShell = CreateObject("WScript.Shell")
Set objFso = CreateObject("Scripting.FileSystemObject")
If Not objFso.FileExists("C:\Program Files\SecureAge\bin\SecureAge.exe") Then
    WshShell.Run "\\192.168.0.145\DPoint\SecureAge.msi"
End If 

注意:启动脚本安装仅适用于Windows 7,不适用于Windows XP。

编辑3:组策略的屏幕截图:

在此处输入图片描述

谁能帮我解决这个问题?

感谢致敬

答案1

1603 致命错误通常由以下两种情况之一引起:执行安装的帐户无法写入需要写入的位置,或者安装包已损坏。由于您已通过执行安装排除了 #2,因此我假设它是 #1。

当您使用基于计算机的软件安装 GPO 时,您所做的就是以 SYSTEM 帐户身份安装软件。某些软件安装程序行为不当,要求将数据写入安装用户的配置文件。SYSTEM 帐户没有像其他用户帐户那样的传统配置文件,这给人一种所需目录不存在的错觉。这可以解释为什么登录脚本或手动安装有效 - 两者都不以 SYSTEM 身份运行。

我会咨询您的软件供应商,并确保该软件可以按照您尝试的方式部署,因为所有迹象都表明软件安装程序本身是罪魁祸首。

答案2

请尝试以下操作:

  1. 请检查您托管此 msi 的共享是否具有以下共享和 NTFS 安全权限:组“域计算机”具有读取权限。

    权限输入窗口

  2. 仔细检查脚本中 MSI 文件的路径是否使用了 UNC 路径。例如\\dataserver1\msis\msi_installer.msi rather than e:\msis\msi_installer.msi

  3. 检查软件包是否兼容通过 GPO 安装。为了兼容,它需要能够在没有用户交互的情况下安装,要测试此操作,请登录到未安装它的计算机,将 msi 文件复制到本地某个位置(例如 C:\ 驱动器的根目录)并键入“msiexec /i C:\path_to_msi.msi /quiet”。如果安装正确,则兼容,否则需要重新打包

答案3

补充一点;如果您尝试将软件部署到使用 Bitlocker 或类似软件加密的驱动器,您也会收到 1603 错误。

参考这里:https://support.microsoft.com/en-nz/help/834484/you-receive-an-error-1603-a-fatal-error-occurred-during-installation

解决方法是通过用户组策略(直接或作为环回策略)部署软件。只需记住在组策略中的包选项的“部署”选项卡中选中“登录时安装此应用程序”选项!

相关内容