Azure ATP Sensor failed to install

Occasional Contributor

I am trying to install the Azure ATP identity sensor and has reached a road block. I've read several past issues and well as the guides but can't seem to move pass. The firewall rules are open to allow the https traffic to go out. However, when I check the status with netstat I see the status as established then  TIME_WAIT.

Any thoughts would be sincerely appreciated. Server is Windows 2012 R2. I also ran with the ran this psexec CMD: psexec -i -s "Azure ATP sensor Setup.exe" /quiet NetFrameworkCommandLineArguments="/q" AccessKey="<Access Key>" but still didn't install.

 

[1080:123C][2022-04-04T19:11:50]i001: Burn v3.11.2.4516, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Windows\Temp\{A997D00E-D611-426B-81BB-307E01305556}\.cr\Azure ATP sensor Setup.exe
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'AccessKey'
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'ProxyConfiguration'
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'ProxyUserPassword'
[1080:123C][2022-04-04T19:11:50]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[1080:123C][2022-04-04T19:11:50]i009: Command Line: '"-burn.clean.room=c:\Utils\ATP\Azure ATP sensor Setup.exe" -burn.filehandle.attached=320 -burn.filehandle.self=328 NetFrameworkCommandLineArguments=/q AccessKey=*****'
[1080:123C][2022-04-04T19:11:50]i000: Setting string variable 'WixBundleOriginalSource' to value 'c:\Utils\ATP\Azure ATP sensor Setup.exe'
[1080:123C][2022-04-04T19:11:50]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'c:\Utils\ATP\'
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleLog' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152.log'
[1080:123C][2022-04-04T19:11:52]w055: Could not load or read state file: C:\ProgramData\Package Cache\{e87f7178-6183-4f00-a3df-5f320af0ae7e}\\state.rsm, error: 0x80070002.
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[1080:123C][2022-04-04T19:12:01]i000: Loading managed bootstrapper application.
[1080:123C][2022-04-04T19:12:04]i000: Creating BA thread to run asynchronously.
[1080:123C][2022-04-04T19:12:10]i100: Detect begin, 5 packages
[1080:123C][2022-04-04T19:12:10]i000: 2022-04-04 17:12:10.5028 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]
[1080:123C][2022-04-04T19:12:10]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[1080:123C][2022-04-04T19:12:10]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[1080:123C][2022-04-04T19:12:10]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[1080:123C][2022-04-04T19:12:10]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'NetFrameworkRegistryValue' to value '461310'
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
[1080:123C][2022-04-04T19:12:10]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1080:123C][2022-04-04T19:12:10]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: MsiPackage, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i199: Detect complete, result: 0x0
[1080:052C][2022-04-04T19:12:10]i000: 2022-04-04 17:12:10.9559 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]
[1080:052C][2022-04-04T19:12:12]i000: 2022-04-04 17:12:12.4715 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
[1080:052C][2022-04-04T19:12:45]i000: 2022-04-04 17:12:45.2534 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]
[1080:052C][2022-04-04T19:12:45]i000: Setting string variable 'IsConfigured' to value 'True'
[1080:052C][2022-04-04T19:12:45]i000: Setting hidden variable 'AccessKey'
[1080:052C][2022-04-04T19:12:45]i000: Unsetting variable 'DelayedUpdate'
[1080:052C][2022-04-04T19:12:45]i000: Setting hidden variable 'ProxyConfiguration'
[1080:052C][2022-04-04T19:12:45]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'
[1080:123C][2022-04-04T19:12:45]i200: Plan begin, 5 packages, action: Install
[1080:123C][2022-04-04T19:12:45]i052: Condition 'VersionNT64 = v6.1' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
[1080:123C][2022-04-04T19:12:45]i052: Condition 'VersionNT64 = v6.2' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
[1080:123C][2022-04-04T19:12:45]i052: Condition 'ServerLevelsServerCoreRegistryValue <> 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
[1080:123C][2022-04-04T19:12:45]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue <> 1' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
[1080:123C][2022-04-04T19:12:45]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage_rollback.log'
[1080:123C][2022-04-04T19:12:45]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage.log'
[1080:123C][2022-04-04T19:12:45]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[1080:123C][2022-04-04T19:12:45]i299: Plan complete, result: 0x0
[1080:123C][2022-04-04T19:12:45]i300: Apply begin
[1080:123C][2022-04-04T19:12:45]i010: Launching elevated engine process.
[1080:123C][2022-04-04T19:12:45]i011: Launched elevated engine process.
[1080:123C][2022-04-04T19:12:46]i012: Connected to elevated engine.
[0610:0558][2022-04-04T19:12:46]i358: Pausing automatic updates.
[0610:0558][2022-04-04T19:12:46]i359: Paused automatic updates.
[0610:0558][2022-04-04T19:12:46]i360: Creating a system restore point.
[0610:0558][2022-04-04T19:12:46]i362: System restore disabled, system restore point not created.
[0610:0558][2022-04-04T19:12:46]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e87f7178-6183-4f00-a3df-5f320af0ae7e}, options: 0x4, disable resume: No
[0610:0558][2022-04-04T19:12:46]i320: Registering bundle dependency provider: {e87f7178-6183-4f00-a3df-5f320af0ae7e}, version: 2.177.15156.22652
[0610:0558][2022-04-04T19:12:46]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e87f7178-6183-4f00-a3df-5f320af0ae7e}, resume: Active, restart initiated: No, disable resume: No
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to write run key value.
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to update resume mode.
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to begin registration session.
[1080:123C][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to begin registration session in per-machine process.
[1080:123C][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to register bundle.
[1080:123C][2022-04-04T19:12:46]i399: Apply complete, result: 0x80070005, restart: None, ba requested restart: No

 

 

13 Replies
This log part is not sufficient to make progress,
Follow
https://docs.microsoft.com/en-us/defender-for-identity/troubleshooting-using-logs#defender-for-ident...
to check the other 2 logs, they might contain more data.

@Eli Ofek I am only seeing the Azure Advanced Threat Protection Sensor_20220404191152 files in both locations. This is another output.

 

 

[1080:123C][2022-04-04T19:11:50]i001: Burn v3.11.2.4516, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Windows\Temp\{A997D00E-D611-426B-81BB-307E01305556}\.cr\Azure ATP sensor Setup.exe
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'AccessKey'
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'ProxyConfiguration'
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'ProxyUserPassword'
[1080:123C][2022-04-04T19:11:50]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[1080:123C][2022-04-04T19:11:50]i009: Command Line: '"-burn.clean.room=c:\Utils\ATP\Azure ATP sensor Setup.exe" -burn.filehandle.attached=320 -burn.filehandle.self=328 NetFrameworkCommandLineArguments=/q AccessKey=*****'
[1080:123C][2022-04-04T19:11:50]i000: Setting string variable 'WixBundleOriginalSource' to value 'c:\Utils\ATP\Azure ATP sensor Setup.exe'
[1080:123C][2022-04-04T19:11:50]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'c:\Utils\ATP\'
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleLog' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152.log'
[1080:123C][2022-04-04T19:11:52]w055: Could not load or read state file: C:\ProgramData\Package Cache\{e87f7178-6183-4f00-a3df-5f320af0ae7e}\\state.rsm, error: 0x80070002.
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[1080:123C][2022-04-04T19:12:01]i000: Loading managed bootstrapper application.
[1080:123C][2022-04-04T19:12:04]i000: Creating BA thread to run asynchronously.
[1080:123C][2022-04-04T19:12:10]i100: Detect begin, 5 packages
[1080:123C][2022-04-04T19:12:10]i000: 2022-04-04 17:12:10.5028 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]
[1080:123C][2022-04-04T19:12:10]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[1080:123C][2022-04-04T19:12:10]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[1080:123C][2022-04-04T19:12:10]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[1080:123C][2022-04-04T19:12:10]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'NetFrameworkRegistryValue' to value '461310'
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
[1080:123C][2022-04-04T19:12:10]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1080:123C][2022-04-04T19:12:10]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: MsiPackage, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i199: Detect complete, result: 0x0
[1080:052C][2022-04-04T19:12:10]i000: 2022-04-04 17:12:10.9559 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]
[1080:052C][2022-04-04T19:12:12]i000: 2022-04-04 17:12:12.4715 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
[1080:052C][2022-04-04T19:12:45]i000: 2022-04-04 17:12:45.2534 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]
[1080:052C][2022-04-04T19:12:45]i000: Setting string variable 'IsConfigured' to value 'True'
[1080:052C][2022-04-04T19:12:45]i000: Setting hidden variable 'AccessKey'
[1080:052C][2022-04-04T19:12:45]i000: Unsetting variable 'DelayedUpdate'
[1080:052C][2022-04-04T19:12:45]i000: Setting hidden variable 'ProxyConfiguration'
[1080:052C][2022-04-04T19:12:45]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'
[1080:123C][2022-04-04T19:12:45]i200: Plan begin, 5 packages, action: Install
[1080:123C][2022-04-04T19:12:45]i052: Condition 'VersionNT64 = v6.1' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
[1080:123C][2022-04-04T19:12:45]i052: Condition 'VersionNT64 = v6.2' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
[1080:123C][2022-04-04T19:12:45]i052: Condition 'ServerLevelsServerCoreRegistryValue <> 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
[1080:123C][2022-04-04T19:12:45]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue <> 1' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
[1080:123C][2022-04-04T19:12:45]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage_rollback.log'
[1080:123C][2022-04-04T19:12:45]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage.log'
[1080:123C][2022-04-04T19:12:45]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[1080:123C][2022-04-04T19:12:45]i299: Plan complete, result: 0x0
[1080:123C][2022-04-04T19:12:45]i300: Apply begin
[1080:123C][2022-04-04T19:12:45]i010: Launching elevated engine process.
[1080:123C][2022-04-04T19:12:45]i011: Launched elevated engine process.
[1080:123C][2022-04-04T19:12:46]i012: Connected to elevated engine.
[0610:0558][2022-04-04T19:12:46]i358: Pausing automatic updates.
[0610:0558][2022-04-04T19:12:46]i359: Paused automatic updates.
[0610:0558][2022-04-04T19:12:46]i360: Creating a system restore point.
[0610:0558][2022-04-04T19:12:46]i362: System restore disabled, system restore point not created.
[0610:0558][2022-04-04T19:12:46]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e87f7178-6183-4f00-a3df-5f320af0ae7e}, options: 0x4, disable resume: No
[0610:0558][2022-04-04T19:12:46]i320: Registering bundle dependency provider: {e87f7178-6183-4f00-a3df-5f320af0ae7e}, version: 2.177.15156.22652
[0610:0558][2022-04-04T19:12:46]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e87f7178-6183-4f00-a3df-5f320af0ae7e}, resume: Active, restart initiated: No, disable resume: No
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to write run key value.
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to update resume mode.
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to begin registration session.
[1080:123C][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to begin registration session in per-machine process.
[1080:123C][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to register bundle.
[1080:123C][2022-04-04T19:12:46]i399: Apply complete, result: 0x80070005, restart: None, ba requested restart: No
[1080:052C][2022-04-04T19:13:11]i000: 2022-04-04 17:13:11.2214 Debug SensorBootstrapperApplication Run Engine.Quit [\[]deploymentResultStatus=-2147024891 isRestartRequired=False[\]]
[1080:123C][2022-04-04T19:13:11]i500: Shutting down, exit code: 0x80070005
[1080:123C][2022-04-04T19:13:11]i410: Variable: AccessKey = *****
[1080:123C][2022-04-04T19:13:11]i410: Variable: InstallationPath = C:\Program Files\Azure Advanced Threat Protection Sensor
[1080:123C][2022-04-04T19:13:11]i410: Variable: IsConfigured = True
[1080:123C][2022-04-04T19:13:11]i410: Variable: Kb4019990Windows2008R2Exists = 0
[1080:123C][2022-04-04T19:13:11]i410: Variable: Kb4019990Windows2012Exists = 0
[1080:123C][2022-04-04T19:13:11]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui
[1080:123C][2022-04-04T19:13:11]i410: Variable: NetFrameworkRegistryValue = 461310
[1080:123C][2022-04-04T19:13:11]i410: Variable: RebootPending = 0
[1080:123C][2022-04-04T19:13:11]i410: Variable: ServerLevelsServerCoreRegistryValue = 1
[1080:123C][2022-04-04T19:13:11]i410: Variable: ServerLevelsServerGuiShellRegistryValue = 1
[1080:123C][2022-04-04T19:13:11]i410: Variable: VersionNT64 = 6.3.0.0
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleAction = 5
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleElevated = 1
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleLog = C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152.log
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleLog_MsiPackage = C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage.log
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleManufacturer = Microsoft Corporation
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleOriginalSource = c:\Utils\ATP\Azure ATP sensor Setup.exe
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleOriginalSourceFolder = c:\Utils\ATP\
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleProviderKey = {e87f7178-6183-4f00-a3df-5f320af0ae7e}
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleRollbackLog_MsiPackage = C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage_rollback.log
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleSourceProcessFolder = c:\Utils\ATP\
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleSourceProcessPath = c:\Utils\ATP\Azure ATP sensor Setup.exe
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleTag =
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleUILevel = 4
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleVersion = 2.177.15156.22652
[1080:123C][2022-04-04T19:13:11]i007: Exit code: 0x80070005, restarting: No

@Eli Ofek I checked the other locations, but I'm only seeing the file. Azure Advanced Threat Protection Sensor_20220404191152.txt which is shown below:

 

[1080:123C][2022-04-04T19:11:50]i001: Burn v3.11.2.4516, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Windows\Temp\{A997D00E-D611-426B-81BB-307E01305556}\.cr\Azure ATP sensor Setup.exe
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'AccessKey'
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'ProxyConfiguration'
[1080:123C][2022-04-04T19:11:50]i000: Initializing hidden variable 'ProxyUserPassword'
[1080:123C][2022-04-04T19:11:50]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui'
[1080:123C][2022-04-04T19:11:50]i009: Command Line: '"-burn.clean.room=c:\Utils\ATP\Azure ATP sensor Setup.exe" -burn.filehandle.attached=320 -burn.filehandle.self=328 NetFrameworkCommandLineArguments=/q AccessKey=*****'
[1080:123C][2022-04-04T19:11:50]i000: Setting string variable 'WixBundleOriginalSource' to value 'c:\Utils\ATP\Azure ATP sensor Setup.exe'
[1080:123C][2022-04-04T19:11:50]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'c:\Utils\ATP\'
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleLog' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152.log'
[1080:123C][2022-04-04T19:11:52]w055: Could not load or read state file: C:\ProgramData\Package Cache\{e87f7178-6183-4f00-a3df-5f320af0ae7e}\\state.rsm, error: 0x80070002.
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor'
[1080:123C][2022-04-04T19:11:52]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[1080:123C][2022-04-04T19:12:01]i000: Loading managed bootstrapper application.
[1080:123C][2022-04-04T19:12:04]i000: Creating BA thread to run asynchronously.
[1080:123C][2022-04-04T19:12:10]i100: Detect begin, 5 packages
[1080:123C][2022-04-04T19:12:10]i000: 2022-04-04 17:12:10.5028 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]]
[1080:123C][2022-04-04T19:12:10]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2'
[1080:123C][2022-04-04T19:12:10]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0
[1080:123C][2022-04-04T19:12:10]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1'
[1080:123C][2022-04-04T19:12:10]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'NetFrameworkRegistryValue' to value '461310'
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1'
[1080:123C][2022-04-04T19:12:10]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1'
[1080:123C][2022-04-04T19:12:10]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1080:123C][2022-04-04T19:12:10]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true.
[1080:123C][2022-04-04T19:12:10]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None
[1080:123C][2022-04-04T19:12:10]i101: Detected package: MsiPackage, state: Absent, cached: None
[1080:123C][2022-04-04T19:12:10]i199: Detect complete, result: 0x0
[1080:052C][2022-04-04T19:12:10]i000: 2022-04-04 17:12:10.9559 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]]
[1080:052C][2022-04-04T19:12:12]i000: 2022-04-04 17:12:12.4715 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]]
[1080:052C][2022-04-04T19:12:45]i000: 2022-04-04 17:12:45.2534 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=Success[\]]
[1080:052C][2022-04-04T19:12:45]i000: Setting string variable 'IsConfigured' to value 'True'
[1080:052C][2022-04-04T19:12:45]i000: Setting hidden variable 'AccessKey'
[1080:052C][2022-04-04T19:12:45]i000: Unsetting variable 'DelayedUpdate'
[1080:052C][2022-04-04T19:12:45]i000: Setting hidden variable 'ProxyConfiguration'
[1080:052C][2022-04-04T19:12:45]i000: Setting string variable 'InstallationPath' to value 'C:\Program Files\Azure Advanced Threat Protection Sensor'
[1080:123C][2022-04-04T19:12:45]i200: Plan begin, 5 packages, action: Install
[1080:123C][2022-04-04T19:12:45]i052: Condition 'VersionNT64 = v6.1' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2008R2Package
[1080:123C][2022-04-04T19:12:45]i052: Condition 'VersionNT64 = v6.2' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: Kb4019990Windows2012Package
[1080:123C][2022-04-04T19:12:45]i052: Condition 'ServerLevelsServerCoreRegistryValue <> 1 OR ServerLevelsServerGuiShellRegistryValue = 1' evaluates to true.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServer
[1080:123C][2022-04-04T19:12:45]i052: Condition 'ServerLevelsServerCoreRegistryValue = 1 AND ServerLevelsServerGuiShellRegistryValue <> 1' evaluates to false.
[1080:123C][2022-04-04T19:12:45]w321: Skipping dependency registration on package with no dependency providers: NetFrameworkPackageServerCore
[1080:123C][2022-04-04T19:12:45]i000: Setting string variable 'WixBundleRollbackLog_MsiPackage' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage_rollback.log'
[1080:123C][2022-04-04T19:12:45]i000: Setting string variable 'WixBundleLog_MsiPackage' to value 'C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage.log'
[1080:123C][2022-04-04T19:12:45]i201: Planned package: Kb4019990Windows2008R2Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: Kb4019990Windows2012Package, state: Absent, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: NetFrameworkPackageServer, state: Present, default requested: Present, ba requested: Present, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: NetFrameworkPackageServerCore, state: Present, default requested: Absent, ba requested: Absent, execute: None, rollback: None, cache: No, uncache: No, dependency: None
[1080:123C][2022-04-04T19:12:45]i201: Planned package: MsiPackage, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[1080:123C][2022-04-04T19:12:45]i299: Plan complete, result: 0x0
[1080:123C][2022-04-04T19:12:45]i300: Apply begin
[1080:123C][2022-04-04T19:12:45]i010: Launching elevated engine process.
[1080:123C][2022-04-04T19:12:45]i011: Launched elevated engine process.
[1080:123C][2022-04-04T19:12:46]i012: Connected to elevated engine.
[0610:0558][2022-04-04T19:12:46]i358: Pausing automatic updates.
[0610:0558][2022-04-04T19:12:46]i359: Paused automatic updates.
[0610:0558][2022-04-04T19:12:46]i360: Creating a system restore point.
[0610:0558][2022-04-04T19:12:46]i362: System restore disabled, system restore point not created.
[0610:0558][2022-04-04T19:12:46]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e87f7178-6183-4f00-a3df-5f320af0ae7e}, options: 0x4, disable resume: No
[0610:0558][2022-04-04T19:12:46]i320: Registering bundle dependency provider: {e87f7178-6183-4f00-a3df-5f320af0ae7e}, version: 2.177.15156.22652
[0610:0558][2022-04-04T19:12:46]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e87f7178-6183-4f00-a3df-5f320af0ae7e}, resume: Active, restart initiated: No, disable resume: No
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to write run key value.
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to update resume mode.
[0610:0558][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to begin registration session.
[1080:123C][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to begin registration session in per-machine process.
[1080:123C][2022-04-04T19:12:46]e000: Error 0x80070005: Failed to register bundle.
[1080:123C][2022-04-04T19:12:46]i399: Apply complete, result: 0x80070005, restart: None, ba requested restart: No
[1080:052C][2022-04-04T19:13:11]i000: 2022-04-04 17:13:11.2214 Debug SensorBootstrapperApplication Run Engine.Quit [\[]deploymentResultStatus=-2147024891 isRestartRequired=False[\]]
[1080:123C][2022-04-04T19:13:11]i500: Shutting down, exit code: 0x80070005
[1080:123C][2022-04-04T19:13:11]i410: Variable: AccessKey = *****
[1080:123C][2022-04-04T19:13:11]i410: Variable: InstallationPath = C:\Program Files\Azure Advanced Threat Protection Sensor
[1080:123C][2022-04-04T19:13:11]i410: Variable: IsConfigured = True
[1080:123C][2022-04-04T19:13:11]i410: Variable: Kb4019990Windows2008R2Exists = 0
[1080:123C][2022-04-04T19:13:11]i410: Variable: Kb4019990Windows2012Exists = 0
[1080:123C][2022-04-04T19:13:11]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui
[1080:123C][2022-04-04T19:13:11]i410: Variable: NetFrameworkRegistryValue = 461310
[1080:123C][2022-04-04T19:13:11]i410: Variable: RebootPending = 0
[1080:123C][2022-04-04T19:13:11]i410: Variable: ServerLevelsServerCoreRegistryValue = 1
[1080:123C][2022-04-04T19:13:11]i410: Variable: ServerLevelsServerGuiShellRegistryValue = 1
[1080:123C][2022-04-04T19:13:11]i410: Variable: VersionNT64 = 6.3.0.0
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleAction = 5
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleElevated = 1
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleLog = C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152.log
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleLog_MsiPackage = C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage.log
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleManufacturer = Microsoft Corporation
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleOriginalSource = c:\Utils\ATP\Azure ATP sensor Setup.exe
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleOriginalSourceFolder = c:\Utils\ATP\
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleProviderKey = {e87f7178-6183-4f00-a3df-5f320af0ae7e}
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleRollbackLog_MsiPackage = C:\Windows\TEMP\Azure Advanced Threat Protection Sensor_20220404191152_000_MsiPackage_rollback.log
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleSourceProcessFolder = c:\Utils\ATP\
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleSourceProcessPath = c:\Utils\ATP\Azure ATP sensor Setup.exe
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleTag =
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleUILevel = 4
[1080:123C][2022-04-04T19:13:11]i410: Variable: WixBundleVersion = 2.177.15156.22652
[1080:123C][2022-04-04T19:13:11]i007: Exit code: 0x80070005, restarting: No

I've checked the locations and only see the log file with the name Azure Advanced Threat Protection Sensor_20220404191152.txt
Try to check if this file exist on the disk:
C:\ProgramData\Package Cache\{e87f7178-6183-4f00-a3df-5f320af0ae7e}\\state.rsm
If not, try to copy it from another working machine. if it's there, make sure you have permissions to access it.
Inside this folder -C:\ProgramData\Package Cache\{e87f7178-6183-4f00-a3df-5f320af0ae7e}, I see the the Azure ATP Sensor Setup.exe application. I also verify that I have full access to the folder.
Do you see the file state.rsm there ?
Nope. I don't see any state.rsm.
Try to copy it there from a working machien and try again, see if it resolves the issue.
It's the first installation so don't have a previous state.rsm. I can possible try the install on a member server and see if it works.
It might be better to open a support ticket and mentioning this part of the log:
"[1080:123C][2022-04-04T19:11:52]w055: Could not load or read state file: C:\ProgramData\Package Cache\{e87f7178-6183-4f00-a3df-5f320af0ae7e}\\state.rsm, error: 0x80070002."
It could be a failure with the MSI service, support can engage the right team if needed.

BTW - did you try to reboot yet and see if it get fixed? sometimes MSI can recover after a reboot.
Thank you for the input. Yes, I've rebooted a number of times.

I found the solution. This issue was caused by virus protection applications stopping the installer from writing keys.

I temporarily disabled the virus checker (McAfee in my case) and it solved the problem.

We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE