Attempted install of XenDesktop 7.8 Delivery Controller software returns following error:
Installation of MSI File 'TelemetryServiceInstaller_x64.msi' failed with code 'InstallFailure' (1603)

Note: This is applicable to XenDesktop & XenApp 7.8 and later.

This error is most frequently encountered because an Active Directory GPO with the policy setting 'Log on as a service' is applied to the server where the XenDesktop 7.8 Delivery Controller software is being installed. There are several ways of resolving this.
 

Method 1: Local Policy

Place the Active Directory accounts for the Delivery Controllers into an OU with inheritance blocking enabled. Ensure that no policies are being applied directly against this OU, perform a group policy update and then browse to the local policy configurations on each Delivery Controller. Browse to the location 'Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment' in local policy editor and ensure that 'Deny log on as a service' is not prohibiting 'NT SERVICE\CitrixTelemetryService' from running as a service. Finally, ensure that either 'NT SERVICE\CitrixTelemetryService' and/or ‘NT SERVICE\ALL SERVICES’ are defined under the 'Log on as a service' policy setting.
 

Method 2: Active Directory GPO, NT SERVICE\ALL SERVICES

Create an Active Directory GPO with the Log on as a service policy setting and extends rights to 'NT SERVICE\ALL SERVICES'.
 

Method 3: Active Directory GPO, Service Account SID

Note: This can only be done on a Citrix Delivery Controller with the Group Policy Management feature installed where the CitrixTelemetryService account has been created by the installer. The process of adding the service account into an Active Directory GPO must be performed locally because Active Directory cannot detect the local CitrixTelemetryService account.

1. Click Start, point to Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. In Add/Remove Snap-in, click Add, and then, in Add Standalone Snap-in, double-click Group Policy Object Editor.
4. In Group Policy Object, click Browse, browse to the Group Policy object (GPO) that you want to modify, click OK, and then click Finish.
5. Click Close, and then click OK.
6. In the console tree, click User Rights Assignment. (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment)
7. In the details pane, double-click Log on as service right.
8. If the security setting has not yet been defined, select the Define these policy settings check box.
9. Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.
10. In the Add User or Group box select Browse.
11. Click Locations and select the machine account of the local Citrix Delivery Controller.
12. Enter 'NT SERVICE\CitrixTelemetryService' in the object names field and click OK.

---

Problem Cause

The service account for 'Citrix Telemetry Service' has insufficient privileges at time of XenDesktop 7.8 install. The XenDesktop 7.8 install will associate the service account 'NT SERVICE\CitrixTelemetryService' with 'Citrix Telemetry Service', typically rights to logon as a service are extended to 'NT SERVICE\ALL SERVICES'. Editing the local or domain policy 'Log on as a Service' such that the newly created 'NT SERVICE\CitrixTelemetryService' is not defined with sufficient rights generates the install failure on the 'telemetryserviceinstaller_x64.msi'. This occurs because services configured to run under the Local System, Local Service, or Network Service accounts have a built in right to logon as a service. Any service that runs under a seperate user account must be assigned the right. The Citrix Telemetry Service is implemented as of the XenDesktop 7.6 Feature Pack 3 release and is responsible for collecting diagnostic information to support AoT CDF Tracing.  

 

Microsoft Documentation, 'Log on as a service' policy setting information:
https://technet.microsoft.com/en-us/library/cc794944(v=ws.10).aspx