Server VDA uninstall, upgrade and hotfix setup fail on XenApp XenDesktop 7.6.300 and higher


Article ID: CTX215992


Description

While trying to upgrade or uninstall the Server VDA 7.6.300 or higher, or to install a hotfix on the Server VDA 7.6.300 or higher, the operation fails with the error code:
"Installation of MSI File 'ICATS_x64.msi' failed with code 'InstallFailure' (1603)."
 
[Screenshot: XenDesktop 7.8 installer, "Installation failed" page. Virtual Delivery Agent is marked Failed with the message: Installation of MSI File 'icaTS_x64.msi' failed with code 'InstallFailure' (1603).]
 
The log file in C:\Users\username\AppData\Local\Temp\1\Citrix\XenDesktop Installer\MSI Log Files\IcaTS_x64xxxxxxx.log or IcaTS_x64uninstallxxxxxxxx.log shows:
"Product: Citrix HDX TS (retail) -- Error 1402. Could not open key: HKEY_LOCAL_MACHINE32\SOFTWARE\Citrix\EUEM\LoggedEvents.  System error 5.  Verify that you have sufficient access to that key, or contact your support personnel."
 

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

To uninstall the software, first try the VDA cleanup utility: http://support.citrix.com/article/CTX209255
To successfully complete the upgrade, uninstall or hotfix setup operations, the System account must have Full Control on the HKLM\Software\Wow6432Node\Citrix\EUEM\LoggedEvents registry key.

Permanent Fix: On the Server VDA, restore to the Remote Desktop Users group the Authenticated Users and Domain Users groups that were deleted after the initial Server VDA install (for more details, refer to the Problem Cause section of this article).

Workaround: If the permanent fix can't be applied for any reason, follow one of the workarounds below.
 
  1. Add the Authenticated Users group to the Remote Desktop Users group on the Server VDA:
Before beginning the upgrade, uninstall or hotfix setup operations, add the Authenticated Users group to the Remote Desktop Users group. This can be done via the GUI (Computer Management -> Local Users and Groups -> Groups -> Remote Desktop Users) or via CMD:
 
net localgroup "Remote Desktop users" "authenticated users" /add
 
When the setup is completed, if necessary, remove the Authenticated Users group from the Remote Desktop Users group:
 
net localgroup "Remote Desktop users" "authenticated users" /delete

NOTE: If the membership of the Remote Desktop Users group is controlled via GPO and the setup requires an intermediate reboot before running the VDA setup (i.e. to install the Microsoft .NET Framework), the GPO will remove the Authenticated Users group after the reboot, and the group has to be added again to the Remote Desktop Users group to complete the setup successfully.
  2. Change the permissions on the HKLM\Software\Wow6432Node\Citrix\EUEM\LoggedEvents registry key via Regedit:
  • Log on to the VDA using an account that is part of the local Administrators group and start Regedit
  • Navigate to HKLM\Software\Wow6432Node\Citrix\EUEM\LoggedEvents
  • If necessary click OK on the Error Opening Key message
  • Right-click on LoggedEvents and select
  • Click OK on the Windows Security alert and click on the Advanced button
  • Click OK on the Windows Security alert and in the Advanced Security Settings screen click "Change" to change the owner of the key
  • Select the current user as owner of the key and click OK. Close and reopen the permissions for the LoggedEvents registry key
  • Add the System account to the Permissions for LoggedEvents: click Add -> System -> OK
  • Highlight the System account and select Full Control then click OK
[Screenshot: Permissions dialog for the LoggedEvents key. Group or user names: LOCAL SERVICE, NETWORK SERVICE, Remote Desktop Users, SYSTEM. The lower pane shows the permissions for SYSTEM.]
  • Run the Server VDA upgrade, uninstall or hotfix setup operation
NOTE: When the setup is completed, the permissions on the HKLM\Software\Wow6432Node\Citrix\EUEM\LoggedEvents registry key will be reverted and the System account removed from the ACL.
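
Added example for workaround 1 (not part of the original Citrix article): a PowerShell wrapper around the two net localgroup commands above that adds Authenticated Users only if it is missing and removes it again only if the script added it, even when the setup fails. The function names, the SetupAction parameter and the setup path in the usage comment are hypothetical; S-1-5-32-555 is the well-known SID of Remote Desktop Users and S-1-5-11 that of Authenticated Users.

```powershell
# Added example: keeps the temporary membership from workaround 1 from lingering.
# Run from an elevated PowerShell session on the Server VDA.

function Get-SidAccountName([string] $Sid) {
    # Translate a well-known SID to its (possibly localized) AUTHORITY\Name form.
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

function Test-RdpGroupMember([string] $GroupName, [string] $MemberFullName) {
    # net.exe prints one member per line; compare trimmed lines (case-insensitive).
    $lines = & net.exe localgroup $GroupName | ForEach-Object { $_.Trim() }
    $lines -contains $MemberFullName
}

function Invoke-WithTemporaryRdpMembership {
    param(
        # Hypothetical parameter: the upgrade, uninstall or hotfix command to run.
        [Parameter(Mandatory = $true)] [scriptblock] $SetupAction
    )
    $groupName  = (Get-SidAccountName 'S-1-5-32-555').Split('\')[-1]  # Remote Desktop Users
    $memberFull = Get-SidAccountName 'S-1-5-11'          # NT AUTHORITY\Authenticated Users
    $memberName = $memberFull.Split('\')[-1]

    $addedByScript = $false
    if (-not (Test-RdpGroupMember $groupName $memberFull)) {
        & net.exe localgroup $groupName $memberName /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not add '$memberName' to '$groupName'." }
        $addedByScript = $true
    }
    try {
        & $SetupAction
    }
    finally {
        # Undo only what this script changed; pre-existing membership is left alone.
        if ($addedByScript -and (Test-RdpGroupMember $groupName $memberFull)) {
            & net.exe localgroup $groupName $memberName /delete | Out-Null
        }
    }
}

# Usage (placeholder path, replace with the actual setup command):
# Invoke-WithTemporaryRdpMembership { & 'C:\path\to\setup.exe' }
```

If the setup forces an intermediate reboot, the cleanup in the finally block does not run and a Restricted Groups GPO may already have removed the member, so run the wrapper again for the remaining setup phase.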

Problem Cause

A design change in the Server VDA setup modified the Access Control List for the registry key HKLM\Software\Wow6432Node\Citrix\EUEM\LoggedEvents.
 
The System account is the owner of the key but doesn't have any rights on the key itself:
[Screenshot: Advanced Security Settings for the LoggedEvents key. Owner: SYSTEM. Permission entries (Type / Principal / Access / Inherited from / Applies to): Allow, LOCAL SERVICE, Full Control, None, This key and subkeys; Allow, NETWORK SERVICE, Full Control, None, This key and subkeys; Allow, Remote Desktop Users, Full Control, None, This key and subkeys.]
 
In the ACL for this registry key, the "Remote Desktop Users" group has Full Control.

The setup for XA/XD Server VDA 7.6.300 and newer adds the groups "Domain Users" and "Authenticated Users" to the "Remote Desktop Users" group.
 
[Screenshot: Remote Desktop Users group properties. Description: Members in this group are granted the right to logon remotely. Members: CTX\Domain Users, NT AUTHORITY\Authenticated Users (S-1-5-11).]
 
Please note that, when the Server VDA is installed on a machine, a new local group called "Direct Access Users" is created. Non-administrative users, even though they are part of the Remote Desktop Users group, can no longer RDP to the VDA itself if they are not part of the Direct Access Users group: http://support.citrix.com/article/CTX203246
 
The System account is by default part of Authenticated Users. As long as the System account is directly or indirectly a member of the "Remote Desktop Users" group, no issue will be experienced.
In some environments the administrators modify the membership of the "Remote Desktop Users" group, manually or via GPO, removing the groups added during the VDA setup: "Domain Users" and "Authenticated Users".
If the "Domain Users" and "Authenticated Users" groups were manually deleted by the administrators, adding them back to the "Remote Desktop Users" group will fix the issue.
 
The GPO used to control the group membership is:
Computer Configuration\policies\Windows Settings\Security Settings\Restricted Groups
If this policy is applied to the Server VDA to control the "Remote Desktop Users" membership, all the users and groups not specified by this policy will be removed from the "Remote Desktop Users" membership. This means that the groups "Domain Users" and "Authenticated Users", added to the Remote Desktop Users group by the Citrix Server VDA setup, will be removed after the first reboot, when the GPO is applied. Adding the "Domain Users" and "Authenticated Users" groups to the groups in Computer Configuration\policies\Windows Settings\Security Settings\Restricted Groups will fix the issue.
 
Under those conditions the System account will not have any right to access the HKLM\Software\Wow6432Node\Citrix\EUEM\LoggedEvents registry key, and the upgrade, uninstall or hotfix setup will fail with Access Denied.
 
[Screenshot: trace of msiexec.exe (PID 3528) at 08:56 showing repeated RegOpenKey operations on HKLM\SOFTWARE\Wow6432Node\Citrix\EUEM\LoggedEvents, each with the result ACCESS DENIED.]
 

Issue/Introduction

The upgrade or uninstall operation of a XenDesktop or XenApp Server VDA on Windows Server 2012 fails with the error message "Installation of MSI File 'ICATS_x64.msi' failed with code 'InstallFailure' (1603)." Adding a hotfix to the Server VDA 7.6.300 and higher fails with the same error message.