Sophos Endpoint Defence + Gold Image = Error 'Windows could not finish configuring the system'

Ryan Williams

2/5/23, 4:18 AM

When I install Sophos Endpoint Defence on an Amazon provided AMI; and then create a custom AMI from it; why do EC2 instances display an error dialog on boot 'Windows could not finish configuring the system'?

In my case I used EC2 Image Builder to run SophosSetup.exe /quiet I then had it run a series of commands provided in Sophos Sysprep.txt from https://support.sophos.com/support/s/article/KB-000035040?language=en_US

However after creating the AMI I was unable to boot any EC2 instances from it. The Troubleshooting > Take Screenshot function allowed me to view the error dialog on the screen.

127

0 + 0

sophos

amazon-ami

amazon-ec2

Score:0

Server

Ryan Williams

2/5/23, 4:18 AM

I learned that when a windows instance boots for the first time it records logs in C:\Windows\Panther\setup.etl. By stopping a troubled instance and attaching its root volume to another instance; I was then able to use 'tracerpt.exe' setup.etl -of csv -o logs.csv to gain access to the logs. In my case I discovered the following error messages in those logs.

"(c0000022): Failed to set value [SAVOnAccessSid]"
"(c0000022): Failed to process value [SAVOnAccessSid]"
"(c0000022): Failed to process reg key or one of its descendants: [\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SAVOnAccess]".

After reviewing the documentation at https://support.sophos.com/support/s/article/KB-000035040?language=en_US I discovered that the Sophos Sysprep.txt script provided performs one additional step that the "Manually prepare a gold image" section does not.

This additional step was to re-enable Tamper Protection prior to shutting down to create the image.

I did an experiment and discovered that if I left Tamper Protection disabled; the descendant EC2 instances worked.

I also confirmed that Tamper Protection re-enabled itself in the descendant EC2 instances which has accomplished my objective.

0 + 0

Ryan Williams

2/5/23, 4:48 AM

Worth noting that if you choose to use the Sophos Central Endpoint API to obtain the Tamper Protection password; be mindful that the ID found in EndpointIdentity.txt is not the same thing as the EndpointId required by the API. Lookup the correct EndpointId using the /endpoints resource with the following filter 'cloud=aws-<instanceId>'.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Sophos Endpoint Defence + Gold Image = Error 'Windows could not finish configuring the system'

TH: Sophos Endpoint Defense + Gold Image = ข้อผิดพลาด 'Windows ไม่สามารถกำหนดค่าระบบให้เสร็จ'

RO: Sophos Endpoint Defense + Gold Image = Eroare „Windows nu a putut termina configurarea sistemului”

RU: Sophos Endpoint Defense + Gold Image = Ошибка «Windows не удалось завершить настройку системы»

VI: Sophos Endpoint Defense + Gold Image = Lỗi 'Windows không thể hoàn tất cấu hình hệ thống'

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.