Helo
some subscription failed on windows 2022 at install

jmp\vagrant@WIN1 C:\Users\vagrant\Desktop\wec_pepped>powershell C:\Users\vagrant\Desktop\wec_pepped\setup_subscriptions.ps1
WARNING: CREATING new AD Group: Domain Miscellaneous
-> WecFwdLog-Domain-Misc_Script
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Misc_Security
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Misc_Sysmon
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Misc_Service
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Misc_Application
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Misc_Misc
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Misc_System
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
WARNING: CREATING new AD Group: Domain Privileged
-> WecFwdLog-Domain-Privileged_Script
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Privileged_Security
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Privileged_Sysmon
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Privileged_Service
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Privileged_Application
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Privileged_Misc
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Privileged_System
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
WARNING: CREATING new AD Group: Domain Clients
-> WecFwdLog-Domain-Clients_Script
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Clients_Security
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Clients_Sysmon
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Clients_Service
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Clients_Application
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Clients_Misc
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Clients_System
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
WARNING: CREATING new AD Group: Domain Servers
-> WecFwdLog-Domain-Members_Script
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Members_Security
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Members_Sysmon
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Members_Service
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Members_Application
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Members_Misc
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Members_System
The subscription is saved successfully, but it can't be activated at this time.
Use retry-subscription command to retry the subscription. If subscription is running,
you can also use get-subscriptionruntimestatus command to get extended error status.
Error = 0x3ae8.
The subscription fails to activate.
-> WecFwdLog-Domain-Servers_Script
-> WecFwdLog-Domain-Servers_Security
-> WecFwdLog-Domain-Servers_Sysmon
-> WecFwdLog-Domain-Servers_Service
-> WecFwdLog-Domain-Servers_Application
-> WecFwdLog-Domain-Servers_Misc
-> WecFwdLog-Domain-Servers_System
-> WecFwdLog-Domain-Controllers_Script
-> WecFwdLog-Domain-Controllers_Security
-> WecFwdLog-Domain-Controllers_Sysmon
-> WecFwdLog-Domain-Controllers_Service
-> WecFwdLog-Domain-Controllers_Application
-> WecFwdLog-Domain-Controllers_Misc
-> WecFwdLog-Domain-Controllers_System

Error in Eventviewer: "the SDDL string contains ans invalid sid or a sid that cannot be translated paramter name:sddlForm"

PS C:\Users\vagrant> wecutil gr WecFwdLog-Domain-Members_Service

Subscription: WecFwdLog-Domain-Members_Service
RunTimeStatus: Inactive
LastError: 1337
ErrorMessage: The security ID structure is invalid.
ErrorTime: 2023-07-29T22:37:59.538

PS C:\Users\vagrant> echo $PSVersionTable

Name Value

PSVersion 5.1.20348.1850
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.20348.1850
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

PS C:\Users\vagrant> echo ([Environment]::OSVersion)

Platform ServicePack Version VersionString

Win32NT 10.0.20348.0 Microsoft Windows NT 10.0.20348.0
thanks for you help

Hello,

Thanks for the great cookbook - there's a minor issue I've spotted, maybe you'll be able to reproduce it.
I'm setting this on a greenfield Windows server 2019.

Under: Set up the WEC subscriptions
I'm installing the channels (Step 1), but configuring custom channels (Step 2) fails silently, and then Step 3 is a hard fail.
My understanding is that Step 2 fails, as the Subscription service is not yet running.

Jumping to Step 4 and back to Step 2 solved the issue and the subscriptions were created after that.

Cheers

The system cannot find the file specified.
Failed to open subscription. Error = 0x2.

wecutils does not generate error in try clause that PowerShell understands (cmd utill vs PowerShell cmdlets). this means that $doUpdate variable is never updated to $false as catch clause is never ran

I have fixed this changing to following in setup_subscriptions.ps1 file.

foreach ( $chan in $ChannelList.GetEnumerator() ) {

     **<# $doUpdate = $true
      try {
          & wecutil gs "$($prov.key)_$($chan.key)" | Out-Null
      }
      catch {
          $doUpdate = $false
      } #>**
      $doUpdate = $true
      & wecutil gs "$($prov.key)_$($chan.key)" 2>&1>$null

      if ("$LASTEXITCODE" -eq 2){
      $doUpdate = $false
      }
}