Phone Lines icon GFI Support Home Sign in
Start a conversation
  1. GFI Support
  2. GFI Support - LanGuard Section
  3. Articles

Agent Install or Remediation Job Status Stuck at Pending

Overview

While trying to deploy the security patches or install an Agent, the job status stays at Pending.

Another scenario is when a scan is initiated, it does not continue and the Scanner Activity Window only shows the following text:

STARTING SECURITY SCAN FOR MACHINE/RANGE: <target>
Profile: <Profile name>

Diagnosis

Possible causes for jobs stuck with 'pending' status are:

  • The wrong IP address is used for agent deployment or remediation job
  • The service account is not able to start the remediation job due to a security feature blocking its process
  • In the Active Directory environment, the Restricted Groups Domain Policy is used to specify the administrator members on the domain computers

    • GFI LanGuard creates its dedicated account with Local Administrator rights
    • These rights may change due to GPO settings. In this situation, the LNSS_MONITOR_USR dedicated account will be removed from the local administrator's group

Solution

  1. On the LanGuard server go to Control Panel > Administrative Tools > Services and verify that the GFI LanGuard XX Attendant Service is running.

  2. Change the account used by GFI LanGuard XX Attendant Service:

    1. Double-click the GFI LanGuard XX Attendant service.
    2. Select the Log On tab and in the Log on as: section, select This account.
    3. Specify an account having local administrative rights in the format <Domain>\<User> or browse to the admin user.
    4. Enter the Password for the specified account and click Apply.
    5. Choose the General tab and click Start to start the service.
  3. On the LanGuard server change the DCOM identity:

    1. Open DCOMCNFG:
      1. Press Windows + R keys together.
      2. Type dcomcnfg and press the Enter key.
    2. Expand Component Services > Computers > My Computer > DCOM Config.
    3. Enter the Properties of LNSSCommunicator.
    4. In the Identity tab, click Browse and select a user that has Administrator rights on all machines in the domain.
    5. Enter the password for the selected user and Apply changes.
    6. Open the Local Security Policy (gpedit.msc) on the LanGuard server.
    7. Navigate to Local Computer PolicyComputer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
    8. Check the properties of Replace a process level token and Adjust memory quotas for process policies.
    9. Add the account used in the Identity tab (above) to these policies.
    10. Do the same for the Logon as a batch job policy.
    11. Restart the GFI LanGuard XX Attendant service.
  4. On the LanGuard server launch the LanGuard Console and update communications IP address:

    1. From the Configuration tab, select Agents Management.
    2. Click Agents Settings.
    3. From the General tab under Communications, select the IP address of LanGuard instead of the Default selection.
      mceclip0.png
    4. Click OK to apply the changes.
  5. On the Windows target machine(s), explicitly add the user account that is running the services to the Log on as Services Local Security Policy:

    1. Navigate to Start > Run and type secpol.msc and press Enter.
    2. Expand Local Policies.
    3. Choose User Rights Assignment.
    4. Scroll down till you see Log on as a service.
    5. Right-click it and go to Properties.
    6. Click Add User or Group and add that account there.
    7. Click Apply and OK and close out of the Local Security Policy.
    8. Apply the changes.
    9. Go to Run > type GPupdate /force and press Enter.
  6. Disable UAC on both server and client machines:

    1. Click Restart Now to apply the change right away, or click Restart Later and close the User Accounts tasks window.
    2. Clear the Use User Account Control (UAC) to help protect the computer checkbox, and then click OK.
    3. If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
    4. In the User Accounts tasks window, click Turn User Account Control On or Off.
    5. In the User Accounts window, click User Accounts.
    6. In Control Panel, click User Accounts.
    7. Click Start, and then click Control Panel.
NOTE: If LanGuard has more network interface cards, the wrong one can be used for agent deployment or the remediation. Disable these network interface cards locally and run a localhost scan using the HW audit in LanGuard to update the correct IP address before starting a new agent deployment and remediation.
Start a new agent deployment or remediation to verify whether the problem is gone. If the issue persists, try the steps below:
  1. On the LanGuard server verify that the GFI LanGuard XX Attendant Service is running.
  2. On the LanGuard server change the DCOM identity:

    1. Open DCOMCNFG:
      1. Press Windows + R keys together.
      2. Type dcomcnfg and press Enter key.
    2. Expand Component Services > Computers > My Computer > DCOM Config.
    3. Enter the Properties of LNSSCommunicator.
    4. In the Identity tab, select the Launching User radio button.
    5. Restart the GFI LanGuard XX Attendant service.

Testing

Start the activity that was having issues and verify that the problem is gone.

Choose files or drag and drop files
Was this article helpful?
Yes
No

  1. Priyanka Bhotika

  2. Posted

Comments