- GFI LanGuard
The actual patch deployment (remediation) process is always done in the following way:
- GFI LanGuard logs into the target machine and accesses the remote registry of the target machine
- All files required for deployment (patchagent.exe, deploypatches.bat and the patch installer executables; see the note below) are copied to the target machine by the GFI LanGuard server. By default this is done through the standard administrative shares to <C:\Windows\Patches>; the location can be changed to a custom share in the deployment settings.
- Note: When the target computer has a GFI LanGuard Agent installed AND that agent is configured to use a Relay Agent, patch installer executables will be requested by the Patch Agent Service from the assigned Relay Agent
- To troubleshoot connectivity from the GFI LanGuard console to the target machine for remote registry and the admin shares, use procedures noted in: How to test network connectivity and security permissions for GFI security products.
- The batch file (deploypatches.bat) contains the commands with parameters to install all selected patches silently
- A service called GFI LanGuard Patch Agent service is then installed and started on the target machine. This service executes the batch file and monitors the status of the patch deployment. It sends status updates (starting <patch> deployment, finished <patch> deployment) to the GFI LanGuard server's communications port (1072 by default) over HTTP. The account for this service is specified in the deployment settings (Local System by default); it needs local administrator rights on the target machine as well as the "Log on as a service" right.
- For each patch a separate temporary batch file is created on-the-fly containing the actual installation commands for that one patch
- The GFI LanGuard Patch Agent Service returns the final result of the deployment (success or failure) to the GFI LanGuard Server via the communications port (1072 by default).
- After the patch deployment, the service is uninstalled and any additional actions defined in the batch file, such as rebooting the machine, are triggered.
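The steps above depend on three things working before the first patch is copied: the remote registry on the target, a writable administrative share, and a return path from the target to the server's communications port. The following pre-flight script is an added example, not GFI's own tooling, and is meant to be run on the GFI LanGuard server under the deployment account in Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7). The target name, the service display name wildcard and the use of WinRM for the port test are assumptions.

```powershell
# Added pre-flight check for a LanGuard patch deployment (not GFI code).
# Run on the LanGuard server as the account used for deployment.
param(
    [string]$Target     = 'WS01',                 # assumed target computer name
    [string]$Server     = $env:COMPUTERNAME,      # LanGuard server the agent reports back to
    [int]   $ServerPort = 1072,                   # communications port (default)
    [string]$PatchDir   = 'C$\Windows\Patches'    # default deployment folder via the admin share
)

$results = [ordered]@{}

# 1. Remote registry: LanGuard reads the target's registry over RPC, so the service must be
#    running and the hive must open from here.
try {
    $rr = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction Stop
    $results['RemoteRegistry service'] = $rr.Status
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    $hive.Close()
    $results['Remote registry open'] = 'OK'
} catch { $results['Remote registry open'] = "FAIL: $($_.Exception.Message)" }

# 2. Admin share: patchagent.exe, deploypatches.bat and the installers land in
#    \\Target\C$\Windows\Patches by default. Prove we can create and delete a file there.
$share = "\\$Target\$PatchDir"
try {
    if (-not (Test-Path $share)) {
        New-Item -ItemType Directory -Path $share -ErrorAction Stop | Out-Null   # LanGuard creates it anyway
    }
    $probe = Join-Path $share ("preflight-{0}.tmp" -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item -Path $probe -ErrorAction Stop
    $results['Admin share write'] = 'OK'
} catch { $results['Admin share write'] = "FAIL: $($_.Exception.Message)" }

# 3. Return channel: the Patch Agent service on the target must reach TCP/$ServerPort on the
#    server. The test is executed on the target over WinRM (assumption: WinRM is enabled);
#    on targets without it the check is reported as skipped rather than failed.
try {
    $tnc = Invoke-Command -ComputerName $Target -ArgumentList $Server, $ServerPort -ErrorAction Stop -ScriptBlock {
        param($s, $p)
        Test-NetConnection -ComputerName $s -Port $p -WarningAction SilentlyContinue
    }
    $results["Target -> server TCP/$ServerPort"] = if ($tnc.TcpTestSucceeded) { 'OK' } else { 'FAIL' }
} catch { $results["Target -> server TCP/$ServerPort"] = "SKIPPED: $($_.Exception.Message)" }

# 4. A Patch Agent service left over from an earlier run means a deployment is still in
#    progress (or was interrupted); it should be absent between deployments.
$agent = Get-Service -ComputerName $Target -DisplayName '*Patch Agent*' -ErrorAction SilentlyContinue
$results['Patch Agent service present'] = if ($agent) { "yes ($($agent.Status))" } else { 'no (expected)' }

$results.GetEnumerator() | ForEach-Object { '{0,-34} {1}' -f $_.Key, $_.Value }
```

A failure in check 1 or 2 shows up as the deployment never starting; a failure in check 3 shows up later as the "no feedback received" timeout described below, because the agent installs patches but cannot report back.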
- Every time the GFI LanGuard Server receives a communication from the Patch Agent service it resets the timeout counter. If the timeout configured in the patch deployment settings (600 seconds by default) expires before the final result is received, a message will be shown in the UI stating that the deployment might have failed since no feedback was received. This could be due to one of the following conditions:
- The Patch Agent service fails to connect to the GFI LanGuard Server's communications port.
- A patch is taking longer to deploy than the timeout setting (Service Packs, Internet Explorer version upgrades, .NET framework patches, etc.)
- If the timeout is reached, the message is displayed, the remaining patches are listed as "failed", and the LanGuard server moves on to deploy to the next machine in the list. However, the Patch Agent service on the target continues to install the remaining patches and may install them all successfully. A rescan is therefore required to verify whether the patches were in fact installed.
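After a timeout, the practical questions are whether the agent is still running on the target and which of the "failed" patches actually landed. The script below is an added example, not part of the product; it waits for the Patch Agent service to disappear, compares a constructed list of expected KB numbers against what the target reports, and reads the pending-reboot flags through the remote registry. The target name, the KB list and the service display name wildcard are assumptions; it needs Windows PowerShell 5.1 for the -ComputerName parameters.

```powershell
# Added post-timeout verification (not GFI code). Run from the LanGuard server.
$Target         = 'WS01'                                       # assumed target name
$ExpectedKBs    = @('KB4474419', 'KB4490628', 'KB4516065')     # constructed sample list
$MaxWaitMinutes = 60

function Get-PatchAgent {
    # Display name is assumed to contain "Patch Agent"; adjust if your build differs.
    Get-Service -ComputerName $Target -DisplayName '*Patch Agent*' -ErrorAction SilentlyContinue
}

# 1. While the Patch Agent service exists, deploypatches.bat is still executing on the target.
#    Wait for it to finish instead of starting a second deployment on top of it.
$deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
while ((Get-PatchAgent) -and ((Get-Date) -lt $deadline)) {
    Write-Host "Patch Agent still present on $Target, waiting..."
    Start-Sleep -Seconds 60
}
if (Get-PatchAgent) {
    Write-Warning "Patch Agent still present after $MaxWaitMinutes minutes; inspect \\$Target\C$\Windows\Patches on the target."
}

# 2. Quick check of what the target reports as installed. Get-HotFix (Win32_QuickFixEngineering)
#    does not list every installer type (IE upgrades, some .NET packages), so a LanGuard rescan
#    remains the authoritative check; this only tells you what to expect from it.
$installed = Get-HotFix -ComputerName $Target -ErrorAction Stop | Select-Object -ExpandProperty HotFixID
$report = foreach ($kb in $ExpectedKBs) {
    [pscustomobject]@{ Patch = $kb; Installed = ($installed -contains $kb) }
}
$report | Format-Table -AutoSize

# 3. Pending reboot flags, read over the same remote registry channel LanGuard uses.
#    Patches that need a restart only show as installed after it.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
$rebootKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pending = $rebootKeys | Where-Object { $null -ne $hklm.OpenSubKey($_) }
$hklm.Close()
if ($pending) {
    Write-Warning "$Target has a pending reboot ($($pending -join '; ')); rescan after it restarts."
}
```

Raising the deployment timeout for machines that receive service packs or .NET updates avoids the situation in the first place; the wait loop above is for the case where the timeout has already fired.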
- When using a batch script in a Custom Software Install that triggers an installer on a network share, ensure that the Patch Agent service has sufficient permissions to access that share. By default the Patch Agent service runs in the context of Local System, which authenticates to remote shares as the target's computer account (DOMAIN\COMPUTERNAME$), so the share and NTFS permissions must grant that account read access. If this is not suitable, specify a dedicated user in the deployment options.
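Whether the installer share is reachable is decided on the file server, at both the share ACL and the NTFS ACL. The script below is an added example, not GFI tooling; it runs on the file server hosting the share, works out which identity the Patch Agent will present (the target's computer account for Local System, or the configured deployment user), and reports whether each ACL layer grants it read access directly or through a broad group. The share, domain, target and user names are assumptions, and the SMB cmdlets require Windows 8 / Server 2012 or later.

```powershell
# Added share-permission check for Custom Software Install sources (not GFI code).
# Run on the file server that hosts the installer share.
param(
    [string]$ShareName   = 'Installers',   # assumed share name
    [string]$Domain      = 'CORP',         # assumed NetBIOS domain name
    [string]$Target      = 'WS01',         # assumed target computer name
    [string]$ServiceUser = ''              # deployment-options user; empty = agent runs as Local System
)

# Local System reaches a remote share as DOMAIN\COMPUTER$; a configured user is presented as itself.
if ($ServiceUser) {
    $identity = $ServiceUser
    $broad    = @('Everyone', 'NT AUTHORITY\Authenticated Users', "$Domain\Domain Users")
} else {
    $identity = "$Domain\$Target`$"
    $broad    = @('Everyone', 'NT AUTHORITY\Authenticated Users', "$Domain\Domain Computers")
}

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Share-level ACL: who is allowed, and who is explicitly denied.
$shareAces  = Get-SmbShareAccess -Name $ShareName
$shareAllow = $shareAces | Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object { [string]$_.AccountName }
$shareDeny  = $shareAces | Where-Object { $_.AccessControlType -eq 'Deny'  } | ForEach-Object { [string]$_.AccountName }

# NTFS ACL on the share's folder: any Allow ACE carrying a Read right (or Full Control).
$ntfsAces  = (Get-Acl -Path $share.Path).Access
$ntfsAllow = $ntfsAces | Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -match 'Read|FullControl') } |
             ForEach-Object { [string]$_.IdentityReference }
$ntfsDeny  = $ntfsAces | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object { [string]$_.IdentityReference }

function Get-MatchingPrincipals([string[]]$Principals) {
    # Returns the principals that cover $identity, either exactly or via a broad group.
    $Principals | Where-Object { $_ -eq $identity -or $broad -contains $_ }
}

$result = [pscustomobject]@{
    Identity        = $identity
    SharePath       = $share.Path
    ShareAllowedVia = (Get-MatchingPrincipals $shareAllow) -join ', '
    ShareDeniedVia  = (Get-MatchingPrincipals $shareDeny)  -join ', '
    NtfsAllowedVia  = (Get-MatchingPrincipals $ntfsAllow)  -join ', '
    NtfsDeniedVia   = (Get-MatchingPrincipals $ntfsDeny)   -join ', '
}
# Effective access is the intersection of both layers, and any Deny wins.
$result | Add-Member -NotePropertyName Readable -NotePropertyValue (
    $result.ShareAllowedVia -and $result.NtfsAllowedVia -and
    -not $result.ShareDeniedVia -and -not $result.NtfsDeniedVia)
$result | Format-List
```

If Readable is false for the computer account, either grant Domain Computers (or the specific machine accounts) read on both layers, or switch the deployment options to a dedicated user and rerun the script with -ServiceUser to confirm that account is covered instead.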