This article provides detailed information related to the process of patch deployment in GFI LanGuard. It also details the communication that takes place between the GFI LanGuard server and the target machines.
Files required for deployment:
- patch installer executables
The following section describes the automated patch deployment process in a step-by-step manner:
GFI LanGuard logs into the target machine and accesses the remote registry.
All required files mentioned for deployment are copied to the target machine by the GFI LanGuard server. By default, this is done via the standard admin shares to C:\Windows\Patches. However, the location can be changed to a custom share through the deployment settings.
NOTE: When the target computer has a GFI LanGuard Agent installed and that agent is configured to use a Relay Agent, the Patch Agent Service requests the patch installer executables from the assigned Relay Agent instead.
Network connectivity and security permissions between the GFI LanGuard console and the target machine can be troubleshot for remote registry and admin share issues.
The batch file deploypatches.bat contains the commands with parameters to install all selected patches silently.
A service called GFI LanGuard Patch Agent service is then installed and started on the machine.
- This service executes the batch file and monitors the status of the patch deployment.
- It sends status updates such as Starting <patch> deployment, Finished <patch> deployment, etc., to the GFI LanGuard server's communications port 1072 (by default) via HTTP.
- The account this service runs under is specified in the deployment settings; by default it is the local system account. Any account used must have local administrator permissions on the target machine as well as the Log on as a service right.
For each patch, a separate temporary batch file is created on-the-fly containing the actual installation commands for that one patch.
The GFI LanGuard Patch Agent Service returns the final result (success or fail) of the deployment to the GFI LanGuard server via the communications port 1072 (by default).
After the patch deployment, the service is uninstalled, and the system continues with performing any additional actions or triggers defined in the batch file, such as rebooting the machine, etc.
- Changes are required on Windows Vista or later machines to allow GFI LanGuard to scan them and deploy updates to them.
- Port 1072 is the default port for communication; however, the port can be changed.
- Every time the GFI LanGuard server receives a communication from the Patch Agent service, it resets the timeout counter. If the timeout configured in the patch deployment settings (600 seconds by default) expires before the final result is received, a message is shown in the UI stating that the deployment might have failed since no feedback was received. This could be due to one of the following conditions:
  - The GFI LanGuard Patch Agent service fails to connect to the GFI LanGuard server's communications port.
  - A patch is taking longer to deploy than the timeout setting. This may occur while installing Service Packs, Internet Explorer version upgrades, .NET Framework patches, etc.
- When the timeout value is reached, the UI lists the remaining patches as failed, and the GFI LanGuard server starts the deployment to the next machine in the list. However, the GFI LanGuard Patch Agent service on the first machine continues to install the remaining patches and may successfully install them all. Therefore, a scan must be run afterwards to verify which patches were actually installed.
- When using a batch script in a Custom Software Install which triggers an installer on a network share, ensure that the Patch Agent service has sufficient permissions to access that share. By default, the Patch Agent service runs in the context of the local system; if this is not suitable, a specific user account can be set in the deployment options.
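The timeout behaviour described in the notes above, as an added illustration that is not GFI code: a small model of the server-side countdown that shows why the UI can list patches as failed which the Patch Agent service goes on to install, and why a follow-up scan is needed. The status message wording follows the article; the closing "Result: success" / "Result: fail" line and the event timestamps are assumptions.

```python
DEFAULT_TIMEOUT = 600.0  # seconds; the patch deployment settings default


def server_verdict(planned, events, timeout=DEFAULT_TIMEOUT):
    """Model of the GFI LanGuard deployment countdown (constructed, not GFI code).

    planned: patch names in deployment order.
    events:  (seconds since the Patch Agent service started, message) pairs in the
             order the server receives them. Messages use the article's wording
             'Starting <patch> deployment' / 'Finished <patch> deployment'; the
             final 'Result: success' / 'Result: fail' form is an assumption.
    Returns what the UI would report next to what the agent actually finished.
    """
    last_heard = 0.0
    credited = []           # finished before the countdown expired (UI view)
    actually_finished = []  # finished at any time (the agent keeps installing)
    timed_out = False
    final = None
    for t, msg in events:
        if not timed_out and t - last_heard > timeout:
            timed_out = True        # UI already shows "might have failed"
        if not timed_out:
            last_heard = t          # every message resets the countdown
        if msg.startswith("Finished ") and msg.endswith(" deployment"):
            patch = msg[len("Finished "):-len(" deployment")]
            actually_finished.append(patch)
            if not timed_out:
                credited.append(patch)
        elif msg.startswith("Result: ") and not timed_out:
            final = msg[len("Result: "):]
    if final is None:
        timed_out = True            # countdown expires with no final result
    ui_status = "timeout" if timed_out else final
    ui_failed = [] if ui_status == "success" else [p for p in planned if p not in credited]
    return {
        "ui_status": ui_status,
        "ui_failed": ui_failed,
        "agent_finished": actually_finished,
        "rescan_needed": timed_out,
    }


# Constructed scenario: a Service Pack takes ~25 minutes with no interim messages.
SLOW_SP_EVENTS = [
    (0, "Starting KB-A deployment"), (30, "Finished KB-A deployment"),
    (31, "Starting SP-B deployment"), (1500, "Finished SP-B deployment"),
    (1501, "Starting KB-C deployment"), (1520, "Finished KB-C deployment"),
    (1521, "Result: success"),
]
```

Raising the deployment timeout (or lowering the batch size) for machines that need Service Packs avoids the spurious failure, as the same scenario with `timeout=3600` shows.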