Overview
This article describes the patch deployment process in GFI LanGuard and how it works.
Requirements
Files required for deployment:
- patchagent.exe
- deploypatches.bat
- patch installer executables
Process
- GFI LanGuard logs into the target machine and accesses the remote registry.
- All required files mentioned for deployment are copied to the target machine by the GFI LanGuard server.
- By default, this is done via the standard admin shares to C:\Windows\Patches. However, the location can be changed to a custom share through the deployment settings.
NOTE: When the target computer has a GFI LanGuard Agent installed and that agent is configured to use a Relay Agent, patch installer executables are requested by the Patch Agent Service from the assigned Relay Agent.
- If there are issues with the remote registry or the admin shares, troubleshoot network connectivity and security permissions from the GFI LanGuard console to the target machine.
- The batch file deploypatches.bat contains the commands with parameters to install all selected patches silently.
- A service called GFI LanGuard Patch Agent service is then installed and started on the machine.
- This service executes the batch file and monitors the status of the patch deployment.
- It sends status updates ("Starting <patch> deployment", "Finished <patch> deployment") to the GFI LanGuard server's communications port 1072 (by default) via HTTP.
- The credentials for this service are specified in the deployment settings (the local system account by default). The account should have local administrator permissions on the target machine as well as the Log on as a service right.
- For each patch, a separate temporary batch file is created on-the-fly containing the actual installation commands for that one patch.
- The GFI LanGuard Patch Agent Service returns the final result (success or fail) of the deployment to the GFI LanGuard server via the communications port 1072 (by default).
- After the patch deployment, the service is uninstalled and any additional actions defined in the batch file, such as rebooting the machine, are triggered.
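A pre-flight check for the prerequisites the process above depends on (the admin share, remote registry access, and the server's communications port), given here as an added PowerShell example that is not GFI's own code. The `-Target` parameter, the marker file name and the script layout are assumptions; run it on the GFI LanGuard server under the account used for deployment.

```powershell
# Added example (not GFI code): pre-flight checks for the deployment prerequisites.
# Assumption: run on the GFI LanGuard server as the account used for deployment.
param(
    [Parameter(Mandatory)] [string] $Target,  # target machine name (operator-supplied)
    [int] $CommsPort = 1072                   # communications port, default per the article
)

$checks = [ordered]@{}

# Admin shares travel over SMB (TCP 445); test the port first to separate
# network/firewall problems from permission problems.
$smb = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
$checks['TCP 445 reachable'] = $smb.TcpTestSucceeded

# Admin share: prove write access by creating and removing a marker file
# (hypothetical file name, removed immediately).
$share  = '\\{0}\admin$' -f $Target
$marker = Join-Path $share ('preflight_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
try {
    New-Item -Path $marker -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $marker -ErrorAction Stop
    $checks['admin$ writable'] = $true
} catch {
    $checks['admin$ writable'] = $false
}

# Remote registry: open a hive on the target to confirm it can be accessed remotely.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    $hklm.Close()
    $checks['Remote registry accessible'] = $true
} catch {
    $checks['Remote registry accessible'] = $false
}

# Communications port: confirm something is listening locally on the server.
# The target-to-server path has to be tested from the target itself, e.g.
#   Test-NetConnection -ComputerName <server> -Port 1072
$listener = Get-NetTCPConnection -LocalPort $CommsPort -State Listen -ErrorAction SilentlyContinue
$checks["Server listening on $CommsPort"] = [bool]$listener

# Emit one object per check so the result can be filtered or exported.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
}
```

A failed TCP 445 test points to network or firewall causes, while a reachable port with a failed share or registry check points to permissions.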
NOTES:
- Changes are required on Windows XP SP2/2003 machines to allow GFI LanGuard to scan and deploy updates to it.
- Every time the GFI LanGuard server receives a communication from the Patch Agent service, it resets the timeout counter. If the timeout configured in the patch deployment settings (600 seconds by default) expires before the final result is received, a message is shown in the UI stating that the deployment might have failed since no feedback was received. This could be due to one of the following conditions:
- The Patch Agent service fails to connect to the GFI LanGuard server's communications port.
- A patch takes longer to deploy than the timeout setting (for example, Service Packs, Internet Explorer version upgrades, .NET framework patches, etc.).
- If the timeout is reached, the message is displayed, the remaining patches are listed as failed, and the LanGuard server starts a deployment to the next machine in the list. However, the Patch Agent service continues to install the remaining patches and may successfully install them all. Therefore, a scan must be done to verify the installation of the patches.
- When using a batch script in a Custom Software Install which triggers an installer on a network share, ensure that the Patch Agent service has sufficient permissions to access the network share. By default, the Patch Agent service runs in the context of the local system. If this is not suitable, one can specify a specific user in the deployment options.
Related Article
Unable to Deploy Patches - Error: The service did not start due to a logon failure.