As I've been refused support (Gold Business Support) by McAfee due to running a 3rd party script (which I don't think is the problem here), I came here to get some help and hope that someone has an idea what's wrong.
I've been having some issues with script deployment using McAfee EPO, which deploys the files but fails the install with an unknown error (which is very helpful).
Anyway, a little overview of what I am trying to achieve: in our company we have around 130ish odd laptops that are currently off our domain (purposely), so group policy is a no. I've been tasked to get Automatic Updates enabled on those laptops via a script deployed via McAfee EPO, as it's the only link to those laptops.
I have now created 5 different scripts. Each of them is different, but they do the same thing: changing a registry key value from 1 to 4. Simple! And all 5 scripts work perfectly on my test laptop locally.
Packaging the script up using "ePO.Endpoint.Deployment.Kit.9.6.0" and uploading it to the Master Repository to create a new Task all works well, until you run the task on that specific Laptop and all I get is failed to install the .zip file.
Now when running cmtrace.exe to look at the live "masvc_PXXXX.log" while deploying the task, these error messages appear at the same time I receive the message on the McAfee Agent Monitor on the laptop: "Error occurred while installing WINUPDAT1009.zip".
2017-01-23 14:13:40.198 masvc(1788.1876) Updater.Info: Script Event msg iEventId "0" iSeverity "4" iProductId "VIRUSCAN8800" iLocale "0000" iUpdateType "DAT" iUpdateState "8" iUpdateError "0" iNewVersion "8416.0000" iDateTime "20170123"
2017-01-23 14:13:40.199 masvc(1788.1876) policybag.Warning: returning default policy for section=AGENT\CONFIGURATION , key=AgentVersion , value=5.0.0
2017-01-23 14:13:40.436 masvc(1788.1876) Updater.Info: Script Event msg iEventId "0" iSeverity "0" iProductId "" iLocale "0409" iUpdateType "" iUpdateState "17" iUpdateError "0" iNewVersion "" iDateTime ""
2017-01-23 14:13:44.742 masvc(1788.1876) Updater.Info: Script Event msg iEventId "0" iSeverity "0" iProductId "EPOAGENT3000" iLocale "0409" iUpdateType "N/A" iUpdateState "1" iUpdateError "0" iNewVersion "N/A" iDateTime "N/A"
Hope someone can make sense of these errors, or tell whether they relate to the problem.
This is my Script which works perfectly fine locally.
File name: AutoUpdateEnabled.bat
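:: Set path to current product folder
:: Count the command-line arguments passed to the script
set argC=0
for %%x in (%*) do Set /A argC+=1
:: Get software package source directory and set as variable SRCDIR
for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a
if %argC%==0 GOTO INSTALL
if %1==uninstall GOTO UNINSTALL
:INSTALL
:: Silently import the .reg file from the package source directory
%comspec% /c %systemroot%\regedit.exe /s "%SRCDIR%\AutoUpdateEnabled.reg"
goto :EOF
:UNINSTALL
goto :EOF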
Calls the reg file: AutoUpdateEnabled.reg
Windows Registry Editor Version 5.00
These are the steps I did to package those two files up.
Run the ePO Endpoint Deployment Kit, select the folder with those two files, fill in the remaining fields as seen in the screenshot and click build package.
On ePO upload it into the Master Repository and create a task with that deployment.
Hope someone can spot something I am doing wrong as I've been working on this for the last two weeks straight, and am at the point of running out of things to try.
I have had much success with adding/deleting a registry key through WinRar: add the reg file to a WinRar archive (right click the reg file and "add to archive" <> save as sfx <> add the following command in the Archive Comment):
;The comment below contains SFX script commands
Setup=regedit /s "C:\Temp\****.reg"
EEDK the SFX file <> check-in to the ePO repository <> create a task with a command line of /s
Shame it still fails with the same error.
It goes through the motions on the Agent Monitor
Error occurred while installing WINUPDAT1009.
It looks like McAfee doesn't like the package at all.
This is what the *.reg file contains...
Windows Registry Editor Version 5.00
GPO doesn't come into play here as these laptops are on a workgroup rather than our domain, and the local policy doesn't seem to indicate that the registry is being blocked. Also, if it were, then manually running it on my test laptop would technically fail.
I have disabled On Access Protection in McAfee just to rule out that it's something silly like that, which hasn't made the slightest difference.
Also I doubt it's permissions talking back to the EPO server which is on our domain, as I am getting the same error on my work laptop which is on the domain.
You wouldn't know if the user account of whatever user created the package for McAfee ePO somehow gets assigned to the ZIP file it creates? Just a thought this is....
You may be dealing with a rights issue; "EPO server which is on our domain" yet the "laptops are on a workgroup rather than our domain" .... "manually running it on my test laptop would technically fail" - you may be running under the local admin - depending on if the account you are using to log in to your test laptop has local admin rights - just a guess.
Try dumping the actual reg file in the Temp folder on one of those non-domain laptops and then: psexec \\IP or FQDN -s -i regedit /s "c:\Temp\****.reg"
If that works (check the reg to confirm), my guess is it may not due to rights, then try: psexec \\IP or FQDN -s -i "c:\Temp\****.exe" <> exe is the winrar with the regedit
Why have you complicated your script so much?
You could just use:
reg add command
and maybe a:
reg query to test the presence of the value 0x4 and if it fails to set, then your script should change the Custom reg key to let's say 3.
Also use Tao's solution with the winrar --> sfx and for the unpack use the %windir%\temp\ folder.
If you use another folder, make sure it exists on those computers, and if it doesn't, create it with the mkdir command in your script. Keep in mind that this script will be running with the system account.
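An added example, not part of the thread, of the reg add / reg query approach suggested above, written for a script launched by an agent under the SYSTEM account: it logs its execution context to %windir%\Temp and returns a non-zero exit code when the value was not set. REGKEY, REGVAL and the log file name are placeholders, since the thread does not show the real key.

```bat
@echo off
:: Added example: set one DWORD with reg.exe, read it back, and log each step
:: so a failed agent-driven run can be diagnosed afterwards.
:: REGKEY, REGVAL and LOG are placeholders, not values taken from the thread.
setlocal
set "REGKEY=HKLM\SOFTWARE\ExampleVendor\ExamplePolicy"
set "REGVAL=ExampleOption"
set "WANTED=4"
set "LOG=%windir%\Temp\regset_example.log"

:: Record who is running the script and from where. PROCESSOR_ARCHITEW6432 is
:: only defined for a 32-bit process on 64-bit Windows, where writes under
:: HKLM\SOFTWARE are redirected to the 32-bit registry view.
>>"%LOG%" echo ==== %date% %time% ====
>>"%LOG%" echo user=%USERNAME% cwd=%cd% script=%~dp0
>>"%LOG%" echo arch=%PROCESSOR_ARCHITECTURE% wow64=%PROCESSOR_ARCHITEW6432%

:: Write the value; /f overwrites an existing value without prompting.
reg add "%REGKEY%" /v "%REGVAL%" /t REG_DWORD /d %WANTED% /f >>"%LOG%" 2>&1
if errorlevel 1 (
    >>"%LOG%" echo reg add failed
    exit /b 1
)

:: Read the value back. reg query prints DWORDs in hex (0x4), so this
:: comparison assumes WANTED is a single digit below 10.
set "CUR="
for /f "tokens=3" %%v in ('reg query "%REGKEY%" /v "%REGVAL%" 2^>nul ^| findstr /i /c:"%REGVAL%"') do set "CUR=%%v"
if /i not "%CUR%"=="0x%WANTED%" (
    >>"%LOG%" echo verify failed: %REGVAL% reads "%CUR%", expected 0x%WANTED%
    exit /b 2
)

>>"%LOG%" echo OK: %REGVAL% set to 0x%WANTED%
exit /b 0
```

After a deployment that reports success without changing the registry, the log shows which account and working directory the script actually ran with and which step failed.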
Sorry for getting back a couple of days later, a colleague had nicked my testing laptop so I was not able to do any more testing.
@ jabii - That was my very first script, a simple add reg command, which worked perfectly running it on the laptop itself but deploying it via McAfee it failed. And googling it, some people mentioned McAfee doesn't like simple scripts and would require something more complex, that's why I ended up with this one now... with which I'm having no luck either.
@tao - Yeah tried those two commands both work perfectly on the laptop itself.
Though I did make some progress, McAfee Agent Monitor is now not reporting that the install of my WINUPDAT package fails. It's completing successfully. Though still not running my script as the registry has not changed, but the files have been extracted to the c:\temp folder. All I changed this time is running the Deployment Kit as my domain admin account rather than the local admin, I assume then that the tool kit does keep a reference to what account has created this package and uses it to authenticate to the ePO !?
Which I am going to try the WinRAR method again now that McAfee does deploy the package.