I work for a state dept. and we get our ePO updates pushed. However, every time ePO needs updating the .msi file cannot run without having admin rights. So when ever a user logs in the installer tries to run, cant, and errors out. The installer tries to run out of the Common Framework directory, and the permissions on that are set to Everyone with read only access. The issue can be resolved temporarily by changing the permissions to either have read/execute or Authenticated Users with modify rights (our standard). However, once the installer runs the permissions get changed back to Everyone with read only. The ePO administrator seems to think that it has something to do with the way our image is setup, but after reviewing the kb article here:
No, not dat updates. I am talking about updates to ePO itself. For instance they pushed an update from v3.6 to 4.0 then from 4.0 to 22.214.171.1245 and the latest from 126.96.36.1995 to 188.8.131.522
Each time it pushes an installer called mfeagent.msi to the common framework directory and tries to run from there, but cant. So every time there is an update the whole organization gets an error message saying MFEagent.msi cannot run, until I go run it manually. And each time I run it manually it changes the permissions on the Common Framework directory back to Everyone with Read Only.....
Have you tried a manual push from the ePO console and using the domain admin credentials? Or try creating a new framepkg.exe, the update services should be running with a local system account with admin rights.
Thanks for the post Schoeys. Unfortunately the ePO admin is not in the same city as we are. We are currently in the process of splitting off onto our own network, but that will be at least another 6mos-1yr.
In the mean time I have been in contact with the ePO admin and he has tried a manual push with no success. According it him the update services are running under Domain Admin group which is present on all our machines as an admin group, but again I am unable to verify this...I am only taking his word.
Thanks again for your assistance. There is another person with the exact same issue about five/six threads down.
No Problem Sorry couldn't help more, but did have a thought, as it works under and admin acccount, is the issue a conflict between a GPO and virusScan console stopping the msi from running? You have the problem though of not having access to the logs on the ePO server which might be of more help to you. Strange about permissions, we're citrix so the PC's don't sit on the domain and the msi's run fine when pushed out.