11 Replies Latest reply on Jan 27, 2017 7:35 AM by tao

    McAfee EPO script deployment fails

    richsaro

      Hello,

       

      As I've been refused support (Gold Business Support) by McAfee due to running a 3rd party script (which I don't think is the problem here), I came here to get some help and hope that someone has an idea what's wrong.

       

      I've been having some issues with script deployment using McAfee EPO, which deploys the files but fails the install with an unknown error (which is very helpful).

       

      Anyway, a little overview of what I am trying to achieve: in our company we have around 130ish odd laptops that are currently off our domain (purposely), so group policy is a no. I've been tasked to get Automatic Updates enabled on those laptops via a script deployed via McAfee EPO, as it's the only link to those laptops.

       

      I have now created 5 different scripts; each of them is different, but they all do the same thing: changing a registry key value from 1 to 4. Simple! And all 5 scripts work perfectly on my test laptop locally.

      Packaging the script up using "ePO.Endpoint.Deployment.Kit.9.6.0" and uploading it to the Master Repository to create a new Task all works well, until you run the task on that specific Laptop and all I get is failed to install the .zip file.

       

      Now when running cmtrace.exe to look at the live "masvc_PXXXX.log" while deploying the task, these error messages appear at the same time I receive the message on the McAfee Agent Monitor on the laptop: "Error occurred while installing WINUPDAT1009.zip".


      2017-01-23 14:13:40.198 masvc(1788.1876) Updater.Info: Script Event msg iEventId "0" iSeverity "4" iProductId "VIRUSCAN8800" iLocale "0000" iUpdateType "DAT" iUpdateState "8" iUpdateError "0" iNewVersion "8416.0000" iDateTime "20170123"

       

      2017-01-23 14:13:40.199 masvc(1788.1876) policybag.Warning: returning default policy for section=AGENT\CONFIGURATION , key=AgentVersion , value=5.0.0

       

      2017-01-23 14:13:40.436 masvc(1788.1876) Updater.Info: Script Event msg iEventId "0" iSeverity "0" iProductId "" iLocale "0409" iUpdateType "" iUpdateState "17" iUpdateError "0" iNewVersion "" iDateTime ""

       

      2017-01-23 14:13:44.742 masvc(1788.1876) Updater.Info: Script Event msg iEventId "0" iSeverity "0" iProductId "EPOAGENT3000" iLocale "0409" iUpdateType "N/A" iUpdateState "1" iUpdateError "0" iNewVersion "N/A" iDateTime "N/A"

       

      Hope someone can make sense of these errors, or tell whether they relate to the problem?

       

      This is my Script which works perfectly fine locally.

       

      File name: AutoUpdateEnabled.bat

       

      @echo off

      :: Count the arguments passed to the script
      set argC=0
      for %%x in (%*) do set /A argC+=1

      :: Set path to current product folder
      pushd "%~dp0"

      :: Get software package source directory and set as variable SRCDIR
      set SRCDIR=
      for /f "delims=" %%a in ('cd') do @set SRCDIR=%%a

      :: No arguments means install; "uninstall" as first argument skips the import
      if %argC%==0 GOTO INSTALL
      if /i "%~1"=="uninstall" GOTO UNINSTALL

      :INSTALL
      :: Silently import the .reg file that sits next to this script
      %comspec% /c %systemroot%\regedit.exe /s "%SRCDIR%\AutoUpdateEnabled.reg"
      GOTO END

      :UNINSTALL
      GOTO END

      :END
      popd

       

      Calls the reg file: AutoUpdateEnabled.reg

       

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
      "AUOptions"=dword:00000004

       

      These are the steps I did to package those two files up.

      Run the ePO Endpoint Deployment Kit, select the folder with those two files, fill in the remaining fields as seen in the screenshot and click build package.

      EEK.jpg

       

      On ePO upload it into the Master Repository and create a task with that deployment.

       

      Hope someone can spot something I am doing wrong as I've been working on this for the last two weeks straight, and am at the point of running out of things to try.

        • 1. Re: McAfee EPO script deployment fails
          catdaddy

          richsaro,

           

          Moved from;

          Support Forums to ePolicy Orchestrator (ePO)>Discussions

          For better exposure and assistance.

          • 2. Re: McAfee EPO script deployment fails
            tao

            I have had much success with adding/deleting a registry through WinRar: add the reg file to a WinRar archive (right click the reg file and "add to archive") <> save as sfx <> add the following command in the Archive Comment:

             

            ;The comment below contains SFX script commands

            Path=C:\Temp\
            SavePath
            Setup=regedit /s "C:\Temp\****.reg"
            Silent=1
            Overwrite=1

             

             

            EEDK the SFX file <> check-in to the ePO repository <> create a task with a command line of /s

            • 3. Re: McAfee EPO script deployment fails
              richsaro

              Hmm, that's quite a good idea. I'll try that one and post if it was successful.

               

              Thanks

              • 4. Re: McAfee EPO script deployment fails
                richsaro

                Shame it still fails with the same error.

                 

                It goes through the motions on the Agent Monitor

                 

                Installing WINUPDAT1009.

                Verifying AutoUpdateScripting.exe

                Error occurred while installing WINUPDAT1009.

                 

                It looks like McAfee doesn't like the package at all.

                • 5. Re: McAfee EPO script deployment fails
                  tao

                  Double check the registry to confirm - Wondering, are there GPOs or McAfee access protection rules in place that would lock down reg keys?

                  • 6. Re: McAfee EPO script deployment fails
                    richsaro

                    This is what the *.reg file contains...

                     

                     

                    Windows Registry Editor Version 5.00

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
                    "AUOptions"=dword:00000004

                     

                    GPO doesn't come into play here as these laptops are on a workgroup rather than our domain, and the local policy doesn't seem to indicate that the registry is being blocked. Also, if it were, then manually running it on my test laptop would technically fail.

                    I have disabled On Access Protection in McAfee just to rule out that it's something silly like that, which hasn't made the slightest difference.

                    Also I doubt it's permissions talking back to the EPO server which is on our domain, as I am getting the same error on my work laptop which is on the domain.

                     

                    You wouldn't know if whichever user created the package for McAfee ePO, that user account somehow gets assigned to the ZIP file it creates? Just a thought this is....

                    • 7. Re: McAfee EPO script deployment fails
                      tao

                      You may be dealing with a rights issue; "EPO server which is on our domain" yet the "laptops are on a workgroup rather than our domain" .... "manually running it on my test laptop would technically fail" - you may be running under the local admin - depending on if the account you are using to log in to your test laptop has local admin rights - just a guess.

                       

                      Try dumping the actual reg file in the Temp folder on one of those non-domain laptops and then: psexec \\IP or FQDN -s -i regedit /s "c:\Temp\****.reg"

                       

                      If that works (check the reg to confirm), my guess is it may not due to rights, then try: psexec \\IP or FQDN -s -i "c:\Temp\****.exe" <> exe is the winrar with the regedit

                      • 8. Re: McAfee EPO script deployment fails
                        jabii

                        Why have you complicated your script so much?

                        You could just use:

                         

                        reg add command

                         

                        and maybe a:

                         

                        reg query to test the presence of the value 0x4 and if it fails to set, then your script should change the Custom reg key to let's say 3.

                         

                        Also use tao's solution with the winrar --> sfx and for the unpack use the %windir%\temp\ folder.

                        If you use another folder, make sure it exists on those computers and if it doesn't, create it with the mkdir command in your script. Keep in mind that this script will be running with the system account.
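The `reg add` plus `reg query` approach suggested in the post above, as an added example that is not part of the original thread: the key and value come from the .reg file posted earlier, while the log file name is a hypothetical choice. It logs to %windir%\Temp and returns a non-zero exit code when the value does not read back as 0x4, which helps when the script runs under the SYSTEM account with no console to watch.

```batch
@echo off
setlocal

:: Key and value taken from the .reg file in this thread.
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
:: Hypothetical log file name; %windir%\Temp is writable by the SYSTEM account.
set "LOG=%windir%\Temp\AutoUpdateEnabled.log"

:: Record when, from where and as which account the script actually ran.
>>"%LOG%" echo [%date% %time%] started from "%~dp0"
whoami >>"%LOG%" 2>&1

:: Write AUOptions=4 without prompting (/f); capture any error text in the log.
reg add "%KEY%" /v AUOptions /t REG_DWORD /d 4 /f >>"%LOG%" 2>&1
if errorlevel 1 (
    >>"%LOG%" echo reg add failed
    exit /b 1
)

:: Read the value back and require exactly 0x4 (the $ stops 0x40 from matching).
reg query "%KEY%" /v AUOptions 2>>"%LOG%" | findstr /r /i /c:"AUOptions  *REG_DWORD  *0x4$" >nul
if errorlevel 1 (
    >>"%LOG%" echo AUOptions did not read back as 0x4
    exit /b 2
)

>>"%LOG%" echo AUOptions verified as 0x4
exit /b 0
```

The log shows whether the script was launched at all and under which account, separately from whether the registry write succeeded.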

                        • 9. Re: McAfee EPO script deployment fails
                          richsaro

                          Sorry for getting back a couple of days later, a colleague had nicked my testing laptop so I was not able to do any more testing.

                           

                          Anyway....

                           

                          @ jabii - That was my very first script, a simple add reg command, which worked perfectly running it on the laptop itself, but deploying it via McAfee it failed. And googling it, some people mentioned McAfee doesn't like simple scripts and would require something more complex, that's why I ended up with this one now... which I'm having no luck with either.

                           

                          @tao - Yeah tried those two commands both work perfectly on the laptop itself.

                           

                          Though I did make some progress, McAfee Agent Monitor is now not reporting that the install of my WINUPDAT package fails. It's completing successfully. Though still not running my script as the registry has not changed, but the files have been extracted to the c:\temp folder. All I changed this time is running the Deployment Kit as my domain admin account rather than the local admin, I assume then that the tool kit does keep a reference to what account has created this package and uses it to authenticate to the ePO !?

                          Which I am going to try the WinRAR method again now that McAfee does deploy the package.
