- This applies to GFI LanGuard 2011 (10.2 Build 20111128). However, it should work for version 9 also.
- Java Updates.
I have been using GFI LanGuard for quite a long time now. Also I have been pretty happy with GFI's products and support. However I noticed that their forums were full of folks that seemed dissatisfied with the product. It seems it was mostly in the "non-Microsoft" patch area. I have been using it as I said, pretty successfully keeping my domain updated--especially with the annoying Java and Flash updates that are released oh every 5 seconds. Well not really but if you are reading this, you understand.
For the past month or so, though, I have been experiencing issues deploying both Flash and Java, but more so Java updates. I can make a Flash post separately, so let's focus on Java. This may be old news to some, but I'll share what I have learned so far; as it is, the GFI forums aren't very helpful, and neither is their non-existent knowledgebase.
These are the procedures I use to update Java on my client computers. Note, I personally don't worry about the Autoupdate notifications, but you can modify the procedures how you want if you would rather "neuter" Java notifications. There are quite a few tutorials on how to do that on the web, so I won't go into that here.
The Issues
The issues I have encountered have been the following:
- Installation saying it is "complete" indicating it was successful. Checking the client for the Java installation reveals it wasn't installed or updated
- Installation does not upgrade properly and creates multiple Java installs
- Installation fails with error: "PatchAgent is performing another remediation session on the target computer"
The last one is more related to GFI not completing a task and being stuck in memory. If you run into this problem fix it first before trying to install anything. Note the machines that have the error and kill the process with a simple batch file which you can shoot to them all:
taskkill /F /IM PatchAgent.exe
Remember you can use the Deploy Custom Software menu to shoot this batch to all those you noted.
Now I know that GFI can deploy Java using the "Deploy Security Patches" menu and usually does a good job, but I don't know exactly what it does to install it. I asked their support if it removed the old instance then installed the new and they basically said, 'it performs an upgrade.' However their reply wasn't very informative. So I prefer to use "Deploy Custom Software" for Java and Adobe products.
The reason for this is because at least I know it is a clean install and I know exactly what functions it is performing. Before installing any Java update it is good practice to remove the old Java install. There are several ways of doing this, but I use what I recently learned, using WMIC.
My GFI workstation has a pretty organized "Updates" directory locally. What I do is simply store scripts and GFI XML files that store preconfigured installation sets that I can later use. In my Java folder I store a batch file which I simply named "java-remove.bat" with the following code:
wmic /FAILFAST:ON product where "name like 'Java%%'" call uninstall /nointeractive
You can run this all in one line. In order for the batch file to uninstall any instance of Java, be sure to use Java%% and not just Java% for a batch file (inside a batch file the command interpreter consumes a single %, so %% is what passes a literal % wildcard to WMIC). This batch file is handy to use if you also just want to remove Java from any client using GFI to deploy it as custom software. The great thing is, you don't have to supply any text document containing a list of computers because LanGuard already enumerates them for you. This means you don't have to use the /node:'ComputerName' switch.
In the same directory I store the Java offline installer. Even though we have some 64-bit operating systems running, I don't bother with 64-bit, I just install 32-bit on all of them. Once it is downloaded, again in LanGuard use the "Deploy Custom Software" menu and add the Java executable file.
Once it is added select custom to supply the following switches:
/s /v /qn REBOOT=ReallySuppress

Hit OK and now export it so you can save the configuration as an XML. I personally add the batch file first then add the Java exe with the switches second, then I export. This allows you to save the XML with both tasks in order.
If you do it this way, WMIC will uninstall all instances of Java before deploying the new Java installation.
Okay, this takes care of performing a clean install using the LanGuard "Deploy Custom Software" option. Now if you are getting "Successful" and "Complete" statuses but you are not seeing the installation on the clients, you should verify that the Java file is named the same as it was when you downloaded it. I am still not satisfied with this being the reason for such a weird issue, but I tested it multiple times. Here is what I discovered:
I was renaming Java downloads to something simple like "Java-6-31.exe" and it seemed to be installing just fine for me. Especially if you test it locally from the command prompt, it will install perfectly. Even over the network via UNC path it will install. For some reason though using LanGuard it only says it installs when it doesn't. According to the processes on the client the msiexec instance continues to run and just sits there. After trying it a dozen times renaming it back to what it was was the only thing that fixed it for me. It installed perfectly. I simply use the same switches GFI uses:
/s /v /qn REBOOT=ReallySuppress
Technically speaking, the /s switch is more than enough to carry out a silent install, but I use what they use, it's difficult enough to get it working in the first place.
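A check for two of the symptoms listed under The Issues (a "complete" status with nothing installed, and multiple Java installs), added here as an example and not part of the original procedure. The file name java-verify.bat and the exit codes are assumptions made for this example; it reuses the filter from java-remove.bat, so it counts every product whose name starts with "Java".

```batch
@echo off
rem java-verify.bat (hypothetical name): run on the client after the
rem uninstall + install deployment has reported "complete".
rem Exit codes chosen for this example:
rem   0 = exactly one matching product, 1 = none, 2 = more than one.
setlocal
set COUNT=0

rem Same WMIC filter as java-remove.bat; %% is doubled because this is a
rem batch file. skip=1 drops the "Name" header row. The inner FOR strips
rem the stray carriage return WMIC leaves on each line, so the trailing
rem blank line is not counted as a product.
for /f "skip=1 delims=" %%A in ('wmic product where "name like 'Java%%'" get name 2^>nul') do (
    for /f "delims=" %%B in ("%%A") do (
        set /a COUNT+=1
        echo Found: %%B
    )
)

if %COUNT% EQU 0 (
    echo FAIL: no Java product is installed on this client.
    exit /b 1
)
if %COUNT% GTR 1 (
    echo FAIL: %COUNT% Java products found, old installs were not removed.
    exit /b 2
)
echo OK: exactly one Java product is installed.
exit /b 0
```

Querying wmic product is slow and makes Windows Installer run a consistency check on every installed MSI package, so run this once after a deployment rather than on a schedule.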
Summary
- Make sure "PatchAgent" is not running from an old deployment
- Uninstall Java using WMIC with a batch file
- Deploy Java with the Custom Software option
- You can combine both the uninstall and the install in the same XML file
- Important: Do not combine the PatchAgent taskkill script with the XML file; it will kill the PatchAgent and it will hang. Unfortunately GFI PatchAgent has to run first before running any scripts, so in effect, it would kill itself instantly. Instead run the PatchAgent script beforehand as a separate deployment if you find some clients have PatchAgent.exe running already.
Hope this helps, so far this works for me.
Update: Having Internet Explorer open on the client machine can sometimes cause issues with silent Java installs too. It's odd, very hit and miss because I have also seen successful installs. If you want you can kill any browsers open before running the above scripts with taskkill /F /IM iexplore.exe (or Firefox.exe).