- This applies to GFI LanGuard 2011 (10.2 Build 20111128); however, it should work for version 9 also.
- Java Updates.
For the past month or so, though, I have been experiencing issues deploying both Flash and Java, but more so Java updates. I can make a Flash post separately, so let's focus on Java. This may be old news to some, but I'll share what I have learned so far. As it is, the GFI forums aren't very helpful, and neither is their non-existent knowledgebase.
These are the procedures I use to update Java on my client computers. Note, I personally don't worry about the Autoupdate notifications, but you can modify the procedures how you want if you would rather "neuter" Java notifications. There are quite a few tutorials on how to do that on the web, so I won't go into that here.
The Issues
The issues I have encountered have been the following:
- Installation saying it is "complete" indicating it was successful. Checking the client for the Java installation reveals it wasn't installed or updated
- Installation does not upgrade properly and creates multiple Java installs
- Installation fails with error: "PatchAgent is performing another remediation session on the target computer"
taskkill /F /IM PatchAgent.exe
Remember you can use the Deploy Custom Software menu to shoot this batch to all those you noted.
Now I know that GFI can deploy Java using the "Deploy Security Patches" menu and usually does a good job, but I don't know exactly what it does to install it. I asked their support if it removed the old instance then installed the new and they basically said, 'it performs an upgrade.' However, their reply wasn't very informative. So I prefer to use "Deploy Custom Software" for Java and Adobe products.
The reason for this is because at least I know it is a clean install and I know exactly what functions it is performing. Before installing any Java update it is good practice to remove the old Java install. There are several ways of doing this, but I use what I recently learned, using WMIC.
My GFI workstation has a pretty organized "Updates" directory locally. What I do is simply store scripts and GFI XML files that store preconfigured installation sets that I can later use. In my Java folder I store a batch file which I simply named "java-remove.bat" with the following code:
wmic /FAILFAST:ON product where "name like 'Java%%'" call uninstall /nointeractive
You can run this all in one line. In order for the batch file to uninstall any instance of Java, be sure to use Java%% and not just Java% for a batch file. This batch file is handy to use if you also just want to remove Java from any client using GFI to deploy it as custom software. The great thing is, you don't have to supply any text document containing a list of computers because LanGuard already enumerates them for you. This means you don't have to use the /node:'ComputerName' switch.
In the same directory I store the Java offline installer. Even though we have some 64-bit operating systems running, I don't bother with 64-bit, I just install 32-bit on all of them. Once it is downloaded, again in LanGuard use the "Deploy Custom Software" menu and add the Java executable file.
Once it is added select custom to supply the following switches:
/s /v /qn REBOOT=ReallySuppress
If you do it this way, WMIC will uninstall all instances of Java before deploying the new Java installation.
Okay, this takes care of performing a clean install using the LanGuard "Deploy Custom Software" option. Now if you are getting "Successful" and "Complete" statuses but you are not seeing the installation on the clients, you should verify that the Java file is named the same as it was when you downloaded it. I am still not satisfied with this being the reason for such a weird issue, but I tested it multiple times. Here is what I discovered:
I was renaming Java downloads to something simple like "Java-6-31.exe" and it seemed to be installing just fine for me. Especially if you test it locally from the command prompt, it will install perfectly. Even over the network via UNC path it will install. For some reason, though, using LanGuard it only says it installs when it doesn't. According to the processes on the client, the msiexec instance continues to run and just sits there. After trying it a dozen times, renaming it back to what it was was the only thing that fixed it for me. It installed perfectly. I simply use the same switches GFI uses:
/s /v /qn REBOOT=ReallySuppress
Technically speaking, the /s switch is more than enough to carry out a silent install, but I use what they use; it's difficult enough to get it working in the first place.
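Since a "Complete" status does not prove the update landed, here is one way to check a client afterwards for the two failure modes above (nothing installed, or several Java installs left behind). This is an added example, not part of the original procedure or of LanGuard; it reads the uninstall registry keys instead of querying WMI again. The -ExpectedVersion parameter and the status names are assumptions made for the example.

```powershell
# Added example (not from the original post): verify the Java deployment on a client.
# Assumption: -ExpectedVersion is the DisplayVersion string of the build you deployed.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedVersion
)

# Native and 32-bit-on-64-bit (Wow6432Node) uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstall {
    # Same 'Java%' name match as java-remove.bat. "Java Auto Updater" is skipped
    # because it is versioned separately from the runtime itself.
    # Sorting by product key removes duplicates when a 32-bit shell sees the
    # same registry view through both paths.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.DisplayName -ne 'Java Auto Updater' } |
        Sort-Object PSChildName -Unique |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

function Get-JavaDeploymentStatus {
    param([object[]]$Installs, [string]$Expected)
    if (-not $Installs) { return 'MISSING' }             # "complete", but nothing installed
    $current = @($Installs | Where-Object { $_.DisplayVersion -eq $Expected })
    if ($current.Count -eq 0) { return 'NOT_UPDATED' }   # only other builds present
    if ($Installs.Count -gt 1) { return 'MULTIPLE' }     # upgrade left extra installs
    return 'OK'
}

$installs = @(Get-JavaInstall)
$status = Get-JavaDeploymentStatus -Installs $installs -Expected $ExpectedVersion

# One summary line per client, followed by every Java entry that was found.
Write-Output ("{0}: {1}" -f $env:COMPUTERNAME, $status)
$installs | ForEach-Object { Write-Output ("  {0} ({1})" -f $_.DisplayName, $_.DisplayVersion) }

# Non-zero exit codes let a wrapper script flag the client for a second pass.
switch ($status) {
    'OK'          { exit 0 }
    'MISSING'     { exit 1 }
    'NOT_UPDATED' { exit 2 }
    'MULTIPLE'    { exit 3 }
}
```

Any client that reports MULTIPLE or NOT_UPDATED still has an older Java runtime on disk and is a candidate for another run of java-remove.bat before redeploying.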
Summary
- Make sure "PatchAgent" is not running from an old deployment
- Uninstall Java using WMIC with a batch file
- Deploy Java with the Custom Software option
- You can combine both the uninstall and the install in the same XML file
- Important: Do not combine the PatchAgent taskkill script with the XML file; it will kill the PatchAgent and it will hang. Unfortunately GFI PatchAgent has to run first before running any scripts, so in effect, it would kill itself instantly. Instead, run the PatchAgent script beforehand as a separate deployment if you find some clients have PatchAgent.exe running already.
Update: Having Internet Explorer open on the client machine can sometimes cause issues with silent Java installs too. It's odd, very hit and miss because I have also seen successful installs. If you want you can kill any browsers open before running the above scripts with taskkill /F /IM iexplore.exe (or Firefox.exe).
