9 Replies Latest reply on Mar 24, 2015 7:16 AM by cwinning

    Patch Deployment fails on all scanned workstations.

    Rookie

      I am running Shavlik 9.0 1304 in an isolated network. I have scanned a group of workstations. The scan goes fine. I get results from all workstations scanned. When I try to deploy the software package, I get an error on all workstations in the group that says "Deployment Failed. Cannot connect to "workstation Name". In the ST.Protect.Native log I get an error "Deploy.CPP:1958 DeployMachine Exception - class STCore ::Cinvalidoperationexception at Deploy.CPP :1401 Cannot connect to "workstation name". Anyone see this before?

        • 1. Re: Patch Deployment fails on all scanned workstations.
          cwinning CommunityTeam

          Hello,

           

          I believe this is an issue with the assigned credentials you have set in the Machine Properties for all your machines.

           

          The scan is completing because it is using credentials set in the Machine Group.  The deployment is most likely failing because credentials were set in the Machine Properties and they are no longer valid.

           

          To correct this:

           

          1. Navigate to View > Machines.
          2. Highlight all the machines.
          3. Right-click and choose Machine Properties.
          4. Set the credentials to None.
          5. Save out of Machine Properties.
          6. Scan these machines again from a Machine Group; make sure to assign credentials to the group.
          7. Attempt another Deployment from the scan results.

           

          This will work since the deployment will use the credentials assigned to the Machine Group.

           

          Please let me know if you have any questions!

           

          Thanks,

          Charles

          • 2. Re: Patch Deployment fails on all scanned workstations.
            Rookie

            This did not work. Actually, now I cannot even scan the machines. I get an error 452 for the scan indicating that Shavlik cannot connect to the machines. I can remote desktop into each machine. Tested credentials are current and test good. Server service is running on the remote machines and the workstation service is running on the local server 2003 workstation.

            • 3. Re: Patch Deployment fails on all scanned workstations.
              cwinning CommunityTeam

              Hello,

               

              Where are you scanning from?  A Machine Group or from View > Machines?  Also, using Remote Desktop is not a good test for connectivity since the scan does not connect to the target the same way.

               

              Charles

              • 4. Re: Patch Deployment fails on all scanned workstations.
                Rookie

                A machine group. OK. I was just throwing that out there. I just found that I cannot access the default share (c$) on these workstations. I have entered into the registry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ [LocalAccountTokenFilterPolicy (1)]" on one of the workstations. Still unsuccessful.

                • 5. Re: Patch Deployment fails on all scanned workstations.
                  cwinning CommunityTeam

                  Hello,

                   

                  We need to switch to troubleshooting a scan issue here because a deployment requires a successful scan.

                   

                  This was in your original post: "The scan goes fine."  Was this really the case?  If yes, do you know of any GPO changes or 'other' changes?

                   

                  Removing the credentials from the Machine Properties would not have caused any issue where you would need to make changes on the target machines or on the Protect server.  At most, you would need to ensure you are supplying valid credentials in Manage > Credentials and also in the Machine Group.  Nothing more.

                   

                  For testing the connection, try this:

                   

                  1. Open an Admin CMD prompt.
                  2. Run this command:  net use \\machinename\IPC$   (you can try by IP too)
                  3. It may or may not request a name and password, supply the username/password used in the scan attempt.
                  4. Does this command complete without issue?

                   

                  Thanks,

                  Charles

                  • 6. Re: Patch Deployment fails on all scanned workstations.
                    Rookie

                    Yes. It was. Scans completed previously. I think I figured it out. I installed several security patches last week on my 2k3 server. One of them was MS15-027 (kb3002657). This is a NETLOGON patch. One of the things it does is basically disable NTLM authentication. The writeup says this may occur when you install the patch. They suggested using Kerberos authentication instead. We use NTLM on our entire network, so I uninstalled that patch. The scan just completed 1 workstation and it was successful. I will let you know when all workstations are done if I have a successful patch deployment. I can also now access C$ on the workstations.

                    • 7. Re: Patch Deployment fails on all scanned workstations.
                      cwinning CommunityTeam

                      Hello,

                       

                      Good find indeed, I would have been hard pressed to determine the root cause through the community site.  I look forward to your confirmation. (I'm sure it will help other users)

                       

                      Thanks,

                      Charles

                      • 8. Re: Patch Deployment fails on all scanned workstations.
                        Rookie

                        Yep. That was the problem. Patch deployment successful. &^%$#@ Microsoft!

                        • 9. Re: Patch Deployment fails on all scanned workstations.
                          cwinning CommunityTeam

                          Hello,

                           

                          I'm glad you were able to determine the root cause!  Thanks for taking the time to let everyone else know too.

                           

                          Edit:  I think the good news here is you really don't need the patch unless you are running a Domain Controller on the Windows 2003 server.  Although Microsoft recommends installing the patch 'just in case the server is promoted'.  Here is the text from the KB page:

                           

                          "This update is applicable on server machines running as domain controllers. It is suggested, however, that the update be applied to all affected platforms so that machines are protected if they are promoted to domain controller role in the future."

                           

                          Thanks,

                          Charles

                          1 of 1 people found this helpful
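
The connection test from reply 5 and the root cause from reply 6, combined into one check. This is an added example, not part of the original thread and not Shavlik's own tooling; the parameter names and result fields are hypothetical, and it assumes PowerShell 2.0 or later on the console machine the scans run from.

```powershell
# Added example, not from the thread. Save as a .ps1 and run from an
# elevated prompt on the console machine. Parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$Computer,  # target workstation name or IP
    [string]$User                                     # optional DOMAIN\user used for the scan
)

function Test-TcpPort([string]$HostName, [int]$Port) {
    # Plain TCP connect; works on PowerShell 2.0 (no Test-NetConnection needed).
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}

# 1. Is SMB reachable at all? TCP 445 is the standard SMB port.
$smbOpen = Test-TcpPort $Computer 445

# 2. The test from reply 5: authenticate to IPC$ with the scan credentials.
#    With -User, "net use" prompts for the password ("*") so it is never stored.
$ipc = '\\{0}\IPC$' -f $Computer
if ($User) { net use $ipc "/user:$User" * } else { net use $ipc }
$ipcOk = ($LASTEXITCODE -eq 0)

# 3. The admin share the original poster could not open (reply 4).
$adminOk = $ipcOk -and (Test-Path ('\\{0}\C$' -f $Computer))

# 4. Remove the test session so it does not mask later credential problems.
if ($ipcOk) { net use $ipc /delete | Out-Null }

# 5. Is the update named in reply 6 installed on this console machine?
$kb = Get-HotFix -Id KB3002657 -ErrorAction SilentlyContinue

New-Object PSObject -Property @{
    Computer           = $Computer
    Smb445Reachable    = $smbOpen
    IpcSession         = $ipcOk
    AdminShareC        = $adminOk
    KB3002657Installed = [bool]$kb
}
```

A result with `Smb445Reachable` true, `IpcSession` false and `KB3002657Installed` true matches the situation reported in reply 6; `Smb445Reachable` false points to a network or firewall problem instead of credentials.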