5 Replies Latest reply on Apr 7, 2017 5:46 AM by cwinning

    Guidance on patch deployment

    KirloxChamplow Rookie

      Hi All,

       

      I have followed this steps on this guide howto:How To: Perform a Custom Action Complete Tutorial with Custom Actions  The push of file is working but its on a different location on the propatches its on C:\WINDOWS\ProPatches\Installation\ followed by a filename of InstallationSandbox#2017-04-04-T-03-34-22 inside it is the files that i put on the custom action. The problem is that it does not actually install it but on the logs its stated that its successful I did a reboot as well but no positive results.

       

       

      2017-04-04T03:35:03.7540725Z 0214 I STPackageDeployer.cpp:209 No support files in the deployment package.

      2017-04-04T03:35:03.7696978Z 0214 I STPackageDeployer.cpp:271 No vendor patch installers in the deployment package.

      2017-04-04T03:35:07.3791421Z 0214 E STPackageDeployer.cpp:494 Reboot disallowed or not required. externalRebootOption = '2', deployer requested reboot: true

      2017-04-04T03:35:07.4416433Z 0214 S DeployExeStates.cpp:412 Leaving STDeploy::CInitialExecutionPackageDeploy::DoStatefulRemediateActions.

      2017-04-04T03:35:07.4416433Z 0214 I STDeploy.cpp:249 Current remediation phase completed. Process exit code: 3010.

      2017-04-04T03:35:07.4416433Z 0214 S STDeploy.cpp:154 Leaving wmain.

       

       

      What else I am missing?

       

       

      Thanks

      Sherwin

        • 1. Re: Guidance on patch deployment
          cwinning CommunityTeam

          Hello,

           

          Can you provide a screenshot of your Custom Actions tab?

           

          Thanks,

          Charles

          • 2. Re: Guidance on patch deployment
            KirloxChamplow Rookie

             

            Hi here is the screenshot for my custom actions. Thanks for the help.

            • 3. Re: Guidance on patch deployment
              cwinning CommunityTeam

              Hello,

               

              The basic setup looks good, what version of Protect are you running?

               

              Logs:  It would be interesting to see the logs from the target machine.  This will tell us if the patch install processes were started.

               

              1. On the target machine, navigate to C:\Windows\ProPatches\Logs
              2. Zip and attach all the logs to this post.

               

              Verify the patches can be installed as the system account:  Patches are installed as the Local System Account, this isn't an issue in most cases, but it's something you should verify before continuing.

               

              1. Download psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx)
              2. Open a command prompt and navigate to the extracted folder. Run psexec.exe to open cmd.exe with -i -s as depicted below:
                  psexec.exe cmd.exe -s -i

              In the new command prompt that opens, navigate to the where the patch installers  are located and run this command:

                  nameofpatch.exe /quiet

              This will effectively launch the installer using the SYSTEM account using the switches for a silent deployment.  If it doesn't look like it's installing..

              Run the installer with no switches from the CMD running as the System account.  What do you see?

               

              Thanks,

              Charles

              • 4. Re: Guidance on patch deployment
                KirloxChamplow Rookie

                Hi Charles,

                 

                Attached are the logs, Regarding the system account? will this work on a domain admin account which is also part of the local administrator of the machine?

                 

                 

                Thanks

                Sherwin

                • 5. Re: Guidance on patch deployment
                  cwinning CommunityTeam

                  Hello,

                   

                  The account set in the Machine Group is used to scan the target and copy files to it.  All of the patches, including Custom Actions, are processed by the System account on the target machine.  The Windows Installer service uses this account and it shouldn't be changed.

                   

                  It looks like the deployment attempted to process the executables, this is the trace statement:

                   

                  Started C:\WINDOWS\system32\cmd.exe /U /Q /D /V:ON /C "%PATHTOFIXES%WindowsServer2003-KB3197835-x64-custom-ENU.exe /quiet"

                  Process handle 00000278 returned '1603'.

                  Started C:\WINDOWS\system32\cmd.exe /U /Q /D /V:ON /C "%PATHTOFIXES%WindowsServer2003-KB4012598-x64-custom-ENU.exe /quiet"

                  ChildProcess.cpp:140 Process handle 00000274 returned '1603'.

                   

                  The attempt returns a Microsoft error 1603, which indicates failure:  More on this error.

                   

                  One of the causes refers directly to the System Account not having permissions, so you should perform the test I outlined.

                   

                  Thanks,

                  Charles