Overview
LanGuard Remediation Jobs are stalling at Pending state when trying to patch clients and install updates, or you are not able to deploy LanGuard Agents since their status forever stays as 'Pending install.'
Another scenario is when a devices scan is initiated from the LanGuard server console; it hangs on the initial few lines, not showing any new information for a long time.
Solution
There are several possible causes for the remediation or Agent deployment jobs stalling with pending status. Thoroughly follow the steps below to verify that the environmental variables are met, and all the required settings are correct.
1. Missing requirements or a security feature in the environment might be blocking the LanGuard operations.
Verify the Required Settings are met in your environment. Be thorough - all of these settings are equally important; without them, operations will fail. Pay extra attention to the Required Network Connectivity and Security Permissions - this is the most common root cause for the LanGuard operations issues. Confirm the absence of security blocks with your network and security teams. It is also important to ensure that antivirus software is not interfering with the agent installation. Use the Antivirus and Backup Exclusions section of the LanGuard Requirements article, as well as the Resolving the Antivirus Causing LanGuard to Malfunction or Hang at Startup article as a reference.
2. The database connectivity issues might be the root cause.
In this case, the debug log lanss_vXXX_attendantservice.csv
located in the %Data%\GFI\LanGuard 12\DebugLogs\
would have the relevant errors:
- "Error EOleException: 'Invalid connection string attribute'"
- Source = "Microsoft SQL Server Native Client 11.0", Description = "Login failed for user ..."
- "Login failure error repeated for all 10 attempts, stopped trying."
In such cases, address the database connectivity errors using the solution from Resolving 'Could not connect to database backend' Error in GFI LanGuard Console article and with the help of your Database Administrator.
3. The database might be running out of space.
When the SQL Server runs out of disk space or SQL Express reaches its database size limit, the LanGuard back-end database stops updating. This, in turn, leads to unexpected errors. Check the free space on the server hosting the database and the current database size and fix any found issues there Maintaining the SQL Database Used by LanGuard article.
4. The wrong IP address might be used for agent deployment or remediation jobs.
If LanGuard has several network interface cards, the wrong one can be used for agent deployment or remediation. Disable these network interface cards locally and run a localhost scan using the HW audit in LanGuard to update the correct IP address before starting a new agent deployment and remediation.
5. Target machine(s) might have incorrect alternative credentials.
In the LanGuard console Dashboard, check the properties of the target machine(s). If alternative credentials are set up, verify whether they are required, are correct, and have the necessary rights on the target machine(s). Refer to the Best Practices for Setting up Account Permissions with Alternative Credentials in LanGuard for more information.
6. There might be problems with the GFI LanGuard Attendant service or the dedicated account required permissions.
The environmental changes might lead to problems with the GFI LanGuard Attendant service, the necessary rights may change due to GPO settings, or in the Active Directory environment, the dedicated service account is removed from the local administrator's group. Follow the steps below to address this.
If in the process you find out the GFI LanGuard Attendant service is not running or stopping, resolve this issue following the corresponding article.
If the Attendant service is missing completely, this means a broken or corrupt installation. Repair the installation.
To fix the permissions settings:
- On the LanGuard server, go to Control Panel > Administrative Tools > Services and verify that the GFI LanGuard XX Attendant Service is running.
-
Change the account used by GFI LanGuard XX Attendant Service:
- Double-click the GFI LanGuard XX Attendant service.
- Select the Log On tab, and in the Log on as: section, select This account.
- Specify an account having local administrative rights in the format
<Domain>\<User>
or browse to the admin user. - Enter the password for the specified account and click Apply.
- Choose the General tab and click Start to start the service.
- On the LanGuard server, change the DCOM identity:
- Open DCOMCNFG - press Windows + R keys together, type
dcomcnfg
and press the Enter key. - Expand Component Services > Computers > My Computer > DCOM Config.
- Locate LNSSCommunicator, right-click on it, and open Properties.
- In the Identity tab, click Browse and select a user with Administrator rights on all machines in the domain.
- Enter the password for the selected user and Apply changes.
- Open the Local Security Policy (
gpedit.msc
) on the LanGuard server. - Navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Check the properties of Replace a process level token and Adjust memory quotas for process policies.
- Add the account used in the Identity tab (above) to these policies.
- Do the same for the Logon as a batch job policy.
- Restart the GFI LanGuard XX Attendant service.
- Open DCOMCNFG - press Windows + R keys together, type
- On the LanGuard server, launch the LanGuard Console and update communications IP address:
- From the Configuration tab, select Agents Management.
- Click Agents Settings.
- From the General tab under Communications, select the IP address of LanGuard instead of the Default selection.
- Click OK to apply the changes.
- On the Windows target machine(s), explicitly add the user account that is running the services to the Log on as Services Local Security Policy:
- Navigate to Start > Run and type
secpol.msc
and press Enter. - Expand Local Policies and choose the User Rights Assignment.
- Scroll down to Log on as a service, right-click it, and open Properties.
- Click Add User or Group and add that account there.
- Click Apply and OK and close out of the Local Security Policy.
- Apply the changes.
- Navigate to Start > Run, type
GPupdate /force
and press Enter.
- Navigate to Start > Run and type
- Disable UAC on both server and client machines.
Start a new agent deployment or remediation to verify whether the problem is gone. If the issue persists, try the steps below:
- On the LanGuard server, verify that the GFI LanGuard XX Attendant Service is running.
- On the LanGuard server, change the DCOM identity:
- Open DCOMCNFG:
- Press Windows + R keys together.
- Type
dcomcnfg
and press the Enter key.
- Expand Component Services > Computers > My Computer > DCOM Config.
- Enter the Properties of LNSSCommunicator.
- In the Identity tab, select the Launching User radio button.
- Restart the GFI LanGuard XX Attendant service.
- Open DCOMCNFG:
Testing
Start the activity that was having issues and verify that the problem is gone. If the issue persists, contact GFI LanGuard Support.