This article provides detailed information related to the process of patch deployment in GFI LanGuard. It also describes the communications between the GFI LanGuard server and the target machines.
Remote patch deployment with LanGuard can be initiated in two different ways:
- Manually from the LanGuard UI.
- Through the LanGuard Attendant service’s scheduled patch deployment module when:
- Patch deployment is scheduled for a later stage, or
- Automatic patch deployment was configured for a scheduled scan, or
- Automatic patch deployment was configured for any of the Agents.
NOTE: Although the Agent handles the load during scanning, it will NOT perform any patch deployment. Instead, the scan result is returned to the LanGuard server which then deploys any required patches. This is done to avoid having multiple patch repositories spread over the network.
It is possible to follow the process and cancel operations as described in Monitoring Remediation Operations. Canceling a deployment process is only possible via Cancel selected deployment which is enabled in only two situations:
- The deployment task status is “Scheduled” (the deployment task is still waiting to begin execution)
- The deployment task status is “Running…” or “Incomplete” (the task has begun execution but is not finished yet) AND there are computers on which the deployment is rescheduled AND there is no computer on which the deployment status is “Incomplete”
On any other deployment task status, the Cancel selected deployment option is disabled.
Regardless of the type - manual or automatic, and whether this is patch deployment, custom software installation, or any other remediation job, the actual remediation process always follows the same steps, described below.
GFI LanGuard logs into the target machine and accesses the remote registry.
All files required for deployment are copied to the target machine. This includes PatchAgent.exe and any patch executables. By default, this is done via the standard admin shares to
C:\Windows\Patches. However, the location can be changed to a custom share through the deployment settings.
Depending on the various settings for the remediation job, more files may be copied. For example, if the remediation was configured to allow choosing the time to reboot, an additional file rebootattendant.exe would also be copied.
NOTE: When the target computer has a GFI LanGuard Agent that is configured to use a Relay Agent, only the PatchAgent.exe and deploy_patches.bat are copied initially. The Patch Agent Service once started would request patch installer executables from the assigned Relay Agent.
Each of the above steps should be successfully completed for the remediation job to proceed. Testing network connectivity and security permissions from the LanGuard server to the target machine can help with the remote registry and the admin shares issues troubleshooting.
The batch file deploy_patches.bat containing the commands with parameters to install all selected patches silently is created and copied to the target computer.
A service called GFI LanGuard Patch Agent Service (PatchAgent.exe) is then installed and started on the machine. The credentials for this service, specified in the deployment settings, should have local administrator permissions on the target machine as well as the Log on as a service rights.Patch Agent Service:
- calls and executes each command in the deploy_patches.bat file
- monitors the status of each patch deployment
- creates/writes to the PatchAgent.log
- sends status updates such as Starting <patch> deployment, Finished <patch> deployment, etc., via HTTP to the GFI LanGuard server's communications port 1072 (by default)
For each command in the primary deploy_patches.bat file, a separate temporary batch file is created on-the-fly and executes just that one command/patch.
The GFI LanGuard Patch Agent Service returns the final result (success or fail) of each individual patch deployment to the GFI LanGuard server via the communications port 1072 (by default). This port needs to be open on the LanGuard server for it to receive the final status.
After the patch deployment, the service is uninstalled, and the system continues with performing any additional actions or triggers defined in the batch file, such as rebooting the machine, etc.
- All the Required Settings should be configured for the successful patch deployment.
- The default port for communication (1072) can be changed.
- When using a batch script in a Custom Software Install, which triggers an installer on a network share, ensure that the Patch Agent service has sufficient permissions to access the network share. By default, the Patch Agent service runs in the context of the local system. If this is not suitable, specify a specific user in the deployment options.
It is possible to receive Timed out: PatchAgent did not respond in the permitted time interval error message when deploying patches, but that doesn't mean that the process actually failed. Refer to the Remediation Error: "Timed out: PatchAgent did not respond in the permitted time interval" When Attempting to Deploy Patches for more information and the solution.