MS10-031 Install Failures

(imported topic written by Steve91)

Hi

Is anyone having failures with this patch on Windows XP (SP2)?

We’re seeing a failure rate of about 90%.

The action script completes fine but the patch isn’t installed.

If I install the patch manually on the workstation (with or without the switches and either in the system or user context) it works fine and the relevance is then False, it only fails when deployed via BigFix.

The exit code in the bes log after the patch has run is:

Command succeeded (Exit Code=-2147023728) waithidden __Download\VBA65-KB974945-x86-ENU.exe /q:a /r:n

Not had any failures on other OS’s

What I can see in setupapi.log is:

2010/05/12 15:32:07 3116.1

#-199 Executing “C:\Program Files\BigFix Enterprise\BES Client\__BESData\actionsite\__Download\VBA65-KB974945-x86-ENU.exe” with command line: __Download\VBA65-KB974945-x86-ENU.exe /q:a /r:n

#E359 An unsigned or incorrectly signed file “c:\windows\temp\ixp000.tmp\kb974945.inf” blocked (server install). Error 1168: Element not found.

#W187 Install failed, attempting to restore original files.

#E064 Parsing install section DefaultInstall in “C:\WINDOWS\TEMP\IXP000.TMP\KB974945.inf” failed. Error 1168: Element not found.

When installed manually I see:

2010/05/14 08:54:24 3208.1

#-199 Executing “C:\VBA65-KB974945-x86-ENU.exe” with command line: VBA65-KB974945-x86-ENU.exe /q:a /r:n

#E361 An unsigned or incorrectly signed file “c:\windows\temp\ixp000.tmp\kb974945.inf” will be installed (Policy=Ignore). Error 1168: Element not found.

#-024 Copying file “C:\WINDOWS\TEMP\IXP000.TMP\VBE6.DLL” to “C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL”.

#E361 An unsigned or incorrectly signed file “C:\WINDOWS\TEMP\IXP000.TMP\VBE6.DLL” will be installed (Policy=Ignore). Error 1168: Element not found.

Cheers

Steve
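
Added example, not part of the original post: a small Python triage script for the two symptoms quoted above. It decodes the BigFix exit code (-2147023728 is the signed form of HRESULT 0x80070490, i.e. Win32 error 1168, the same "Element not found" that setupapi.log reports) and separates setupapi.log sections where an unsigned file was blocked from those where it was allowed. The sample log is constructed from the lines in the post; the function names are illustrative.

```python
import re

# Constructed sample modelled on the two setupapi.log excerpts quoted in the post.
SAMPLE_LOG = r'''
2010/05/12 15:32:07 3116.1
#E359 An unsigned or incorrectly signed file "c:\windows\temp\ixp000.tmp\kb974945.inf" blocked (server install). Error 1168: Element not found.
#W187 Install failed, attempting to restore original files.
2010/05/14 08:54:24 3208.1
#E361 An unsigned or incorrectly signed file "c:\windows\temp\ixp000.tmp\kb974945.inf" will be installed (Policy=Ignore). Error 1168: Element not found.
#E361 An unsigned or incorrectly signed file "C:\WINDOWS\TEMP\IXP000.TMP\VBE6.DLL" will be installed (Policy=Ignore). Error 1168: Element not found.
'''

# Section header: timestamp plus "pid.instance"; brackets are optional.
SECTION = re.compile(r'^\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \d+\.\d+\]?$')
# Signing verdict line; accepts straight or typographic quotes around the path.
UNSIGNED = re.compile(r'^#E\d+ An unsigned or incorrectly signed file ["\u201c]([^"\u201d]+)["\u201d] '
                      r'(blocked \(server install\)|will be installed \(Policy=(\w+)\))')

def decode_exit_code(code):
    """Map a signed 32-bit exit code to (HRESULT hex, Win32 error or None)."""
    u = code & 0xFFFFFFFF
    is_win32 = bool(u & 0x80000000) and (u >> 16) & 0x7FF == 7  # FACILITY_WIN32
    return f"0x{u:08X}", (u & 0xFFFF) if is_win32 else None

def signing_verdicts(log_text):
    """Return one record per log section listing blocked and allowed unsigned files."""
    sections = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            sections.append({"time": m.group(1), "blocked": [], "allowed": [], "failed": False})
            continue
        if not sections:
            continue
        cur = sections[-1]
        m = UNSIGNED.match(line)
        if m:
            key = "blocked" if m.group(2).startswith("blocked") else "allowed"
            cur[key].append(m.group(1).lower())
        elif line.startswith("#W187"):  # "Install failed, attempting to restore"
            cur["failed"] = True
    return sections

if __name__ == "__main__":
    print(decode_exit_code(-2147023728))
    for s in signing_verdicts(SAMPLE_LOG):
        print(s["time"], "FAILED" if s["failed"] else "ok", "blocked:", s["blocked"])
```
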

(imported comment written by liuhoting91)

My first guess is Devices: Unsigned Driver Installation Behavior is configured somewhere in group policy on the machines that are failing? By default on Windows I think the behavior is “warn but allow install” but if group policy is configured to “Do not allow installation” the patch could fail.

Are there any notable differences between the machines that succeed and fail?

I think we might want to make this a support case soon.

(imported comment written by Steve91)

Thanks for the reply liuhoting,

If a group policy related failure I would expect to see the same issue even if I installed it manually (as I’ve tried via user and system account manual installs which work ok)

There appears to be something when installed manually that ignores the issue (Policy=Ignore) over the BigFix install via the system account (blocked (server install)).

When I launch a command prompt with “AT” in system mode i.e. AT HH:MM /interactive cmd and run the patch from within the system window it works fine.

BigFix obviously installs the patch with the system account so why does my manual system account install process work but not the BigFix automated system account process work?

I’m not sure this is a build specific problem as I’d expect the manual system account process to fail also.

I’ll give my local guru (Doug) a shout Monday and see what we can work out

Doug, sorry to land you with a problem, but you are the man! :)

Cheers

Steve

(imported comment written by Mark99991)

Hi,

I too am getting the same results as Steve. Running the hotfix under an account with admin rights (System context or otherwise) and the hotfix installs, however running the hotfix unattended through BigFix it fails. I’ve also tried installing through SMS (which uses a separate installation account, also with admin rights) and it fails unless it is run when the user is logged on, with the “allow users to interact with this program” option set. It seems to be that the hotfix will only work when it has some form of user interaction set. Again there is nothing on the Microsoft site to indicate any issues with installing the hotfix, though there have been other reports on the web of similar deployment issues using other infrastructure tools (Symantec etc).

Has anybody else experienced similar issues?

Regards

Mark

(imported comment written by nberger91)

What was the resolution on this, same issue deploying ms02-044 via BigFix … ??

(imported comment written by Boz91)

Still searching for a resolution myself. I am getting failures with the exact same KB:

Command succeeded (Exit Code=-2147023728) waithidden __Download\VBA65-KB974945-x86-ENU.exe /q:a /r:n (fixlet 444291)

(imported comment written by JasonBigham91)

This works, via PSEXEC:

psexec -i -c \ComputerName \share\VBA65-KB974945-x86-ENU.exe /q:a /r:n

Unsigned drivers can be installed via an INTERACTIVE session.

http://support.microsoft.com/kb/840257

Not sure why IBM cannot figure out how to make this work within the product…

(imported comment written by SystemAdmin)

Since this is requiring the interactive, maybe try running the task 540 - Enable BigFix Client Interacting with Desktop. Basically all this does is check the “Allow service to interact with desktop” checkbox in the BES Client service.

If you check the task, you will see it links to this MSKB for a little information.

http://support.microsoft.com/kb/327618

There have been some previous discussions about if this should be a default setting or not, but for now it is not.

Martin Carnegie

Gulf Breeze Software Partners

http://www.gulfsoft.com

(imported comment written by SystemAdmin)

As Martin alluded, setting the “Allow service to interact with desktop” will most likely resolve your issue. Disallowing interaction with the BESclient became standard in 8.x. Interactivity was disabled to avoid the ‘Shatter’ attack. The catch-22 is that disabling interaction caused several fixlets and custom tasks that we run to fail.

This catch-22 situation has been the subject of much debate. There appears to be a special call that certain Microsoft programs, such as psexec and SCCM, use to get around this issue and allow the successful operation sans the shatter vulnerability. We have been asking for some time for IBM to include that functionality into TEM.

This thread has some interesting history on this topic:

http://www.ibm.com/developerworks/forums/thread.jspa?threadID=409047

IBM, any update on this?

(imported comment written by ByDesign1977)

Hi All

Did “allow service to interact with the desktop” resolve this issue?

Cheers