MSI installs, Cisco AnyConnect, and modules

Does anyone script installation of AnyConnect and modules with BigFix? I’ve run into a situation where, after installing the VPN client and DART, the Posture module refuses to install. In the BigFix log, msiexec fails with error code 1603. In the Posture MSI log, it fails with

 Error 1316. The specified account already exists.

Oddly, the MSI log also indicates the Posture install somehow looks for or references the AnyConnect core module msi in the __Download directory.

Meanwhile, if I run the msiexec from an administrator command shell with the exact same parameters, it works. (And doesn’t reference the core msi.) It’s maddening.

1 Like

If anyone’s interested, here are Dropbox links to my log files:

BigFix, failure:

Command shell, success:

Not sure if it matters, but at the end of the failed MSI log I can see that you’re running the installer in 32-bit mode:

 Property(S): res_DIR = C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\res\
Property(S): AnyConnect_VPN_Client_DIR = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco AnyConnect Secure Mobility Client\
Property(S): COMMONAPPDATA_LEGACY_AC_DIR = C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\
Property(S): PhoneHome_DIR = C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\CustomerExperienceFeedback\
Property(S): SystemFolder = C:\Windows\SysWOW64\
Property(S): l10n_DIR = C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\l10n\
Property(S): DART_INSTALLED = C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\DART\DARTEngine.dll

Since it’s running in 32-bit mode, it may not be able to locate the C:\Program Files (x86) path – which would be redirected as C:\Program Files to a 32-bit program.

In the ActionScript, before you start the Cisco installer, try enabling 64-bit mode with

action uses wow64 redirection false

Hmm a look at the second, successful log indicates it’s doing the same thing - resolving SystemFolder as \windows\syswow64. I’d still try turning off the wow64 redirection and see whether that helps.

You could also try installing the MSI interactively, under the SYSTEM account, using psexec (

1 Like

First, thank you for the look and insight! After being out sick for several days, I’m back on the case. Alas, these ideas haven’t given my anything new yet. Disabling wow64 redirection doesn’t change the results.

Interestingly, however, running it under psexec -s succeeds! Log link:

Did it work if you run it using PSExec through BigFix?

Oh my that makes my head hurt.

It is definitely worth a try. There are times when it seems to help.

You could also try: waitdetached

waitdetached didn’t produce better results.

I’m currently jousting with psiexec via BigFix, but I’m currently running up against what looks like a command length character limit.

After more trails and failures, I’ve isolated that the MSI does not install if it’s located in the BigFix site’s __Download directory. If I use PSEXEC in a command session, and point it to the file in that location, it fails.

If I use PSEXEC in a command session and point it to a file in a more normal location, it succeeds.


I would copy it out to C:\Windows\Temp and run it from there.

Also, do you have the path in quotes? If you don’t have the path in quotes, then it should fail.

Odd, I just created a Fixlet to upgrade AnyConnect to v3.1.10010

I simply downloaded the MSI and installed it. The only quirk I ran into was that I had to Kill the vpnui.exe process first if a user was logged in. Without that, it left me with an empty folder where the program was supposed to be!

I only installed the Core VPN component, no additional modules.


Maybe that is the issue.

@atlauren try installing just the Core VPN component by itself, get that to work first. I would only install the modules if you really need them, but those might be able to be handled as separate install commands or tasks.

Thanks for the suggestions. Alas, that’s exactly what I’m doing. A task for the core VPN, a task for DART (these work fine), and then a task for Posture (not working) – in the exact order prescribed by Cisco.

Alas, the whole thing that started this was that some/most machines with Posture aren’t able to update the components from the VPN headend connection. Our desktop crews have had to upgrade those manually in remote GUI sessions – I’m trying to remove that work.

1 Like

I’d be interested if you or anyone else could share working tasks for this, even with the prefetch details obfuscated.

I uploaded a ‘cleaned up’ version of my AnyConnect upgrade fixlet to

It’s written to be relevant to Cisco v2.x and 3.x clients and to kill the vpnui.exe process if it’s running. Failure to kill this process can result in the Upgrade actually uninstalling the VPN client (but leaving the install folders in place which is how we went back and ‘found/fixed’ the broken installs).


  • Windows of Operating System
  • NOT ((if (exists wmi AND (not (name of operating system = “WinME” ))) then (string value of selects “caption from win32_operatingsystem” of wmi & " " & csd version of operating system) else ( “Windows " & (following text of first “Win” of (name of operating system as string)) & (if (name of operating system = “WinNT” ) then ((if (exists key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions” whose (exists value “ProductType” of it AND (value “ProductType” of it as string as lowercase = “servernt” OR value “ProductType” of it as string as lowercase = “lanmannt” )) of registry) then (if (exists key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions” whose (exists value “ProductSuite” of it AND value “ProductSuite” of it as string as lowercase contains “terminal” ) of registry) then " Terminal Server” else " Server" ) else " Workstation" ) & " " & csd version of operating system) else (if (name of operating system = “Win98” ) then (if (csd version of operating system as string contains “A” ) then " Second Edition" else “” ) else (if (name of operating system = “Win95” ) then (if (csd version of operating system as string contains “C” OR csd version of operating system as string contains “B” ) then " OSR2" else “” ) else " " & csd version of operating system ))))) as lowercase contains “server”) /* NOT a Server OS */
  • (exists keys whose (((Value “DisplayName” of it as string as trimmed string as lowercase = “cisco anyconnect secure mobility client”) OR (Value “DisplayName” of it as string as trimmed string as lowercase = “cisco anyconnect vpn client”)) AND (Value “DisplayVersion” of it < “3.1.10010”)) of keys “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of Registry) /* Verify that the Cisco AnyConnect is installed and the Version is lower tan 3.1.10010 */
1 Like

I’ll post mine as well, once I have everything dialed together. I wound up building a template for MSI installers that heavily uses properties; it makes pretty short work of reusing elements from download paths and filenames to generate the execution lines and installation logs. I’m pretty proud of it. :smile:

When you guys execute PsExec from inside BigFix, what does that code look like? I have this, but the PsExec never actually executes msiexec; it seems to just park in Task Manager, as though waiting for input or something.

Prior to this, I prefetch the MSI and, copy the MSI to c:\windows\temp, and unzip psexec.exe out of pstools into the __Download directory. Then I execute psexec as the SYSTEM account. This is the line that winds up in the BigFix log:

__Download\psexec.exe -s -i c:\windows\system32\msiexec.exe /i "c:\windows\temp\anyconnect-posture-win-3.1.10010-pre-deploy-k9.msi" /qn /norestart /l+*vx "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Logs\posture.log"

…but the posture.log never gets written. This indicates to me that PsExec stalls and never actually executes msixexec. But why?

What happens if you run the command from an Administrator CMD prompt?

This was because the SYSTEM user hadn’t accepted the PsExec EULA. Adding -accepteula solved that problem.

1 Like

I’m rebuilding my trial/truth table. Will repost when I have it down…