Does anyone script installation of AnyConnect and modules with BigFix? I’ve run into a situation where, after installing the VPN client and DART, the Posture module refuses to install. In the BigFix log, msiexec fails with error code 1603. In the Posture MSI log, it fails with
Error 1316. The specified account already exists.
Oddly, the MSI log also indicates the Posture install somehow looks for or references the AnyConnect core module msi in the __Download directory.
Meanwhile, if I run the msiexec from an administrator command shell with the exact same parameters, it works. (And doesn’t reference the core msi.) It’s maddening.
Since it’s running in 32-bit mode, it may not be able to locate the C:\Program Files (x86) path – which would be redirected as C:\Program Files to a 32-bit program.
In the ActionScript, before you start the Cisco installer, try enabling 64-bit mode with
action uses wow64 redirection false
Hmm a look at the second, successful log indicates it’s doing the same thing - resolving SystemFolder as \windows\syswow64. I’d still try turning off the wow64 redirection and see whether that helps.
You could also try installing the MSI interactively, under the SYSTEM account, using psexec (www.microsoft.com/sysinternals)
First, thank you for the look and insight! After being out sick for several days, I’m back on the case. Alas, these ideas haven’t given my anything new yet. Disabling wow64 redirection doesn’t change the results.
After more trails and failures, I’ve isolated that the MSI does not install if it’s located in the BigFix site’s __Download directory. If I use PSEXEC in a command session, and point it to the file in that location, it fails.
If I use PSEXEC in a command session and point it to a file in a more normal location, it succeeds.
Odd, I just created a Fixlet to upgrade AnyConnect to v3.1.10010
I simply downloaded the MSI and installed it. The only quirk I ran into was that I had to Kill the vpnui.exe process first if a user was logged in. Without that, it left me with an empty folder where the program was supposed to be!
I only installed the Core VPN component, no additional modules.
@atlauren try installing just the Core VPN component by itself, get that to work first. I would only install the modules if you really need them, but those might be able to be handled as separate install commands or tasks.
Thanks for the suggestions. Alas, that’s exactly what I’m doing. A task for the core VPN, a task for DART (these work fine), and then a task for Posture (not working) – in the exact order prescribed by Cisco.
Alas, the whole thing that started this was that some/most machines with Posture aren’t able to update the components from the VPN headend connection. Our desktop crews have had to upgrade those manually in remote GUI sessions – I’m trying to remove that work.
It’s written to be relevant to Cisco v2.x and 3.x clients and to kill the vpnui.exe process if it’s running. Failure to kill this process can result in the Upgrade actually uninstalling the VPN client (but leaving the install folders in place which is how we went back and ‘found/fixed’ the broken installs).
Relevance:
Windows of Operating System
NOT ((if (exists wmi AND (not (name of operating system = “WinME” ))) then (string value of selects “caption from win32_operatingsystem” of wmi & " " & csd version of operating system) else ( “Windows " & (following text of first “Win” of (name of operating system as string)) & (if (name of operating system = “WinNT” ) then ((if (exists key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions” whose (exists value “ProductType” of it AND (value “ProductType” of it as string as lowercase = “servernt” OR value “ProductType” of it as string as lowercase = “lanmannt” )) of registry) then (if (exists key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions” whose (exists value “ProductSuite” of it AND value “ProductSuite” of it as string as lowercase contains “terminal” ) of registry) then " Terminal Server” else " Server" ) else " Workstation" ) & " " & csd version of operating system) else (if (name of operating system = “Win98” ) then (if (csd version of operating system as string contains “A” ) then " Second Edition" else “” ) else (if (name of operating system = “Win95” ) then (if (csd version of operating system as string contains “C” OR csd version of operating system as string contains “B” ) then " OSR2" else “” ) else " " & csd version of operating system ))))) as lowercase contains “server”) /* NOT a Server OS */
(exists keys whose (((Value “DisplayName” of it as string as trimmed string as lowercase = “cisco anyconnect secure mobility client”) OR (Value “DisplayName” of it as string as trimmed string as lowercase = “cisco anyconnect vpn client”)) AND (Value “DisplayVersion” of it < “3.1.10010”)) of keys “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of Registry) /* Verify that the Cisco AnyConnect is installed and the Version is lower tan 3.1.10010 */
I’ll post mine as well, once I have everything dialed together. I wound up building a template for MSI installers that heavily uses properties; it makes pretty short work of reusing elements from download paths and filenames to generate the execution lines and installation logs. I’m pretty proud of it.
When you guys execute PsExec from inside BigFix, what does that code look like? I have this, but the PsExec never actually executes msiexec; it seems to just park in Task Manager, as though waiting for input or something.
Prior to this, I prefetch the MSI and pstools.zip, copy the MSI to c:\windows\temp, and unzip psexec.exe out of pstools into the __Download directory. Then I execute psexec as the SYSTEM account. This is the line that winds up in the BigFix log: