
AV client push scheduled task doesn't run in Windows 7

Hello.

I have Enterprise Console (4.5 I think) running on Windows 2008 64-bit, trying to push out to Windows 7 clients. About 60% of the clients receive and install ok, but the rest don't. I thought their group policies were the same but maybe not.

Anyway, I can see the scheduled task being created on the client, but it doesn't run. If I run it manually the client installs fine and updates with Enterprise Console, but I can't manually run the task on hundreds of clients.

I've spent a lot of time trying to find a group policy that might be restricting the remotely created scheduled task from running (with everything up to and including domain admin credentials) but I'm empty handed. Anyone know what the problem might be?

A tech from Sophos helped me at least figure out that the task was being created and could be run manually. It was a pleasure working with a support person that actually seemed to care!! Made the best of a frustrating situation.

Thanks in advance.

:5156


This thread was automatically locked due to age.
  • Hello kevindv10,

    debugging the task scheduler is a royal pain. Does SEC report an error (which one)?

    Anyway, I can see the scheduled task being created on the client, but it doesn't run. If I run it manually ...

    How do you run it manually? Are you using the same account as for Protect Computers? I'm asking because I observed a similar behaviour when UAC was turned on for the account entered in Protect Computers: The task was created and registered but didn't run and was deleted some time later. This of course does not explain why it works on some and not on others. Apart from an account's settings UAC can also be configured by a policy and that's where I decided to give up ...    

    Christian

    :5164
  • Thanks for the response. I have UAC turned off via group policy and confirmed that it is off on the client. Just to be sure though, I used domain admin credentials to do the push and install, and also logged onto the client as a domain admin.

    The error reported in SEC is ffffffff "Awaiting response from computer". I've done a little looking and from what I can gather that is simply a time out or other generalized error.

    I'll poke around UAC some more. Maybe I'm missing a policy somewhere. Still, keep those ideas coming!! This is driving me crazy!! ;-)

    :5167
  • I have the same problem. I have spoken to the Sophos techs, some of whom say it could be GP related, but I can't put a finger on it. Did you find any solutions?

    :7251
  • The tech support I worked with was great, although we never did figure it out completely. If you run the install and monitor scheduled tasks on the target machine you will likely see that the task is indeed being pushed to the client, but in our case the task just sat there and never ran. When the task failed entirely the task on the target machine would be deleted.

    If you are on the target machine you can run the scheduled task manually and the install will proceed, and that's what we ended up doing. In my case it was the computers at an entire school, albeit a small school, so manually running the task on 60'ish computers wasn't the end of the world. I shudder to think of what will happen next summer when we switch the rest of the school district to Win7. I had spent so much time looking at this from the Sophos perspective that I didn't fully troubleshoot from the angle that Win7 scheduled tasks was the culprit.

    Maybe a better way would be to install the Sophos package from the Sophos share, but pushing it out with SCCM or group policy software installations instead of Enterprise Console. I can't remember how Sophos installs from the server or what the package looks like, but maybe there's an msi with a transform that installs and tells the client where to look for updates.

    If you find a solution/workaround please post it!

    Good luck!

    :7255
  • Hi,

    Once armed with the deployment string PSExec could also be used to protect machines outside of SEC:

    http://technet.microsoft.com/en-us/sysinternals/bb897553 

    It wouldn't take much work to put a GUI front-end on it where you pass it a deployment string and a list of computer names/IPs as a text file/textarea to deploy to.  The deployment string could also add the group path switch to the string dynamically based on the name/IP of the machine if that would be a suitable way of putting the machine in the target group automatically.

    Having said that I'd still favour an AD start-up script to run the deployment string as applied to certain OUs I know I need to protect. This way you know you'll always catch the machines when they're on; a push always requires this, whereas a "pull" from the client guarantees a higher chance of success.  A quick check in the script to see if the machine already has the software and you're done.

    As for putting it in the right group automatically, this depends on how many target groups you might have.  It could be sufficient to create different start-up scripts with hard-coded group paths in and these are applied to different OUs.  If there are more groups and more complexity, then a mapping table in the script that is checked as the script is run, then based on some machine marker to provide the group path on the fly.  Sub-string of the computer name, computer description, IP range, site logon server, etc.

    Hope that gives people a few ideas.

    Jak

    :7259
  • While I can not offer a solution, maybe this workaround helps:

    If you have the authority to manage GPOs for the machines, you might try a start-script that executes setup.exe with the required parameters. To avoid multiple installations, check whether the exe exists.

    --- quickanddirtyapproach.cmd ---
    rem check whether SAV is already installed
    if exist "c:\program files\sophos\Sophos Anti-Virus\savmain.exe" goto finish
    rem on 64-bit Windows the 32-bit program files are under "Program Files (x86)"
    if exist "c:\program files (x86)\sophos\Sophos Anti-Virus\savmain.exe" goto finish
    rem start unattended installation with management enabled, no firewall
    start \\avserver\sophosupdate\cids\s000\setup.exe -updp \\avserver\SophosUpdate\CIDs\S000\savscfxp\ -user avinst -pwd xxxxxx -mng yes -s
    :finish
    rem this is the end
    --- quickanddirtyapproach.cmd ---

    This script might need some fine-tuning, and you will need to provide valid credentials for the share on the av-server.

    Best regards,

    Detlev

    :7301
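The start-up script idea from the two posts above (skip machines that already have the client, pick the console group from a machine marker), as an added example that is not code from either poster or from Sophos. The setup.exe switches and share path are the ones quoted in the thread; the group-path switch `-G`, the name prefixes, group paths and function names are assumptions for illustration.

```powershell
# Added example: "pull" install from a computer start-up script.
# A start-up script lives in SYSVOL, which every domain account can read, so the
# account named here should have read-only access to the update share and nothing else.
$Cid         = '\\avserver\SophosUpdate\CIDs\S000'   # share path as quoted in the thread
$User        = 'avinst'                              # account name as quoted in the thread
$Password    = 'xxxxxx'                              # placeholder, as in the thread
$GroupSwitch = '-G'   # assumption: use the group path switch from your own deployment string

# Constructed mapping table: computer-name prefix -> console group path. First match wins.
$GroupMap = @(
    @{ Prefix = 'LAB-';   Group = '\AVSERVER\Classrooms\Labs' },
    @{ Prefix = 'STAFF-'; Group = '\AVSERVER\Staff' }
)
$DefaultGroup = '\AVSERVER\Unassigned'

function Get-SophosGroup([string]$ComputerName) {
    # -like is case-insensitive, so LAB-01 and lab-01 map to the same group.
    foreach ($entry in $GroupMap) {
        if ($ComputerName -like ($entry.Prefix + '*')) { return $entry.Group }
    }
    return $DefaultGroup
}

function Test-SavInstalled {
    # Check both program directories; the (x86) variable is empty on 32-bit Windows.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        if (Test-Path (Join-Path $root 'Sophos\Sophos Anti-Virus\savmain.exe')) {
            return $true
        }
    }
    return $false
}

if (-not (Test-SavInstalled)) {
    $group = Get-SophosGroup $env:COMPUTERNAME
    $setupArgs = @(
        '-updp', "$Cid\savscfxp\",
        '-user', $User, '-pwd', $Password,
        '-mng', 'yes', '-s',
        $GroupSwitch, ('"{0}"' -f $group)    # quoted in case the group path has spaces
    )
    Start-Process -FilePath "$Cid\setup.exe" -ArgumentList $setupArgs -Wait
}
```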
  • Hi, I have been having the same issue with the scheduled task as we are preparing to do a full college upgrade to Windows 7, and I have set all the services and UAC settings, and the firewall is also off, all via GPO.

    Now on some machines it does work fine, but we have 2 fresh Win 7 machines that will be used as images and they will not work via the console installation. Well, one did while testing file and printer sharing, then I uninstalled to test again and now it will not install at all.

    Now I have been playing with it today and it holds the schedule like everyone else's, but when selecting the schedule to run it works fine. Now I did notice that in the schedule that the console makes there is no trigger event. I assume this is because it is supposed to start straight away. Now if I set a trigger like start at 13.50 it does start and works fine.

    What we could do with is to edit the schedule from the Sophos end to include a trigger in the schedule, like 1 min after the schedule is created; then this might resolve this issue.

    Does anyone know if this is possible?

    Or any other workaround, as I don't want to roll this out via GPO as that is what the console is for.

    cheers

    David Hallam

    :8791
  • Is there a solution for the problem with the scheduled task? In my company the installation works fine on some machines, but on many others the task is not executed and I'm getting the error message "Awaiting response from the computer."
    :11639
  • Hi, I have found a possible fix for this issue; well, it has worked for me. I found a post from another user regarding issues with permissions on the tasks folder, so I updated my Win7 policy as a test and behold, it worked.

    The following is what needs to be added to the GPO:

    In group policy for the domain: computer - policies - Windows settings - security - file system

    Add %SystemRoot%\Tasks - add rights for the user who installs

    You have to have rights to write to the folder \\computer\c$\windows\tasks on all computers in the domain.

    By default even domain admins have no rights to write to this folder from the network.

    :11749
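Two observations from the posts above can be checked directly on an affected client: that the console-created task has no trigger, and who is allowed to write to %SystemRoot%\Tasks. This is an added diagnostic, not code from any poster or from Sophos; it assumes an elevated PowerShell 2.0 or later session on the client, and the function names are made up for this example.

```powershell
# Added diagnostic: run locally on a client where the pushed task sits without running.

function Get-TriggerlessTask {
    # Lists tasks in the root task folder that have no trigger, the condition
    # reported in the thread for the task the console creates.
    $service = New-Object -ComObject Schedule.Service
    $service.Connect()
    foreach ($task in $service.GetFolder('\').GetTasks(1)) {   # 1 = include hidden tasks
        if ($task.Definition.Triggers.Count -gt 0) { continue }
        $xml = [xml]$task.Xml
        New-Object PSObject -Property @{
            Name       = $task.Name
            Enabled    = $task.Enabled
            RunAs      = $task.Definition.Principal.UserId
            # The command line shows which task belongs to the installer.
            Command    = @($xml.Task.Actions.Exec | ForEach-Object { $_.Command }) -join '; '
            LastRun    = $task.LastRunTime
            LastResult = '0x{0:X8}' -f $task.LastTaskResult
        }
    }
}

function Get-TasksFolderAccess {
    # Shows which accounts hold which rights on the tasks folder named in the thread.
    $path = Join-Path $env:SystemRoot 'Tasks'
    (Get-Acl -Path $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Get-TriggerlessTask   | Format-List Name, Enabled, RunAs, Command, LastRun, LastResult
Get-TasksFolderAccess | Format-Table -AutoSize
```

Comparing the access list before and after the GPO change shows exactly which account gained write access, which helps keep the grant limited to the deployment account.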
  • Scrap that, it worked once and now is still having the same issue.

    This really needs to be addressed now, as we are rolling out classrooms and really need a fix for this.

    I have also noticed that our Sophos install is on our image using the Sophos image writeup, which works fine on the machines, but if we ever need to re-install via the console we are stuffed.

    Also, I have noticed that the workstations update the IDEs fine from the server, but if we change any of the config on the console and try to apply it to the workstations it just hangs at the awaiting policy from console, which is also an issue.

    Any help please :-)

    :11845