Ian Lockhart at myITforum

An Aussie perspective
GFI EndPoint Security Agent - install fun & games

I ran into a problem recently where I wanted to have the EndPoint agent install as part of our SOE build process.  As I soon found out, doing so wasn't as straightforward as you'd imagine, and according to GFI the only methods available to install the agent are via its own console or using Group Policy.  When running the AgentInstall.MSI file manually (i.e. determining which setup switches to use, etc.), we were constantly presented with "You are not authorized to install this product. Installation terminated".

I wasn't happy with either method, because I really wanted the software installed before anyone could use the machine.  Using the console meant some manual intervention that left devices "open" until the agent install, and Group Policy seemed like a backward step when we make heavy use of SCCM, so I needed to work out how to make it happen.

It transpires that there is actually a way to install the product using alternate methods.  The "trick" lies in being able to install the agent msi file under "LocalSystem", which once discovered explains why the install is only supported by the GFI console & Group Policy software deployment (which runs as LocalSystem).

To achieve my desired outcome I needed 3 components: the Sysinternals/Microsoft tool psexec, the custom AgentInstall.msi file generated from our console, and a little "undocumented" psexec switch (this last one was the hardest to overcome/diagnose).  The install command ended up just being:

    psexec -s -accepteula msiexec /i agentinstall.msi /qn

(-s = use LocalSystem account, -accepteula = accept EULA (see below), /i = install, /qn = silent install).

I included both the psexec executable and the msi file in a single directory to make working with the paths easier.  The issue I observed when testing was that my install would just "hang" once started and never actually finish (whether fail or succeed), which I eventually figured out was the EULA "waiting" for a response (obviously the scripted install during the PC build was not visible).  After adding this additional "undocumented" switch, the install completed successfully, and now happily all my new PC builds are appearing in the GFI EndPoint Admin console with the agent ready & waiting.
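A wrapper for the build step, added here as an example and not part of the original post: it runs the same command, bounds the wait so a hidden prompt fails the build instead of hanging it, and checks the msiexec exit code. The log path, the timeout and the script's own exit codes are assumptions; /l*v is standard msiexec verbose logging.

```powershell
# Added example. Assumes psexec.exe and agentinstall.msi sit beside this script,
# as described in the post.
$dir     = Split-Path -Parent $MyInvocation.MyCommand.Path
$psexec  = Join-Path $dir 'psexec.exe'
$msi     = Join-Path $dir 'agentinstall.msi'
$log     = Join-Path $env:TEMP 'agentinstall.log'   # assumed log location
$timeout = 600                                       # seconds; assumed upper bound

foreach ($f in $psexec, $msi) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Output "Missing file: $f"
        exit 2
    }
}

# Same switches as the command in the post, plus verbose MSI logging.
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName        = $psexec
$psi.Arguments       = "-s -accepteula msiexec /i `"$msi`" /qn /l*v `"$log`""
$psi.UseShellExecute = $false
$psi.CreateNoWindow  = $true
$proc = [System.Diagnostics.Process]::Start($psi)

# A prompt nobody can see (such as the PsExec EULA) shows up as a process
# that never exits, so bound the wait and fail the step.
if (-not $proc.WaitForExit($timeout * 1000)) {
    $proc.Kill()   # stops the local psexec client
    Write-Output "Install still running after $timeout s; check for a hidden prompt."
    exit 1
}

# PsExec hands back the exit code of the program it ran.
# 0 = success, 3010 = success with reboot required.
switch ($proc.ExitCode) {
    0       { Write-Output 'Agent installed.'; exit 0 }
    3010    { Write-Output 'Agent installed; reboot required.'; exit 0 }
    default {
        Write-Output "msiexec failed with exit code $($proc.ExitCode); see $log"
        exit $proc.ExitCode
    }
}
```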

Hope this may help someone else stuck on the same/similar issue overcome that troublesome install.

Published Monday, July 18, 2011 4:41 PM by ilockhart
