It appears that certain corruption may take place on computers running Protect in a kiosk-type environment. Examples of the consequences seen are Invalid Pointer errors when accessing the Altiris Agent GUI, as well as WMI corruption. Potential corruption is not limited to these examples and could involve any registry entry or file that is captured and then deleted through the protected user's session on logout. The relevant exclusion for AeXNSagent.exe is included under the [ignoreproc] section of protcfg.ini, so no files related to any work that the Altiris Agent is doing should be captured into the protected user's session to begin with.
Autologin has been configured on these kiosk computers. This is not an uncommon setup, as many kiosk computers are set up with an extremely locked-down environment with no requirement for multiple guest users. Any process set up to be ignored under the [ignoreproc] header in protcfg.ini will not be ignored unless that process is started before the user's session starts, that is, straight after the user's details are passed through the Microsoft GINA authentication box (the authentication box you typically see as soon as Windows boots). With autologon this is usually hidden or too fast to notice.
This behavior is by design: if a protected user logs in and creates a service, that service is captured into the protected user's session and, depending on configuration (but typically for a kiosk computer), deleted when that user logs out. This means that for any process (service) not started prior to the autologin, any files or registry entries it touches will be captured into the user's session and deleted on logout. This is what manifests as corruption in the Altiris Agent (Invalid Pointer errors) and causes WMI corruption, among a whole range of other potential issues.
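The condition described above can be checked on an affected kiosk by comparing the start time of each [ignoreproc] process with the start of the interactive logon session. The PowerShell below is an added example, not part of the original article or of Protect. Assumptions: the protcfg.ini path is a placeholder, [ignoreproc] is assumed to list one executable name per line, and the earliest LogonType 2 session is taken as the protected user's session.

```powershell
# Added example. $IniPath is a placeholder; the [ignoreproc] layout
# (one executable name per line, optionally "name=value") is an assumption.
param([string]$IniPath = 'C:\PATH\TO\protcfg.ini')

function Get-IgnoreProc {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Track which INI section we are in.
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -ieq 'ignoreproc')
            continue
        }
        # Emit entries of [ignoreproc], skipping blanks and comments.
        if ($inSection -and $t -and $t -notmatch '^[;#]') {
            ($t -split '=')[0].Trim()
        }
    }
}

$ignored = @(Get-IgnoreProc -Lines (Get-Content -Path $IniPath))

# Earliest interactive logon (LogonType 2) is taken as the session start.
$sessionStart = Get-WmiObject Win32_LogonSession -Filter 'LogonType = 2' |
    ForEach-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.StartTime) } |
    Sort-Object | Select-Object -First 1
if (-not $sessionStart) { throw 'No interactive logon session found.' }

# Report every running ignored process and whether it started too late.
Get-WmiObject Win32_Process |
    Where-Object { $_.CreationDate -and ($ignored -contains $_.Name) } |
    ForEach-Object {
        $started = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationDate)
        New-Object PSObject -Property @{
            Name              = $_.Name
            ProcessId         = $_.ProcessId
            Started           = $started
            SessionStart      = $sessionStart
            StartedAfterLogon = ($started -gt $sessionStart)
        }
    } |
    Sort-Object Started |
    Format-Table Name, ProcessId, Started, SessionStart, StartedAfterLogon -AutoSize
```

Any row with StartedAfterLogon set to True is a process whose file and registry activity would be captured into the session despite its [ignoreproc] entry.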
Note: The local group policy is outlined in the following instructions, but if the client is a member of a domain and domain group policies apply, adjust the steps accordingly. For more information on group policy precedence, refer to http://technet2.microsoft.com/WindowsServer/en/library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx?mfr=true
- On your client, copy the text below and save it into a new file, for example C:\Wait4Services.vbs. This script is what we will run prior to login. It keeps looping until it sees most services started. This is a guide, and you may want to modify the script to skip certain services that are required to start and then stop soon afterwards. You may also use other scripting applicable to your client that serves a similar function:
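' Connect to WMI on the local computer.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\.\root\cimv2")
' Assumed use: upper bound on polling passes (the original use of IntCount is cut off on this page).
IntCount = 100
TryAgain = True
Do While TryAgain = True And IntCount > 0
    TryAgain = False
    Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service Where StartMode = 'Auto'")
    For each obj in colListOfServices
        If obj.State <> "Running" Then
            Select Case obj.DisplayName
                ' Automatic services that are expected to stop again are skipped.
                Case "Security Center"
                Case "Computer Browser"
                Case "System Restore Service"
                '[Repeat Case select here for all services that are set to Automatic that stop again.]
                'Case "Other Service Name"
                Case Else
                    ' Any other automatic service that is not running yet forces another pass.
                    TryAgain = True
            End Select
        End If
    Next
    IntCount = IntCount - 1
    If TryAgain Then WScript.Sleep 1000 ' assumed polling interval
Loop
'Add a final wait to allow Altiris Agent to begin "At Startup" scheduled tasks.
WScript.Sleep 30000 ' assumed value; the original wait time is not shown on this page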
- On your client navigate to the local group policy by going to Start > Run and typing gpedit.msc. Click OK.
- Drill down to the following areas and make the suggested configurations:
- Computer Configuration > Windows Settings > Scripts. In the right-hand pane, double-click on Startup and add C:\Wait4Services.vbs created in step 1.
- Computer Configuration > Administrative Templates > System > Scripts. In the right-hand pane, enable Run logon scripts synchronously.
- Computer Configuration > Administrative Templates > System > Scripts. In the right-hand pane, configure "Maximum wait time for Group Policy scripts" with a suitable maximum time so that if one of the services fails to stop the client will not just sit there doing nothing.
- Computer Configuration > Administrative Templates > System > Logon. In the right-hand pane, enable Always wait for the network at computer startup and logon.
At this point you can install Protect onto your kiosk computer confident that nothing will be captured (and potentially deleted) that should not be.
All versions of Protect.