It would appear that on computers running Protect in a kiosk-type environment, certain corruption may be taking place.
Examples of the consequences seen are Invalid Pointer errors when accessing the Altiris Agent GUI, as well as WMI corruption. Potential corruption is not limited to these examples and could involve any registry entry or file that is captured into the protected user's session and then deleted on logout.
The relevant exclusion for AeXNSagent.exe is included under the [ignoreproc] section of protcfg.ini, so no files related to any work that the Altiris Agent is doing should be captured into the protected user's session to begin with.
Autologin has been configured on these kiosk computers. This is not an uncommon setup as many kiosk computers are set up with an extremely locked-down environment with no requirement for multiple guest users.
What happens is that any process set up to be ignored under the [ignoreproc] header in protcfg.ini will not be ignored unless that process is started before the user's session starts, that is, straight after the user's details are passed through the Microsoft GINA authentication box (the authentication box you typically see as soon as Windows boots). With autologon this is usually hidden or too fast to notice.
This behavior is by design: if a protected user logs in and creates a service, that service is captured into the protected user's session and, depending on configuration (but typically for a kiosk computer), deleted when that user logs out.
What this means is that for any process (service) not started prior to the autologin, any files or registry entries it touches will be captured into the user's session and deleted on logout. This is what is manifesting as corruption in the Altiris Agent (Invalid Pointer errors) and causing WMI corruption, amongst a whole range of other potential issues.
To resolve this issue, ensure that all services are started (especially those outlined in protcfg.ini under the [ignoreproc] header) prior to the autologin taking place.
In order to achieve this, the following resolution steps must be followed:
On your client, copy the text below into a new file and save it, for example, as C:\Wait4Services.vbs. This script is run prior to login. It keeps looping until it sees most services started. This is a guide and you may want to modify the script to skip certain services that are required to start and then stop soon afterwards. You may also use other scripting applicable to your client that serves a similar function:
'Connect to WMI on the local computer.
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

'Keep checking until every Automatic service is running or is listed as OK below.
TryAgain = True
Do While TryAgain
    TryAgain = False
    Set colListOfServices = objWMIService.ExecQuery ("Select * from Win32_Service Where StartMode = 'Auto'")
    For Each obj In colListOfServices
        If obj.State <> "Running" Then
            Select Case obj.DisplayName
                Case "WDPOperations" 'OK
                Case "Security Center" 'OK
                Case "Computer Browser" 'OK
                Case "System Restore Service" 'OK
                '[Repeat Case select here for all services that are set to Automatic that stop again.]
                'Case "Other Service Name" 'OK
                Case Else
                    TryAgain = True
            End Select
        End If
    Next
    WScript.Sleep 500
Loop

'Add a final wait to allow Altiris Agent to begin "At Startup" scheduled tasks.
WScript.Sleep 10000
On your client navigate to the local group policy by going to Start > Run and typing gpedit.msc. Click OK.
Drill down to the following areas and make the suggested configurations:
Computer Configuration > Windows Settings > Scripts. In the right-hand pane, double-click on Startup and add C:\Wait4Services.vbs created in step 1.
Computer Configuration > Administrative Templates > System > Scripts. In the right-hand pane, enable Run logon scripts synchronously.
Computer Configuration > Administrative Templates > System > Scripts. In the right-hand pane, configure "Maximum wait time for Group Policy scripts" with a suitable maximum time so that if one of the services fails to stop, the client will not just sit there doing nothing.
Computer Configuration > Administrative Templates > System > Logon. In the right-hand pane, enable Always wait for the network at computer startup and logon.
At this point you can install Protect onto your kiosk computer confident that nothing will be captured (and potentially deleted) that should not be.
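To confirm the ordering after a reboot, the following added example (not part of the original article or of Protect) compares the start time of each ignored process with the start of the first interactive logon session. It assumes it is run as an administrator, that the earliest LogonType 2 session is the autologon session, and that the `ignored` array is filled in from [ignoreproc]; only AeXNSagent.exe is named in this article.

```vbscript
' Added example: report whether each ignored process started before the
' first interactive logon. Run as an administrator after a reboot.
Option Explicit
Dim ignored, wmi, dt, sess, procs, proc, name, firstLogon, started, found

' Assumption: list here the executables named under [ignoreproc] in protcfg.ini.
ignored = Array("AeXNSagent.exe")

Set wmi = GetObject("winmgmts:\\.\root\cimv2")
Set dt = CreateObject("WbemScripting.SWbemDateTime")

' Convert a WMI (DMTF) timestamp string to a VBScript date in local time.
Function ToDate(dmtf)
    dt.Value = dmtf
    ToDate = dt.GetVarDate(True)
End Function

' Find the earliest interactive session (LogonType 2); autologon creates one.
For Each sess In wmi.ExecQuery("Select * from Win32_LogonSession Where LogonType = 2")
    If Not IsNull(sess.StartTime) Then
        started = ToDate(sess.StartTime)
        If IsEmpty(firstLogon) Then firstLogon = started
        If started < firstLogon Then firstLogon = started
    End If
Next
If IsEmpty(firstLogon) Then
    WScript.Echo "No interactive logon session found."
    WScript.Quit 2
End If
WScript.Echo "First interactive logon: " & firstLogon

' Compare each ignored process's creation time with that logon time.
For Each name In ignored
    found = False
    Set procs = wmi.ExecQuery("Select * from Win32_Process Where Name = '" & name & "'")
    For Each proc In procs
        found = True
        If IsNull(proc.CreationDate) Then
            WScript.Echo name & ": start time unavailable"
        ElseIf ToDate(proc.CreationDate) < firstLogon Then
            WScript.Echo name & ": started before the first interactive logon"
        Else
            WScript.Echo name & ": started AFTER the first interactive logon"
        End If
    Next
    If Not found Then WScript.Echo name & ": not running"
Next
```

Run it with cscript //nologo so the results print to the console rather than appearing as message boxes.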
Applies To: All versions of Protect.