Ask the Community
Groups
Troubleshooting Agent Push "Unitrends KB 693" - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="summary"><strong>SUMMARY</strong></h2> <p>How to troubleshoot problems when attempting to use agent push to push an agent updates from the Unitrends system to its protected Windows clients. This article may be used to troubleshoot the error "Windows installer encountered error 1603 during agent uninstall. Ensure account used is a domain administrator or the local Administrator account. See Unitrends KB 693"</p> <h2 data-id="issue"><strong>ISSUE</strong></h2> <p>Agent Push is a feature in which our system can “push” install an agent as part of the setup of a Windows client. With agent push, a user no longer has to manually download and install the agent on a Windows system before adding it as a client on our system. It is a Windows-only feature, and supported Windows versions are Windows XP Pro 64bit/2003 32/64bit and up. (note: this feature is not available on free edition virtual appliances). <br><br>In its underlying implementation, Agent Push is performed using the <i>winexe</i> utility. The utility invokes the Windows installer command msiexec, accessing the agent files that have been made accessible to the prospective client through a samba share on the backup system called the <i>windows_agents</i> share.<br><br><b>Prerequisites</b><br><br>The following are required for the Agent Push feature:<br>• For Windows Vista and later, go to the Network and Sharing Center and make sure File and Printer Sharing is <i>On</i> for the current network profile.<br>• In Windows Vista and later, if errors persist when adding the client, it is likely related to User Access Control (UAC) remote access restrictions. If the errors persist, the UAC policy will need to be changed. On systems with UAC enabled, one of the following must apply: </p> <ol><li>The client trust credentials entered on the Unitrends Client setup page are for a "domain administrator" account.</li> <li>The client trust credentials entered on the Unitrends Client setup page are for the systems local 'Administrator' account. Being a different member of the Administrators group is not sufficient, it must be the built-in account to bypass UAC. If the local administrator account is disabled, enable it by executing the following in an elevated command prompt "net user administrator /active:yes" </li> <li>If you would like to use a local administrator that is not the 'Administrator' account ensure the Registry DWORD key <b>LocalAccountTokenFilterPolicy</b> exists in the path of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and the values is set to <b>1</b>. For more on this UAC setting, see this link: <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fsupport.microsoft.com%2Fkb%2F951016">http://support.microsoft.com/kb/951016</a>.</li> <li>The protect server and the Unitrends system must run the same SMB version. To enable SMB2 on the Unitrends system, follow <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Funitrends-support.zendesk.com%2Fhc%2Fen-us%2Farticles%2F360013295918%3Fq%3DSELECT%2BArticleNumber%252CId%252CSummary%252CResolution__c%252CAttachment__Body__s%252CCause__c%252CNotes__c%252CAttachment__ContentType__s%252CAttachment__Length__s%252CAttachment__Name__s%252CTitle%252CKnowledgeArticleId%252CDescription__c%2Bfrom%2BArticle__kav%2Bwhere%2BPublishStatus%253D%2527Online%2527">How Unitrends supports SMBv2</a>. Alternately, the protected asset must support SMB1.</li> </ol> • <i>Workstation</i> and <i>Server</i> services are running and set to automatic startup.<br>• For Windows XP Pro 64bit and 2003, make sure that the network adapter itself has <i>File and Printer Sharing for Windows Networks</i> checked (this is almost always the case, but good to double-check in case an error is seen). To verify, select <b>Control Panel > Network and Sharing Center > Change Adapter Settings</b>, then right-click the adapter, select <b>Properties</b> and check <b>File and Printer Sharing for Microsoft Networks</b>.<br>• For Windows XP, turn off Simple Sharing. Select <b>Control Panel > Folder Options > View</b> and uncheck <i>Use Simple File Sharing</i><br>• Verify <i>Remote IPC</i> and <i>Remote Admin</i> shares are enabled. These shares should be enabled with File and Printer Sharing, but verifying is a good idea if you’re still having trouble. To verify, issue the following command from an elevated command prompt and check the output for <i>ADMIN$</i> and <i>IPC$</i>: <b>net share</b><br>• Firewall rules must allow inbound and outbound traffic between the backup system and Windows client. Default Windows firewall rules limit many services to the subnet. If the backup system is outside the client subnet, modify <i>Firewall Printer and File Sharing</i> settings (TCP ports 139 and 445) to allow communication between the systems.<br><br><b>Logging</b><br><br>Installation errors for <i>winexe </i>and <i>msiexec</i>, as well as other related information, are logged in the Agent Push log at /usr/bp/logs.dir/cmc_AgentPush.log.<br><br><b>Samba.conf entries</b><br><br>Agent Push relies on two entries in Samba’s configuration file: /etc/samba/smb.conf. If the following message appears and all other prerequisites have been met, ensure that samba.conf contains the share entries noted below.<br><br><b>Error:</b><br><br>Prereq output file /backups/samba/[client].xml is missing.<br>Either execution succeeded and there was an error writing or reading the log<br>file, or this is an unknown error. Script output: …<br><br><b>Share Entries:</b><br><br>[windows_agents] <div>path = /backups/AgentUpgrade/Agents/Windows/<br>read only = yes<br>guest ok = yes</div> [agent_prereq] <div> path = /backups/AgentUpgrade/WinReqScript/<br>browseable = no<br>writable = no<br>guest ok = yes<br> </div> The following script can be run to add the entries. <div> /usr/bp/bin/AgentUpgradeSambaInsert.pl<br> </div> If samba.conf is edited, it must be reloaded before the changes take effect. Use the following command to reload the configuration file. <div> /sbin/service smb reload<br> </div> The script will have changed the conf file if either of the following output messages are displayed: <div> AgentUpgradeSambaInsert: Adding agent_prereq entry to smb.conf<br>AgentUpgradeSambaInsert: Adding windows_agents entry to smb.conf<br> </div> <div> <p><span style="font-family: Arial, sans-serif;"><span style="font-size: small;"><b>Windows Group Policy and Samba share access</b></span></span></p> <p><span style="font-family: Arial, sans-serif;"><span style="font-size: small;">Agent Push requires communication between client systems and the Unitrends Samba share. To test access to the Samba share, on the client system open Windows Explorer and enter \\IPADDRESS\windows_agents where IPADDRESS is the Unitrends appliances IP address. If agent msi files are not visible the following policy settings are known to cause problems:</span></span></p> <p><span style="font-family: Arial, sans-serif;"><span style="font-size: small;"><span style="color: #333333;">Microsoft network server: Digitally sign (always) – “</span><span style="color: #333333;">Disabled” recommended</span><br><span style="color: #333333;">Microsoft network client: Digitally sign (always) – “</span><span style="color: #333333;">Disabled” recommended</span></span></span><br><span style="color: #333333;"><span style="font-family: Arial, sans-serif;"><span style="font-size: small;">Network security: LAN Manager authentication level – “Send NTLMv2 response only” recommended</span></span></span></p> <p><span style="color: #333333;"><span style="font-family: Arial, sans-serif;"><span style="font-size: small;">On any given Windows machine the presently applied policies can be seen by running gpedit.msc and drilling down into the following path: Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options. If the policies are not aligned with the above recommendations (note the defaults with right-click → Properties → Explain when Not Defined is shown) retry after adjusting the local/domain policy and rebooting.</span></span></span></p> <p><br><span style="color: #333333;"><span style="font-family: Arial, sans-serif;"><span style="font-size: small;"><b>Multiple Network Cards (Release 9.1.0 and newer)</b></span></span></span></p> <p><span style="font-family: Arial, sans-serif;"><span style="font-size: small;"><span style="color: #333333;">If the Unitrends system has multiple network cards Agent Push will try to use eth0 by default. To force Agent Push to use a different interface, </span><span style="color: #333333;">i</span><span style="color: #333333;">n the Unitrends </span><span style="color: #333333;">web </span><span style="color: #333333;">UI </span><span style="color: #444444;">go to </span><span style="color: #444444;">Configure →</span><span style="color: #444444;"> </span><span style="color: #444444;">Appliances → Edit→ Advanced → General Configuration pa</span><span style="color: #444444;">ge, and scroll down to the “</span><span style="color: #444444;">Configuration Options”</span><span style="color: #444444;"> section.</span><span style="color: #444444;"> Set the value for “PushServer” to the IPv4 address of the</span><span style="color: #444444;"> </span><span style="color: #444444;">Ethernet</span><span style="color: #444444;"> interface Agent Push should communicate over.</span></span></span><br><br><b>Windows Script Host or cscript Issues</b><br>The Unitrends prerequisite script used to verify a system is push compatible is executed with Microsofts cscript utility. cscript can be enabled or disabled at a user or system level. If not enabled the following error will appear when pushing:<br><br>"Windows Script Host (cscript) does not have permission to run on the client system."<br><br>To resolve this issue check the following locations in the client system registry:<br><br>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings\<br>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\<br><br>Ensure the "Enabled" dword32 key exists and its value is 1. The HKEY_CURRENT_USER entry must correspond to the account which matches the push credentials.<br><br>It may be necessary to log in to the client system as the push user for these settings to apply.<br><br><b>SMB2 Configuration</b><br>Release 10.2.0 adds the ability to integrate with an environment where SMB 1.0 is disabled.<br><br>To configure your appliance for SMB2 see this KB <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Funitrends-support.zendesk.com%2Fhc%2Fen-us%2Farticles%2F360013295918">here</a>.<br>To configure your Windows systems see Microsoft's article <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F2696547%2Fhow-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and">here</a>.<br><br>Configuring for SMB2 will prevent pushing to SMB1 only OSs (XP/2003). Additionally pushing to Windows Vista and Windows 2008 (non-R2) is not supported in the SMB2 only configuration.<br><br>Windows 2019 - Windows 2019 ships with SMBv1 disabled by default. It is recommended to enable SMBv2 mode on Unitrends appliances to support Agent Push with 2019. If this is not possible due to legacy systems in your environment, SMBv1 can be re-enabled by following the instructions <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F2696547%2Fhow-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and">here</a>.</p> </div> </article> </main>