We must use NTLM2 and therefore can't use Kace's provisoning. I use a GPO to deploy the agent to our clients without trouble. We can't use a GPO to deploy the agent to servers though, long story, but can't do it. We have about 100 and I need a way to deploy the 5.3.53177 agent via Scripting or Distributed.

All servers are at 5.3.47657.

I've checked the existing entries here and if the answer exists, I've missed it.

What's the best method and command line to deploy the MSI to clients with the previous Kace agent?

0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Community Chosen Answer

4

The KBOX can support NTLMv2 Levels 0-4.  It cannot provision a machine using Level 5.  

Since you are trying to use Provisioning, I would assume that you do not have the agent on the servers yet as provisioning would not be used for an agent upgrade.  If all 100 of these servers already have an agent then jknox would be right in saying that you can upload the agent bundle and allow them to update on their own from the k1000.  

In the case where you are installing new agents, you could temporarily lower the NTLM level (If using level 5) on the target servers through GPO.  Run the provisioning schedule then raise it back up.  

There is not a way to deploy from the K1000  via via Scripting or Distribution without having an agent already installed, unfortunately.

For reference, the full range of values for the LMCompatibilityLevel value that are supported by Windows NT 4.0 and Windows 2000 include:

·         Level 0 - Send LM and NTLM response; never use NTLM 2 session security. Clients use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication.

·         Level 1 - Use NTLM 2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.

·         Level 2 - Send NTLM response only. Clients use only NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.

·         Level 3 - Send NTLM 2 response only. Clients use NTLM 2 authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.

·         Level 4 - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers refuse LM authentication (that is, they accept NTLM and NTLM 2).

·         Level 5 - Domain controllers refuse LM and NTLM responses (accept only NTLM 2). Clients use NTLM 2 authentication, use NTLM 2 session security if the server supports it; domain controllers refuse NTLM and LM authentication (they accept only NTLM 2).

 

Answered 01/18/2013 by: WhitzEnd
Seventh Degree Black Belt

Please log in to comment

Answers

2

There is a built in mechanism to upgrade the agents that are already there.

Upload the 5.3.53177 kbin to: Settings>K1000 Agent>Agent Updates from KACE>Upload K1000 Agent Update Files

How to enable automatic agent upgrades:

Settings>K1000 Agent>Agent Updates from KACE>Enabled

Also check the box for "Update Broken Agents".

PLEASE NOTE: If you have multiple organizations, you will need to do this for each one.

Answered 01/17/2013 by: jknox
Red Belt

Please log in to comment
1

I created a script for some of the 5.3 to 5.4 upgrades and added the machines label to push to.  You can modify this for the versions installed and to install

Answered 01/17/2013 by: SMal.tmcc
Red Belt

Please log in to comment
1

Why not just tell teh KBOX to require NTLM v2 under Settings > Control Panel > Security Settings

 

Answered 01/17/2013 by: nshah
Red Belt

Please log in to comment
1

Thanks to all for the replies!

@SMal.tmcc - I will try this first as it allows me to deploy at will when needed. Helpful if I need to deploy to one or just a few machines for any reason.

@jknox - My official response to this is... hmmmmm... I'm not sure why we have it unchecked. It was originally enabled, but I'm not the only Kace admin and such changes are expected to be presceded with a notification email. I'm checking on it and will probably enable it shortly. I'm double checking to be sure someone above my pay grade didn't make the decision to disable it.

@nshah - Yea, we do have those boxes checked. Our GPO is set to Send NTLMv2 respons only: Refuse LM & NTLM  --- When we first had to change the GPO to this setting, we worked with Kace and they said there would eventually be updates to correct it, but for now, there was no way around it. Therefore we can't use Kace's auto-provisioning (the one that uses IP ranges), under the K1000 Agent tab > Provisioned Configurations. My understanding is the Kace setting references the shares, but the GPO is also handling traffic which Kace is using NTLMv1 for.

If I'm mistaken or things have changed regarding NTLM, please let me know. I'd be happy to be corrected on that point. :-)

---

Whatever the final solution is, I'll respond to this post with it. I'm open to any suggestions.

Thanks again.

 

Answered 01/18/2013 by: murbot
Tenth Degree Black Belt

Please log in to comment
0

I tried to push the agent via GPO and it wouldn't distribute to any endpoints using documentation here and on the KACE Knowledge base. Any ideas on where to start troubleshooting GP for any issues pushing files/conflicting policies that might stop it?

 

Answered 01/18/2013 by: GeekSoldier
Red Belt

Please log in to comment
Answer this question or Comment on this question for clarity