If a deployment to an Patch Agent fails, a hexadecimal code is returned to the Lumension Server indicating the reason for the failure.
The following is the list of deployment failure codes and their meanings. Note that clicking on the deployment failure in the Lumension Server web interface will display detailed information regarding the failure, which may assist in troubleshooting.
This rare failure indicates an issue with the metadata of the package being deployed. Re-caching the vulnerability will solve this behavior.
The most common failure, this error indicates the Patch Agent encountered a problem executing the script associated with the deployment or the Windows Installer returned a generic 1603 installation failure. The most common reason for a script failure is the operating system's Windows Script Host scripting components are not registered or malfunctioning.
Re-registering the scripting components on the machine in question will typically solve this, typed from a Run or CMD prompt or deployed through a Custom Package (use the /s switch in the command line of a Custom package to hide the notification message from the End-User). You may also create a batch file (*.bat) to execute this instead of the CMD Prompt:
regsvr32 /u C:\WINDOWS\system32\vbscript.dll
regsvr32 /u C:\WINDOWS\system32\jscript.dll
regsvr32 /u C:\WINDOWS\system32\dispex.dll
regsvr32 /u C:\WINDOWS\system32\scrobj.dll
regsvr32 /u C:\WINDOWS\system32\scrrun.dll
regsvr32 /u C:\WINDOWS\system32\wshext.dll
regsvr32 /u C:\WINDOWS\system32\wshom.ocx
For 64-bit operating systems, you also must run the following:
C:\WINDOWS\syswow64\regsvr32 /u C:\WINDOWS\syswow64\vbscript.dll
C:\WINDOWS\syswow64\regsvr32 /u C:\WINDOWS\syswow64\jscript.dll
C:\WINDOWS\syswow64\regsvr32 /u C:\WINDOWS\syswow64\dispex.dll
C:\WINDOWS\syswow64\regsvr32 /u C:\WINDOWS\syswow64\scrobj.dll
C:\WINDOWS\syswow64\regsvr32 /u C:\WINDOWS\syswow64\scrrun.dll
C:\WINDOWS\syswow64\regsvr32 /u C:\WINDOWS\syswow64\wshext.dll
C:\WINDOWS\syswow64\regsvr32 /u C:\WINDOWS\syswow64\wshom.ocx
If a generic Windows Installer 1603 error is encountered during script execution, you may also receive a 190C. This may be caused by lack of available disk space, permissions issues, missing files, missing prerequisites, or other OS-related issues. To determine root cause, attempt the Manual Deployment method explained below.
This code indicates a download failure. Drilling down into the failure will display the exact reason for the 190D. In most cases this occurs if the package is not reachable due to a missing or invalid registry value in the Lumension Server or the file is physically no longer available (re-caching the vulnerability should solve this behavior).
This may also happen if the Storage directory was moved but the IIS website, registry, or database entries for the Storage directory were not updated properly.
Lastly, we have seen certain instances of this error on 7.0 and higher LEMSS installations where Windows 2008 R2 SP1 and .NET Framework 4.0 are installed (please see KB 759 - 'All deployments fail with 190D errors after installing Windows 2008 R2 SP1 and .Net Framework 4.0 on LEMSS 7.0 or higher' for details and resolution).
This code indicates a package execution failure. These are some of the more difficult issues to troubleshoot due to the lack of detail returned by the Windows Installer to the Update Server via the Update Agent. In most cases, this is caused by the failure of the patch to install properly due to a missing prerequisite (e.g., Microsoft Word install files are missing; some of the program's files are missing) or an OS problem (Windows Installer is damaged).
To determine root cause, it is recommended to attempt installation of the patch manually, since return codes from the Windows Installer to the Update Agent are not detailed. Running the file manually will typically display more information in a dialog box explaining the exact reason for failure, as described below:
Manual Deployment (-pldo)
To determine the reason for a Windows Installer failure, deploying the package using the -pldo option within the Lumenion product is a solution that will yield more detail.
To deploy with -pldo, click the Edit icon in the Package Deployment Order and Behavior page of the Deployment Wizard and replace the Optional Flags with: -pldo
Once deployed, this option will leave the package in the %TEMP% location (e.g., C:\WINDOWS\TEMP) where you may then execute the package manually. In most cases, the error encountered will explain in detail the reason for the MSI failure, allowing you to correct the OS or Program-related issue.
An alternative to deploying the package through a Lumension product is to visit the Microsoft KB article associated with the vulnerability in question, downloading, and then executing the patch on the end-point.