Automatic deployment (installation) of endpoint software using Active Directory synchronization does not take place for some computers that are not running a server operating system.
- This article is only relevant where no installation appears to have been attempted against the computer(s). If 'Install errors' are shown against the computer(s) in Enterprise Console under the 'Alert and Error Details' tab these should be looked into separately.
- If a manual 'Protect Computers...' task is attempted against the computer(s), Sophos Endpoint Security and Control deploys without issue.
- For information regarding automatic deployment to server operating systems, see KBA47894.
First seen in
Enterprise Console 4.0.0
When performing an automatic deployment of Sophos Endpoint Security and Control as part of an Active Directory synchronization, Sophos Enterprise Console performs a look-up against a Domain Controller (DC) to check the 'logonCount' attribute of each computer object it is attempting to deploy to. If this value is '1' or more, the deployment takes place. If the 'logonCount' attribute of a computer has a value of '0', the installation is not attempted.
In most environments the 'logonCount' is likely to be 1 or higher. However, in a multiple-DC environment this attribute is not replicated between DCs, so if a computer has never authenticated against the particular DC queried by Enterprise Console, the deployment will not be attempted for that computer.
What To Do
This issue is being tracked as DEF85760 and the behavior will be changed in a future release of Sophos Enterprise Console.
In the interim, deploying to endpoints manually from Sophos Enterprise Console or as part of a scripted approach will still work. For more information on other deployment methods see article 114191.
To help you establish which computers are affected, a script is provided which, when run from the Sophos Enterprise Console computer, lists all computers that have a 'logonCount' of '0'. The following steps describe the procedure:
- On the management server, download the script LogonCount.vbs.txt.
- Rename the file to 'LogonCount.vbs'.
- Launch the script by double-clicking on 'LogonCount.vbs'.
- Once complete, which may take a couple of minutes, a file called 'ComputersLogonCount.txt' will have been created in the same directory as the script and will contain a list of all endpoint computers that have a 'logonCount' attribute of 0.
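As an added example (written for this article, not Sophos' LogonCount.vbs), the following PowerShell performs the same check but queries each domain controller separately, since 'logonCount' is not replicated and a computer may show 0 on one DC and a higher value on another. It uses only the built-in ADSI DirectorySearcher, so it needs no RSAT modules; it assumes the account running it can read computer objects in the current domain, and the output file name is chosen here.

```powershell
# Added example (not Sophos' LogonCount.vbs): list computer objects whose
# 'logonCount' is 0 or unset on each domain controller in the current domain.
# Because logonCount is not replicated, the same computer can have a different
# count on every DC, so each DC is queried on its own.
param(
    # Assumption: if no DC names are supplied, enumerate all DCs in the domain.
    [string[]]$DomainControllers = @()
)

if (-not $DomainControllers) {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $DomainControllers = $domain.DomainControllers | ForEach-Object { $_.Name }
}

# '(!(logonCount>=1))' matches both an explicit 0 and an absent attribute,
# which '(logonCount=0)' alone would miss.
$filter = '(&(objectCategory=computer)(!(logonCount>=1)))'

$results = foreach ($dc in $DomainControllers) {
    # Bind to this specific DC's default naming context rather than
    # letting the DC locator pick one for us.
    $root = [ADSI]"LDAP://$dc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize = 1000   # paged search for large domains
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'logonCount', 'operatingSystem'))

    foreach ($r in $searcher.FindAll()) {
        # Result property names are returned in lower case.
        [pscustomobject]@{
            DomainController = $dc
            Computer         = ($r.Properties['name'] | Select-Object -First 1)
            OperatingSystem  = ($r.Properties['operatingsystem'] | Select-Object -First 1)
            LogonCount       = ($r.Properties['logoncount'] | Select-Object -First 1)
        }
    }
}

# Show which DC reports 0 for which computer, then save for follow-up.
$results | Sort-Object Computer, DomainController | Format-Table -AutoSize
$results | Export-Csv -Path '.\ComputersLogonCount.csv' -NoTypeInformation
```

A computer that appears in this list for the DC that Enterprise Console queries, but not for another DC, is the case described in this article: it has authenticated somewhere, just not against the DC the console is reading from.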
Note: We cannot provide a script to modify the 'logonCount' for a computer object, as this value cannot be manually set or imported into Active Directory.
To view the 'logonCount' attribute for a computer object you can use either:
- Active Directory Users and Computers with View | Advanced Features enabled, which in more recent versions of the tool exposes the attributes of an object.
- A viewer of Active Directory objects such as Active Directory Explorer.
It is important to remember that this attribute is not replicated between DCs; it is a count of the number of logons for the computer object against the specific DC you are connected to. For more information on this attribute see the Microsoft article: http://msdn.microsoft.com/en-us/library/windows/desktop/ms676845(v=vs.85).aspx.