How to deploy EPPatch.msi via GPO


  1. Verify that the GlobalSign root certificate is installed on your affected devices. For more information, see sk171399.
  2. EPPatcher.msi (can be downloaded from here).
  3. Shared folder from which EPPatch.msi should be deployed.
  4. ORCA tool installed in order to create a Windows Installer Transform (*.MST) file.
    ORCA tool is part of the Windows SDK Components for Windows Installer Developers (Install the “MSI Tools” from the SDK).

Creating MST installer file

  1. Open ORCA tool.
  2. Drag the ‘EPPatcher.msi’ file into the ORCA tool.
  3. Select New Transform from the Transform menu.
  4. In Tables column, select Property.
  5. On the right panel, populate UNINST_PASSWORD property value with the Endpoint uninstall password of your organization.

  6. After applying the change, select Generate Transform from the Transform menu. You will then be required to save the change as an .MST file.

Deploying EPPatch.msi via GPO

  1. Copy both ‘EPPatch.msi’ & .MST files to the same location on the shared folder.
  2. On the Domain Controller, open Group Policy Management.
  3. Create a GPO for the desired group.
  4. Right-click on the newly created GPO and select Edit.
  5. In the new window, under Computer Configuration, expand Policies > Software Settings.

  6. Right-click on Software installation > New > Package.
  7. In the file browser window that opens, select the EPPatch.msi file from the shared folder, then click Open.
    NOTE: It is essential that you use the UNC path of the shared folder.

  8. In the Deploy Software window, select Advanced, then OK.
  9. In the EPPatch Properties window, select the Modifications tab.
  10. Click Add.
  11. Select the MST file, then click Open.
  12. Click OK.
  13. The GPO is ready. For the GPO to take effect, client machines should be

How to make sure that EPPatch.msi was successfully installed

  1. In “C:\Windows\System32\drivers” you should see two files:
    • epklib.bad - This is the old epklib file that was replaced by EPPatch.
    • epklib.sys - This is the new file. If you right-click on it, then select
      Properties > Details tab. File version should be

  2. In “C:\Windows\Internet Logs\EP_CDTDll.log” you should see this line, indicating a successful patch installation:
    “File 'C:\Windows\System32\drivers\epklib.sys' dumped successfully”
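
The checks above can be scripted for use on a patched client. The PowerShell function below is an added example, not Check Point's code; the function name, its parameters and the output property names are assumptions, and the expected file version is an optional parameter because this article does not state it.

```powershell
# Added example (not vendor code). Paths and the log text come from the article;
# Test-EPPatchInstalled and its parameter/property names are hypothetical.
# Run from 64-bit PowerShell: a 32-bit host is redirected from System32 to SysWOW64.
function Test-EPPatchInstalled {
    [CmdletBinding()]
    param(
        [string]$DriverDir = 'C:\Windows\System32\drivers',
        [string]$LogPath   = 'C:\Windows\Internet Logs\EP_CDTDll.log',
        # The article does not state the expected version; supply it if known.
        [string]$ExpectedVersion
    )

    $newDriver   = Join-Path $DriverDir 'epklib.sys'
    $oldDriver   = Join-Path $DriverDir 'epklib.bad'
    $successLine = "File '$newDriver' dumped successfully"

    # Check 1: the replaced driver was renamed and the new one is in place.
    $oldPresent = Test-Path -LiteralPath $oldDriver -PathType Leaf
    $newPresent = Test-Path -LiteralPath $newDriver -PathType Leaf

    # File version string from the new driver's version resource.
    $version = $null
    if ($newPresent) {
        $version = (Get-Item -LiteralPath $newDriver).VersionInfo.FileVersion
    }
    # $null means "not checked" when no expected version was supplied.
    $versionOk = $null
    if ($ExpectedVersion) { $versionOk = ($version -eq $ExpectedVersion) }

    # Check 2: literal (non-regex) search for the success line in the patch log.
    $logOk = $false
    if (Test-Path -LiteralPath $LogPath -PathType Leaf) {
        $logOk = [bool](Select-String -LiteralPath $LogPath -SimpleMatch `
                            -Pattern $successLine -Quiet)
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OldDriverRenamed = $oldPresent
        NewDriverPresent = $newPresent
        NewDriverVersion = $version
        VersionMatches   = $versionOk
        LogSuccessLine   = $logOk
        Patched          = ($oldPresent -and $newPresent -and $logOk -and
                            ($versionOk -ne $false))
    }
}

Test-EPPatchInstalled
```

To check many clients at once, the function can be run through Invoke-Command against a list of computer names.
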
Related solution:
sk171275 - How to check the Patch logs for success/failure messages when using the EPPatch.msi
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.