How to deploy EPPatch.msi via GPO

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk171338
Technical Level
Product	Endpoint Security VPN, Endpoint Security Client, Harmony Endpoint
Version	E80.61 (EOL), E80.62 (EOL), E80.64 (EOL), E80.65 (EOL), E80.70 (EOL), E80.71 (EOL), E80.72 (EOL), E80.80 (EOL), E80.81 (EOL), E80.82 (EOL), E80.83 (EOL), E80.84 (EOL), E80.85 (EOL), E80.86 (EOL), E80.87 (EOL), E80.88 (EOL), E80.89 (EOL), E80.90 (EOL), E80.92 (EOL), E80.94 (EOL), E80.95 (EOL), E80.96 (EOL), E80.97 (EOL), E81, E81.10
OS	Windows
Date Created	31-Dec-2020
Last Modified	26-Jan-2021

Solution

Prerequisites

Verify that the GlobalSign root certificate is installed on your affected devices. For more information see sk171399.
EPPatcher.msi (can be downloaded from here).
Shared folder from which EPPatch.msi should be deployed.
ORCA tool installed in order to create a Windows Installer Transform (*.MST) file.
ORCA tool is part of the Windows SDK Components for Windows Installer Developers (Install the “MSI Tools” from the SDK).

Creating MST installer file

Open ORCA tool.
Pull the ‘EPPatcher.msi’ file to the ORCA tool.
Select New Transform from the Transform menu.
In Tables column, select Property.
On the right panel, populate UNINST_PASSWORD property value with the Endpoint uninstall password of your organization.
After applying the change, select Generate Transform from the Transform menu. You will then be required to save the change as an .MST file.

Deploying EPPatch.msi via GPO

Copy both ‘EPPatch.msi’ & .MST files to the same location on the shared folder.
On the Domain Controller, open Group Policy Management.
Create a GPO for the desired group.
Right-click on the newly created GPO and select Edit…
In the new window, under Computer Configuration, expand Policies → Software Settings.
Right-click on Software installation → New → Package…
In the opened browser windows, select the EPPatch.msi file from the shared folder, then Open.
NOTE: It is essential that you use the UNC path of the shared folder.
In Deploy Software window, select Advanced, then Ok.
In EPPatch Properties window, select the Modifications tab.
Click Add…
Select the MST file, then click Open.
Click OK.
The GPO is ready. For the GPO to take effect, client machines should be
rebooted.

How to make sure that EPPatch.msi was successfully installed

In “C:\Windows\System32\drivers” you should see two files:
- epklib.bad - This is the old epklib file that was replaced by EPPatch.
- epklib.sys - This is the new file. If you right-click on it, then select
  Properties → Details tab. File version should be 8.60.5.7253.
In “C:\Windows\Internet Logs\EP_CDTDll.log” you should see this line, indicating a successful patch installation:
“File 'C:\Windows\System32\drivers\epklib.sys' dumped successfully”

Related solution:
sk171275 - How to check the Patch logs for success/failure messages when using the EPPatch.msi

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating