1. Prerequisites:
1.1 The rollout module must be loaded on the rollout server. To check this:
- Select the rollout server into the search node or in the Topology/Groups node in the console
- Go to its sub-node Agent Configuration > Module Configuration > tab Configuration
If it is not loaded, there is below warning in the rollout server mtxagent.log:
2020/03/03 12:11:08 AgentActionDB W [5620] Action RolloutAssign is not registered
1.2. Windows administrative shares must be enabled
The rollout server must be able to access to "C$" or "D$" as an example, depending on the Installation Directory that is set on the general tab of the configuration).
If it is not possible to enable administrative shares, enabling "AdminShares=ADMIN,C-L" in the ../client/config/rollout.ini of the rollout server could be a solution as per the document created by a partner here.
If it's not possible to activate the administrative shares and that the alternative method doesn't work either, the pull mode must be used: Client Management: How to create and deploy Agent Rollouts to the Client by using the pull mode. Note that once a rollout pull is generated it could be deployed by GPO as an example: Client Management: How to deploy an agent through a GPO.
1.3. The RPC service must be started:
The "Remote Procedure Call (RPC)" service must be started on the target device. If it is not the agent will not be able to create its service, start it etc
Note: the Remote Registry Service is no longer required.
1.4. Firewall:
The firewall must either be stopped or some ports must be opened on the target:
- 135 TCP (RPC)
- 445 TCP (SMB)
1.5. api-ms-win-crt-runtime-l1-1-0.dll
This file is a prerequisite since 12.8. If it is not installed on the target then the rollout will fail to start. More information is here: Client Management: the upgrade or installation of an agent fails - manually running mtxsetup.exe returns a system message saying api-ms-win-crt-runtime-l1-1-0.dll is missing
2. Rollout Configuration:
At least one administrator account must be set in the user account tab:
It must exist on the target device and have the necessary rights to access to the windows shares and to create and start services.
3. Communications:
It is useful to set a rollout server if there are devices on other locations than the master or if there are VLANs or restricting network rules that forbid the master or another rollout server to directly communicate with the devices that must be installed.
From the rollout server itself it must be possible to:
------------------------------------------------------------------
- Resolve the name of the target device
- At least contact the target device through its ip address from the rollout server. If the name resolution doesn't work the ip addresses will have to be set in the "Targets" tab of the rollout configuration instead of the hostnames, else it won't work.
- Access to the windows share of the target, by using one of the credentials set into the tab "User Accounts" of the rollout configuration.
Please pay extra attention to the fact that these tests must be done from the rollout server itself, and not from another device, as it might change everything.
4. Error causes:
-----------------
4.1. 'The device cannot be reached'
This issue can have multiple origins, it would more likely be a problem like these:
- The account that is set does not have the required rights.
- The firewall is active and the ports listed above are closed.
- The rollout server is not able to contact the target device because of network rules or the name resolution not working.
- Administrative shares are not enabled.
4.2. 'Operation Failed'
This error message is displayed while verifying or starting the rollout and it is due the fact that the module "Rollout" is not loaded on the rollout server in the console.
To fix this check 1.1 at the top of this KA.
4.3. 'Configuration Failed'
This may occur:
- If a "user account" was not set in the rollout configuration, check point no 2 above.
- If the licenses expired: it is possible that while using the console the licenses may have expired or exceeded for BCM Agents as seen in Global Settings > licenses, causing this status. In the targets tab, this error will show as 'missing parameter'.
4.4 Access denied: Even though able to login into the windows end device with the same windows user account locally.
UAC settings on the windows operating system which causes the error 'access denied' on console. Disable UAC.
5. More information can be found in below articles.
-Agent Rollout Errors
-Rollout Fails: Maintenance operation found
-Rollout server shows a status of Unassignment Paused
-Prepare your installation of a client on Mac OS X: enable ssh for root and manage services
Notes:
If the name resolution doesn't work properly on the network or on part of it, it will not be possible to use the asset discovery scan results to create a group with discovered devices set to auto rollout. The targets will have to be assigned manually by ip address instead.
Do not hesitate to vote for this idea to have this functionality to be implemented in the future.