Jump to content
Braingears

Agent Deploy - Generate Installers with Tokens

Recommended Posts

Posted (edited)

Will generate ticket with Windows MSI, Mac, and Linux installers with tokens.
• Enter # of months until the token expires. If left blank, the default is 12 (enter number only)
• Enter alternative LocationID. If left blank, it will default to the Location where the script was executed from. 
• Enter Email address if you want to receive an email with all of the links.
• Additional PowerShell and Mac Terminal Scripts will be included to make deployments easier. 

Due to the latest vulnerability patches, we can no longer download any Automate Installer that is not downloaded with an Authenticated Automate User. With the help of Darren White creating the Token Generator, I've created Automate scripts to easily create the Automate Installers with Tokens and will currently create tokens from 1 month to years.

I've also updated the "Agent Deploy - Create GPO on DC" to create a "CW Automate Agent Deployment" GPO and automatically link it to the root of the domain (optional parameter). 

**Caution** This not a ConnectWise Automate blessed method of creating installer tokens, and the the developers could change the installer methods just like the did with the previous installers at any time. This is also true for the tokens themselves in the `installertokens` table. 

Agent Deploy - Generate Installers with Tokens.xml Agent Deploy - Remove GPO on DC.xml

Agent Deploy - Create GPO on DC.xml

Edited by Braingears
Updated 'Create GPO' due to accidentally applying Mac Token when creating .bat
  • Like 4

Share this post


Link to post
Share on other sites

Nice, this is what I was envisioning to build for us internally, so I appreciate it. Question, is there any upper limit on the installer tokens that you have come across? For example, is 120 months a valid input? I assume no process from CWA rolls through and wipes these tokens out that we have found yet?

Share this post


Link to post
Share on other sites

Although I did not limit the number of months that you could enter, it's my personal recommendation not to exceed 1-2 years. Fortunately every time you use the links provided it will download the most up-to-date agent installer to be used. On the other hand, I have no idea what CW Automate developers plan to do or change in the future. None of us expected the typical generic installers would be locked down, and they might also make changes to the Deployment.aspx or `installertokens` table in the future. The official web portal only creates these tokens for 24 hours and clears out expired tokens in a nightly routine. Time will tell...

 

Share this post


Link to post
Share on other sites

Thanks Chuck, unfortunately, I'm meeting with an error that the Automate Server or token parameters was not entered or was inaccessible

Share this post


Link to post
Share on other sites
Posted (edited)

hmm...Bitdefender is blocking the powershell script that creates the Automate.bat file....not sure how to work around that without putting environments at risk.  It obviously doesn't like system calling powershell (we've had that problem using a batch file with BD to deploy automate).

Kinda makes sense...system running a powershell command to download something from internet.  its exactly what we do not want to be happening..until we do

Edited by Mark Hodges

Share this post


Link to post
Share on other sites

You may have saved me several hours of work. I was getting ready to start working on exactly this same thing, so if you did, thanks in advance! 

Share this post


Link to post
Share on other sites

I must be missing something because every it downloads an installer is says the package cannot be opened. 

 

Logs state:

Automate Installer Exit Code: 1620
Automate Installer Logs: C:\WINDOWS\Temp\Automate_Agent_2020-07-06_10-38-23.log
The Automate MSI failed. Waiting 15 Seconds...
Installer will execute twice (KI 12002617)
Automate Installer Exit Code: 1620
Automate Installer Logs: C:\WINDOWS\Temp\Automate_Agent_2020-07-06_10-38-42.log

 

 

Share this post


Link to post
Share on other sites
Posted (edited)

It took me a minute, but I figured out what happened. The script generated a .bat file with the mac agent token instead of the windows one, I manually edited the bat file and it's working.

 

So basically once I run this I have to go manually edit the bat file with the right installer token. I can't find where it is generating the bat file yet to fix it. 

I found where to fix the issue I'm running into. On the Create GPO on DC script at line at line 46. I adjusted installer_token to installertoken_msi. Once I did this it began working, it makes sense though since the last intaller_token was the mac token. 

 

Thanks again for doing all the heavy lifting! 

 

::---------------------------------------------------------------------------------
::  Script      : Install ConnectWise Automate Agent
::  Version     : 1.0
::  Written by  : Chuck Fowler
::---------------------------------------------------------------------------------
:: The Token "@InstallerToken@" will Expire on @expirationdateutc@ UTC

%windir%\system32\WindowsPowerShell\v1.0\powershell.exe -Command "Invoke-Expression(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Braingears/PowerShell/master/Automate-Module.psm1'); Install-Automate -Server '%redirhostname%' -LocationID @TargetLocationID@ -Token '@InstallerToken_MSI@' -Transcript"

 

Edited by DeWaynePeden
Updated information.

Share this post


Link to post
Share on other sites

The script for deploying the GPO references '@InstallerToken@ when creating the .bat file. Because the last agent generated is the mac agent. So it applies the mac token. When I changed the link at line 46 to create the bat file using @installer_token_MSI@ it pulled the windows token and generated the correct installer. There was no issue downloading an installer, it just downloaded and configured and .msi installer with a mac token so it never worked.

 

I hope that makes sense. 

  • Thanks 1

Share this post


Link to post
Share on other sites
Posted (edited)

@DeWaynePeden Thanks for the update. I've updated the script. 

Remember to update the GPO's .bat file. You can also 'Remove GPO' then 'Create GPO' to replace it after the script has been updated. 

Edited by Braingears

Share this post


Link to post
Share on other sites
Posted (edited)

Bummed that we have to rip out our existing .vbs-based agent installer GPOs, but whatever.
This looks to be a great solution. The token gen works, the GPO deployment works, the LTService install works, but my GPO-deployed test agents are failing to register.

Automate_Deploy.txt is showing several instances of this:

PS>TerminatingError(Get-Date): "Cannot bind parameter 'Date' to the target. Exception setting "Date": "Cannot convert null to type "System.DateTime".""
PS>TerminatingError(Add-Member): "A positional parameter cannot be found that accepts argument '([int]((Get-Date) - (Get-Date (Get-ItemProperty "HKLM:\SOFTWARE\LabTech\Service").HeartbeatLastSent)).TotalSeconds)'."
PS>TerminatingError(Add-Member): "A positional parameter cannot be found that accepts argument '([int]((Get-Date) - (Get-Date (Get-ItemProperty "HKLM:\SOFTWARE\LabTech\Service").LastSuccessStatus)).TotalSeconds)'."

LTErrors.txt is indicating failed signup:

LTService  v200.251     - 7/15/2020 12:42:22 PM     - Failed Signup, Will wait over 30 minutes to try again.:::

But manual execution of the GPO batch file command results in successful agent registration.

Any ideas?

Edited by drinkxon

Share this post


Link to post
Share on other sites

@Braingears This is great! Thanks for putting in the time to build it out and share it.

Agent Deploy - Create GPO on DC script
I noticed that the powershell script on line 49 was missing "Import-Module GroupPolicy" at the start. Once i added this the script ran perfectly.

Share this post


Link to post
Share on other sites

My test states:  ErrorDescription The system cannot find the file specified. 

I delayed the logon script by several minutes due to the possibility of network connections not being up while the script is running but I get the same deal.

 

Event ID 1130

 

  ErrorCode 2 
  ErrorDescription The system cannot find the file specified.  
  ScriptType 0 
  GPODisplayName CW Automate Agent Deployment 
  GPOFileSystemPath \\test.lcl\sysvol\test.lcl\Policies\{670905DF-4B4F-462C-BF29-CEAF296B41EF}\Machine 
  GPOScriptCommandString CWAutomateDeploy.bat 

Share this post


Link to post
Share on other sites
On 7/16/2020 at 10:40 PM, Chris said:

@Braingears This is great! Thanks for putting in the time to build it out and share it.

Agent Deploy - Create GPO on DC script
I noticed that the powershell script on line 49 was missing "Import-Module GroupPolicy" at the start. Once i added this the script ran perfectly.

It's assumed that the domain controller with FSMO roles attached would have the module by default. Please continue to test, if I need to add it, I will. 

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...