Things to check when the Lumension Client Deployment tool fails

Version 1


    Lumension Endpoint Security (LES), all versions


    Certain ports, services and settings need to be in place in order for the HEATsoftware Client Deployment Tool to contact and communicate with the end machine during client deployment.




    Below is a list of common reasons why the HEATsoftware Client Deployment Tool will fail to communicate with the end client machine or fail to successfully complete an installation:

    • Ensure the client time is correct.
    • Check whether a firewall running on the client is blocking TCP/33115, TCP/65129 (65229 if using TLS), UDP/137 and 138, TCP/139 and 445, or RPC port 135. As a test, you could temporarily disable the firewall.
    • Ensure the public key you are using is valid. It must match exactly the one used by the application server.
    • If you are using a policies.dat file with the install, note this expires 2 weeks after generation by default. To extend this please refer to KB 22991 - Increasing the lifetime of a permissions package.
    • The Deployment tool uses services on the remote client which have to be up and running: ‘Server’, ‘Computer Browser’ and ‘Remote Registry’, otherwise it cannot contact the client. Please double check these (perhaps these may be set via GPO also). 
    • If you are deploying to a Vista machine, please see KB 22980 - Cannot query a Vista machine with the Deploy tool for a known issue with Vista deployments and how to resolve it.
    • It may be a DNS issue (we use NetBIOS). A test would be to include an entry for the client machine in the HOSTS file on the application server and retry.
    • Ensure the account you are running the deployment with has sufficient rights to access the remote registry. (It should have administrator rights on the client machine.)
    • We use NetBIOS, so please ensure there is no duplicate machine on the network.
    • Ping the machine name. Check that the address it resolves to is that of the endpoint machine. As a test, ensure you can manage the machine via the MMC snap-in and connect via remote registry.
    • Ensure you can connect to the ipc$ share from the server by running the following at a command prompt on the application server itself: net use \\ClientName\ipc$
    • Also check that remote access to the registry is allowed, per Microsoft KB article 314837.
    • The registry may be restricted. An important key to check is:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
      At least the local admin group (full access) and the Local Service group (full read access) should be listed there.
    • “Client for Microsoft Networks” and “File and Printer Sharing” need to be checked (from Network properties) on the client.
    • The admin$ share needs to be enabled and accessible on the client. If it is not, you will not be able to use the Sanctuary Client Deployment tool to deploy the client, as we need to copy the installation files locally.
    • ‘Use simple file sharing’ (from folder options in Windows Explorer on the client) has to be unchecked.
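
    Several of the checks above can be run in one pass from the application server. The script below is an added example, not part of the original article or of the product: the function name Test-DeployPrereq and the client name CLIENT01 are hypothetical, and it assumes Windows PowerShell 5.1 running under the account used for the deployment.

```powershell
# Added example: pre-flight checks for one client, run from the application server.
# Test-DeployPrereq and 'CLIENT01' are hypothetical names used for illustration.
function Test-DeployPrereq {
    param([string]$Client = 'CLIENT01')

    function Out-Check($Check, $Ok, $Detail) {
        [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }
    }

    # Name resolution: compare the reported address with the client's real one.
    try   { $ip = [System.Net.Dns]::GetHostAddresses($Client) -join ', '
            Out-Check 'Name resolution' $true $ip }
    catch { Out-Check 'Name resolution' $false $_.Exception.Message }

    # RPC and SMB/NetBIOS session ports from the checklist. The LES ports and
    # UDP/137-138 are not probed: a TCP connect test needs a listener and cannot test UDP.
    foreach ($port in 135, 139, 445) {
        $open = Test-NetConnection -ComputerName $Client -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        Out-Check "TCP/$port" $open
    }

    # 'Server', 'Computer Browser' and 'Remote Registry' by their service names.
    foreach ($name in 'LanmanServer', 'Browser', 'RemoteRegistry') {
        $svc = Get-Service -ComputerName $Client -Name $name -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.Status } else { 'not found or not reachable' }
        Out-Check "Service $name" ($svc.Status -eq 'Running') $state
    }

    # ipc$ session, then admin$ (the tool copies the installation files there).
    net use "\\$Client\ipc$" 2>&1 | Out-Null
    Out-Check 'ipc$ share' ($LASTEXITCODE -eq 0) "net use exit code $LASTEXITCODE"
    net use "\\$Client\ipc$" /delete 2>&1 | Out-Null
    Out-Check 'admin$ share' (Test-Path "\\$Client\admin$")

    # Remote registry access and the permissions on the winreg key.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Client)
        $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg')
        $acl  = $key.GetAccessControl().Access |
                    ForEach-Object { "$($_.IdentityReference)=$($_.RegistryRights)" }
        Out-Check 'winreg key' $true ($acl -join '; ')
    } catch { Out-Check 'winreg key' $false $_.Exception.Message }
}

Test-DeployPrereq -Client 'CLIENT01' | Format-Table -AutoSize -Wrap
```

    Any row with Ok = False points to the matching item in the list above. The firewall and time checks on the client itself still need to be done by hand.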

    If you still face issues, please contact support and provide the information below to help us resolve the issue more quickly:

    • Please verify the exact version of LES you are running (server and client) 
    • Please send a screenshot of the error you are getting
    • Advise on the client OS in question. Have other clients install okay?
    • Advise on any additional configuration you have performed in the Deployment Tool for this package/machine.
    • Please send in the client installation log files if present (refer to KB 22970 - Obtaining various log files from Lumension Endpoint Security). These will provide valuable information as to why an installation attempt has failed once it has kicked off.

    You may choose to roll out the LES client by other methods, using MSIEXEC.exe and supported switches instead of the Client Deployment Tool. The Client Deployment Tool is not designed for large-scale deployments. Please refer to KB 23349 - How to install the LES client using Windows Installer/MSIExec for more info.