Important Information About Your AIS Agent Installation Package


    Overview

    =======

    Every Asset Inventory Service (AIS) agent installation package contains a certificate that identifies the account of the AIS subscriber. This certificate is used to ensure that inventory reported by an agent is associated with the correct account when it is received at the AIS web service.

    This certificate has a lifetime of 3 years. After this time, the installation package cannot be used to successfully enroll new agents, although existing agents will continue to function just fine. A notification will be displayed in the console for those accounts that are approaching the 3-year threshold (approximately 60 days before the certificate expires). The systems administrator of the AIS account should then download the new agent installation package, which is available from the normal download page in the AIS console.

    The AIS service supports multiple agent installation packages per account. This means that the original package and the new package can both be used to install new agents. This allows a transition period where an organization can change their procedures to use the new installation package. Eventually, however, the certificate in the original installation package will expire, after which time only the new package should be used.

    Frequently Asked Questions

    =======================

    What do I do if I see the following announcement on my home page:

    “Your original AIS agent installation package expires on <expiry date>. Please download your new agent installation package and use it for all future installations. [Computers that had the original agent installation package installed before <expiry date> do not have to be updated.]”

    This means that your original agent installation package is going to expire soon, and you need to download a new one and use that for agent installations. The message will typically be shown 60 days before the package expires. You can continue using the original installation package until the date in the announcement, but it is recommended that you start using the new one as soon as possible.

    When I go to the client deployment area, there’s no option to download a new installation package

    If you see the expiry announcement on the home page, the service will have generated a new installation package for your account. You download it the same way you downloaded the original package: visit the Client Deployment area of the Management and Support workspace and click the link that says “Download Client Here”. You can verify that you have downloaded the latest package by viewing the properties of the downloaded file as follows:

    - Select the file and display the property page
    - Select the Digital Signatures tab and view the Signature List
    - Locate “Microsoft Corporation” in the list and double-click it
    - The Signing Time on the displayed property page should be Nov 2010.

    What happens if I carry on using the original installation package?

    If the announcement is shown on the home page and you continue to use the original installation package after the date shown in the message, you will not be able to successfully enroll agents into the AIS service. The installation will be successful, but when the agent attempts to enroll in the service, it will be rejected. The only way to correct this situation is to download the new installation package from the service and install that on the affected machines. [see below: How do I correct a failed installation?]

    What do I do if I see the following announcement on my home page?

    “Your original AIS agent installation package expired on <expiry date>. Please download your new agent installation package and use it for all future installations. [Computers that had the original agent installation package installed before <expiry date> do not have to be updated.]”

    This means that your original agent installation package has expired. If you obtained a new installation package and phased out the old package before the date of expiry, then you have no further actions to take. If, however, you have been attempting to deploy agents using your original agent installation package, then you need to take the following actions:

    - Stop using the original installation package
    - Download a new agent installation package from the AIS console by visiting the Client Deployment area of the Management and Support workspace and clicking the link that says “Download Client Here”
    - Start using the new installation package for all future installations
    - Identify the machines where an attempt was made to install the AIS agent with the expired installation package.
        - These will be machines where the agent was recently installed, but which are not displayed in the console.
        - For these machines, re-run the install with the new package [see below: How do I correct a failed installation?]

    How do I correct a failed installation?

    If you identify a machine where an attempt was made to install an AIS agent, but the enrollment failed because the agent installation package had expired, proceed as follows:

    - Option #1
        - Uninstall the AIS agent
            - Asset Inventory Service Tips and Troubleshooting
                - Tip: How to remove the AIS client software
        - Run the installation using the new agent installation package

    - Option #2
        - Run the installation using the following MSI flags: REINSTALLMODE=vomus
            - For example: msiexec /I <path to new .msi file> REINSTALLMODE=vomus

    Note: If you simply run the new agent install on the failed machine (without following either of these options), it will not successfully update the agent configuration and enroll with the service.

    How do I know when my agent installation package will expire?

    The following steps describe how to determine when an agent installation package was signed. If the current date is less than 3 years from this date, the package can still be used to install and enroll an agent:

    - Locate the agent installation package
    - Select the installation package file and display the property page
    - Select the Digital Signatures tab and view the Signature List
    - Locate “Microsoft Corporation” in the list and double-click it
    - If the Signing Time on the displayed property page is less than 3 years ago, then the package can still be used to install and enroll an agent.

    Why does the certificate in the agent installation package expire after 3 years?

    Certificates have an expiry date to reduce the time period available to an attacker. Three years was adopted as a reasonable balance between renewing the agent installation packages and providing acceptable security for user accounts.

     


    Paul Bourgeau (MSFT)
    22 November 2010 18:05
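
The expiry check and the failed-install triage described in the FAQ above can be scripted once the Signing Time has been read from the Digital Signatures tab. The following is an added example, not code from the original post or from the AIS service; the host names, dates and the deployment-log layout are constructed for illustration, and the 60-day window is treated as exact although the post calls it approximate.

```python
from datetime import datetime, timedelta

LIFETIME_YEARS = 3   # certificate lifetime stated in the post
NOTICE_DAYS = 60     # console notice appears approximately 60 days before expiry

def expiry_from_signing_time(signed):
    """Signing Time plus 3 years; a Feb 29 signing date maps to Feb 28."""
    try:
        return signed.replace(year=signed.year + LIFETIME_YEARS)
    except ValueError:  # Feb 29 in a target year that is not a leap year
        return signed.replace(year=signed.year + LIFETIME_YEARS, day=28)

def package_status(signed, now):
    """'usable', 'renew-now' (inside the notice window) or 'expired'."""
    expiry = expiry_from_signing_time(signed)
    if now >= expiry:
        return "expired"
    if now >= expiry - timedelta(days=NOTICE_DAYS):
        return "renew-now"
    return "usable"

def machines_to_repair(installs, enrolled):
    """Hosts installed from an already-expired package and absent from the console."""
    return sorted(
        host for host, installed_at, signed in installs
        if host not in enrolled and installed_at >= expiry_from_signing_time(signed)
    )

# Constructed sample data (hypothetical hosts and dates, not from the post).
OLD_SIGNED = datetime(2007, 12, 3, 9, 0)
NEW_SIGNED = datetime(2010, 11, 15, 9, 0)
INSTALLS = [
    ("ws-01", datetime(2010, 11, 30, 10, 0), OLD_SIGNED),  # before expiry: fine
    ("ws-02", datetime(2010, 12, 10, 10, 0), OLD_SIGNED),  # after expiry: enrollment rejected
    ("ws-03", datetime(2010, 12, 10, 11, 0), NEW_SIGNED),  # new package: fine
    ("ws-04", datetime(2010, 12, 12, 10, 0), OLD_SIGNED),  # after expiry: enrollment rejected
]
ENROLLED = {"ws-01", "ws-03"}  # hosts displayed in the AIS console

if __name__ == "__main__":
    now = datetime(2010, 11, 22, 18, 5)
    print("old package:", package_status(OLD_SIGNED, now))
    print("new package:", package_status(NEW_SIGNED, now))
    for host in machines_to_repair(INSTALLS, ENROLLED):
        print(f"{host}: reinstall with the new package (uninstall first, or REINSTALLMODE=vomus)")
```

Machines installed before the expiry date are deliberately excluded from the repair list, since the post states they do not have to be updated.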