Hi everyone,
I have come here in the hopes that someone more skilled/experienced than I am can help me out. I’m still relatively new to SCCM/MECM and have been working on supporting our Application deployments. We’ve recently been given the new Cisco Secure Client 5.1.5.65 from EnterpriseNetworks and have been asked to get our clients upgraded to the newest version.
Here’s our current situation.
Could have multiple other lower versions of Anyconnect installed. Could have Start Before Login (SBL) installed. We are hybrid so anyone could be using the VPN at any moment. As far as I’m aware, SBL needs a restart if it gets uninstalled/installed.
I came across this post from 3 years ago that sounds like it would work for our situation https://www.reddit.com/r/SCCM/comments/njr1vu/how_to_upgrade_cisco_anyconnect_client_using_sccm/
In essence, I have deployed an application with the initial PSADTK script, let’s call it script 1, that will create the necessary local folders and copy from ccmcache all of the required files, which includes the install script (script 2), and create the task schedule to run script 2. Script 2 runs on startup and is responsible for ensuring that all versions less than 5.1 are uninstalled, installs the latest one, removes the task schedule and then deletes the local files.
However, I’m unsure how to set detection rules to confirm that Secure Client has installed successfully after the computer has restarted, as it’s now running a local Task Schedule and using a separate PSADTK script to actually do the installation. As of this moment, once script 2 runs and does all of the cleanup, the Detection rules will fail and make the application available again, which essentially turns into a loop.
Any help or guidance would be greatly appreciated!
Thanks!
We simply ran the installer that our security guy compiled from the CSE backend with no wrapper at all.
“CSE_Installer_made_from_backend.exe” /R /S /desktopicon 0 /startmenu 0
Then we detected with a reg key
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Immunet Protect
DisplayVersion>=7.5.5.21061
That’s it. We had several installers, one for workstations, one for Domain Controllers, one for Servers, one for VMs. Each of those had unique custom policy built into the installer.
edit: we are now removing this piece of &^#$ product across all assets and going back to Defender. We have had numerous outages due to the performance of this product. Burned so many times over the last 4 years that I lost count.
If you have access to the Cisco website, go and download the ‘Cisco Secure Client Pre-Deployment Package (Windows) - includes individual MSI files’ zip file.
For the PSADT:
Pre-install section:
- Run Stop-service for each of the following processes:
vpnagent, vpnui, csc_ui, csc_vpnagent
- We are running umbrella so we also kill csc_umbrellaagent
Install section:
Just run Execute-MSI for each MSI with parameter ‘/q /norestart’
For the Deployment Type Detection Method, you can import multiple MSI Files.
E.G. we import both the “core-vpn” MSI as well as the “Umbrella” MSI.
We target our app to only install after hours and it will forcefully. We also setup our detection method to force a reboot.
This works for us, might not work for you.
We normally tell them to do the upgrade via the gateway so when people connect it installs latest build.
Then mop up what is left later.
If you have version 4.x to 5.x or installing NAM module make sure you test. There are 2 bugs upgrading.
Bugs:
CSCwd65721
CSCvw79615
I’ve been using the scheduled task on the next reboot with the double PSADT mentioned in that post. Before, I had many failures, probably about 30% or more; now it’s almost 100% every version. It’s great; it runs the installer as SYSTEM on the next login. I did have to modify it because it wasn’t running off power, which I had to have.
# Run at system startup as SYSTEM, so no user needs to log on for the install to fire
$Trigger = New-ScheduledTaskTrigger -AtStartup
$User = "NT AUTHORITY\SYSTEM"
# Default task settings refuse to start (and stop) on battery; override both so laptops off power still install
$SCHSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Priority 5
# PowerShell.exe receives the command line as -Command and launches the staged PSADT bootstrapper silently
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\ITutils\Setup\Cisco\AnyConnect\Deploy-Application.exe -DeployMode Silent"
# -Force replaces an existing task of the same name instead of failing on re-run
Register-ScheduledTask -TaskName "Cisco_Install" -Trigger $Trigger -User $User -Action $Action -Settings $SCHSettings -RunLevel Highest -Force
Just deploy the k9 msi files for the modules. Super easy, smooth upgrade.
What detection do you have to deploy script 1? If script 1 just copies the content and creates a scheduled task then create a reg key as detection. Then your scheduled task will run script 2 that’s cached and install the required VPN version.
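As an added example (not from any of the posters), a script-based detection rule for the two-script approach described in this thread: it reads DisplayVersion from the Uninstall keys the way the Secure Endpoint reply above does, compares it as a [version] rather than as a string, and also reports "installed" while the staged task is still pending so that script 1 is not offered again in a loop. The marker key path and the DisplayName patterns are assumptions; the task name is the one from the scheduled-task snippet above.

```powershell
# Added example: SCCM "script" detection method for a staged (two-script) install.
# SCCM semantics: anything written to STDOUT with exit code 0 means "installed";
# nothing written and exit code 0 means "not installed".
# Compliant if either
#   (a) Cisco Secure Client >= 5.1 is present in the Uninstall registry, or
#   (b) script 1 has staged the install (marker key + scheduled task) and the reboot is pending.

$RequiredVersion = [version]'5.1.0.0'
$MarkerKey       = 'HKLM:\SOFTWARE\Contoso\CiscoSecureClientStaged'   # assumed; written by script 1, deleted by script 2
$TaskName        = 'Cisco_Install'                                    # task name used in the thread's snippet

function Get-SecureClientVersion {
    # Look in both the native and the WOW6432Node Uninstall hives; Cisco's MSIs have moved between them over time.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $versions = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Cisco Secure Client*' -or $_.DisplayName -like 'Cisco AnyConnect*' } |   # assumed patterns
        ForEach-Object {
            # Compare as [version]: as strings "7.5.5.21061" sorts below "7.10", which is wrong.
            try { [version]$_.DisplayVersion } catch { $null }
        } |
        Where-Object { $_ } | Sort-Object -Descending
    return ($versions | Select-Object -First 1)
}

$installed = Get-SecureClientVersion
if ($installed -and $installed -ge $RequiredVersion) {
    Write-Output "Installed: Cisco Secure Client $installed"
    exit 0
}

# Staged but not yet rebooted: report compliant so SCCM does not re-run script 1 and loop.
$taskPresent = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ((Test-Path -Path $MarkerKey) -and $taskPresent) {
    Write-Output "Staged: $TaskName will install Cisco Secure Client at next startup"
    exit 0
}

# Neither installed nor staged: write nothing, so SCCM treats the application as not installed.
exit 0
```

Script 2 should delete the marker key only after the new version is registered, otherwise there is a window where neither condition holds. On 64-bit clients, untick "Run script as 32-bit process on 64-bit clients" in the detection rule so the native Uninstall hive is visible to the script.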
I’m currently doing a similar upgrade. I wrap everything up in PSADT and detect if they are on VPN. If VPN is running I trigger the deferral prompt and give them a date time to complete it by.
Again, if VPN was running I put a custom prompt asking them to restart and exit with 3010 which will trigger the SCCM restart prompt with 24hr countdown.
I feel like you may be going about that in a complicated way. With PSADT, just add some user prompts to get the apps closed and give deferral options, then complete the install; after the install, enforce a reboot.
Why are you doing it the task scheduler way? I did it 2 years ago when it was AnyConnect, and
Pre-install was
Inform user that there will be force reboot at the end of this app install with 15 min counter before force restarting the machine. (This can be hidden if fully silent install)
Stop services and process
Remove all old config
Remove old anyconnect
Delete old reg values
Install
Create all required folder and copy config over
Install the app modules one by one with sleep 10 sec in between
Post install
Test all config is there
Finally force reboot with 15 min counter on screen or just restart if no user logged in or no interaction
Detection was windows installer
And existence of new config files
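As an added example that is neither this commenter's nor the earlier PSADT poster's script, here is the pre-install / install / post-install sequence the two of them describe, written in plain PowerShell so it runs without the toolkit (in PSADT the same steps map onto Show-InstallationWelcome -CloseApps, Execute-MSI and Exit-Script -ExitCode 3010). It stops the vpnagent/csc_vpnagent services and the vpnui/csc_ui processes, removes every AnyConnect/Secure Client entry below 5.1 by ProductCode, copies config, installs the k9 MSIs one by one with a 10-second pause, verifies the profile and exits 3010. The staging folder, MSI file names, profile directory, profile file name and log path are assumptions.

```powershell
# Added example, not from the thread. Assumed: staging folder, MSI names, profile path, log path.
#Requires -RunAsAdministrator

$MsiFolder  = 'C:\ITutils\Setup\Cisco\SecureClient'                     # assumed staging folder
$MsiOrder   = @(                                                        # assumed file names; Cisco requires the core VPN module first
    'cisco-secure-client-win-5.1.5.65-core-vpn-predeploy-k9.msi',
    'cisco-secure-client-win-5.1.5.65-dart-predeploy-k9.msi'
)
$Services   = 'vpnagent', 'csc_vpnagent', 'csc_umbrellaagent'           # service names mentioned in the thread
$Processes  = 'vpnui', 'csc_ui'                                         # UI processes mentioned in the thread
$ConfigSrc  = Join-Path $MsiFolder 'config'                             # assumed: folder holding the VPN profile XML
$ProfileDir = "$env:ProgramData\Cisco\Cisco Secure Client\VPN\Profile"  # assumed Secure Client 5.x profile location
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

function Invoke-Msiexec([string]$Arguments, [string]$LogName) {
    $log = Join-Path $env:ProgramData "CiscoSecureClient-$LogName.log"
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "$Arguments /qn /norestart /l*v `"$log`"" -Wait -PassThru
    # 0 = success, 3010 = success but reboot required, 1605 = product already gone (harmless on /x)
    if ($p.ExitCode -notin 0, 3010, 1605) { throw "msiexec $Arguments failed with exit code $($p.ExitCode)" }
}

function Invoke-PreInstall {
    # vpnui/csc_ui are processes; vpnagent/csc_vpnagent/csc_umbrellaagent are services
    Get-Process -Name $Processes -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    }
}

function Remove-OldClient {
    # Uninstall every AnyConnect / Secure Client MSI entry below 5.1 by ProductCode (the Uninstall key name).
    # Cisco's guide removes the core VPN module last, so it is sorted to the end (assumed DisplayName pattern).
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { ($_.DisplayName -like 'Cisco AnyConnect*' -or $_.DisplayName -like 'Cisco Secure Client*') -and
                       $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        Where-Object { try { [version]$_.DisplayVersion -lt [version]'5.1' } catch { $false } } |
        Sort-Object { if ($_.DisplayName -match 'VPN$|Secure Mobility Client$') { 1 } else { 0 } } |
        ForEach-Object { Invoke-Msiexec "/x $($_.PSChildName)" "Uninstall-$($_.DisplayVersion)" }
}

function Copy-Config {
    New-Item -ItemType Directory -Path $ProfileDir -Force | Out-Null
    if (Test-Path $ConfigSrc) { Copy-Item -Path "$ConfigSrc\*" -Destination $ProfileDir -Recurse -Force }
}

function Install-Modules {
    foreach ($msi in $MsiOrder) {
        $path = Join-Path $MsiFolder $msi
        if (-not (Test-Path $path)) { throw "Missing installer $path" }
        Invoke-Msiexec "/i `"$path`"" ([IO.Path]::GetFileNameWithoutExtension($msi))
        Start-Sleep -Seconds 10   # the commenter's pause between modules
    }
}

function Test-PostInstall {
    # Verify the deployed profile exists; an SCCM detection rule can check the same path.
    $required = @(Join-Path $ProfileDir 'corp-vpn.xml')   # assumed profile file name
    return -not ($required | Where-Object { -not (Test-Path $_) })
}

try {
    Invoke-PreInstall
    Remove-OldClient
    Copy-Config
    Install-Modules
    if (-not (Test-PostInstall)) { throw 'Post-install verification failed' }
    exit 3010   # tells SCCM a restart is pending; the countdown and the restart itself belong to the deployment
} catch {
    Write-Error $_
    exit 1
}
```

Pair it with a Windows Installer detection rule on the core MSI's ProductCode plus a file rule on the profile, which is the combination this commenter describes.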
This is the best answer here. We too did the same thing. Luckily CSE as a product will easily in-place upgrade the existing product too.
My bad, it looks like they have rebranded Anyconnect with the “Cisco Secure” name. My post above references the Cisco Secure Endpoint.
Unfortunately, we don’t have access to the Cisco site and are using what we are provided. I do like the idea of stopping services to ensure it’s not running while performing the upgrades. The idea is to have it auto-installed but not while someone could potentially be working on their device; a forced restart is out of the question (for now).
May I ask what your detection method was to ensure it was installed?
Ah. Forgot to mention. No user interaction. Silent is preferred
We currently aren’t forcing user interaction.
Appreciate the comment. Unfortunately we have found in place upgrades sometimes mess up actually deleting old files and registries. Especially if vpn hasn’t properly disconnected. But someone mentioned to check net-adapter not in use as a safety measure to check before uninstalling
Unfortunately, we don’t have access
Tell them to 1. get you access or 2. download it when you need it updated.
but not while someone could potentially be working on their device
What are you using to determine this? I have seen using ‘Global Conditions’ to script detecting if the VPN is in use. E.G. Powershell Get-NetAdapter to see if specific interface status is ‘up’.
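As an added example (not from this commenter), the Global Condition this reply and the earlier "check net-adapter not in use" remark point at: a PowerShell script that reports whether the Cisco VPN virtual adapter is up, which SCCM can then use as a requirement rule on the deployment type. It assumes the adapter's InterfaceDescription begins with "Cisco" on your image; confirm that with Get-NetAdapter before relying on it.

```powershell
# Added example, not from the thread: script body for an SCCM Global Condition
# (Setting type "Script", Data type "Boolean"). Attach it as a requirement on the
# deployment type ("Cisco VPN in use" Equals False) so the install is skipped while a
# tunnel is connected and re-evaluated on the next evaluation cycle.
# Assumed: the Cisco virtual adapter's InterfaceDescription starts with "Cisco".

function Test-CiscoVpnInUse {
    # The Cisco virtual adapter reports Status "Up" only while a tunnel is established,
    # and "Disconnected" when the client is installed but idle.
    $vpnAdapters = Get-NetAdapter -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -like 'Cisco*' -and $_.Status -eq 'Up' }
    return [bool]$vpnAdapters
}

# The Global Condition reads the script's output, so the boolean must be the last thing written.
Test-CiscoVpnInUse
```

Because requirement rules are evaluated at deployment time rather than continuously, keep the service-stop step in the install script as well; the Global Condition only stops SCCM from starting while the user is connected.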
If you need reliable silent installs, you really should be getting the MSIs from Cisco. Not sure why you don’t have access, but I would outright refuse to do it any other way. I will have somebody download it while on the phone with me if I have to, but I am going to get the MSI package if the vendor has one.
You have to do it on the original installer folder, unfortunately. You could do it on both the .exe and the folder, but it will keep failing and recopying files every retry until the user reboots. It’s really handy once it’s set up (and you have the double PSADT template); I’ve used this method for very stubborn apps that won’t install no matter what. I’ll usually deploy it before software updates so there’s not a lot of time till a reboot. I usually have it on the install folder and then a device WMI collection with the Secure Client version to monitor how many machines have it.