Monday, October 20, 2008

Blog Post: you cannot use GFI Endpoint Security due to the remote HW/Registry lockdown policy in Windows Vista SP1

Hi,

I have been working with the GFI support team for the last couple of weeks to diagnose a problem that looked very hard at first but was easy to spot once we identified the cause. I have several Windows Vista SP1 laptops, since all of them come shipped with it, and we wanted to deploy GFI Endpoint Security, so we were testing the product. Everything worked fine on XP SP3 machines, but on Windows Vista SP1 it didn't work: we couldn't detect the drivers on the machine running Vista SP1, and the error was "Failed to enumerate devices on the machine". If we tried to deploy the agent manually, it complained that we didn't have permission to install the product. So what was going on?


After several hours with Regmon and Filemon, I found that the agent accesses the machine through the Remote Registry service, so you have to:

- Start the Remote Registry service.

- On Vista SP1 machines, you need to allow remote access to the whole HKLM hive.

- The GFI agent service needs to run as domain admin!!!

1. Go to Computer Configuration \ Administrative Templates \ System \ Device Installation
2. Double click on "Allow Remote Access to the PnP interface" and enable the policy
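Since each of the steps above widens what a remote caller can reach on the laptop, here is an added audit script (not from the post or from GFI) that reports those settings on the local Vista SP1 host so you can see the exposure and tighten it after testing. It assumes the "Allow Remote Access to the PnP interface" policy is stored as the DWORD AllowRemoteRPC under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings, that remote registry permissions are the ACL on the winreg key, and that the GFI agent's service name contains "GFI"; all three are assumptions, not facts from the post.

```powershell
# Audit of the three settings the post opened up. Run locally on the Vista SP1 host.
# WMI is used for services because Get-Service on Vista-era PowerShell has no StartMode.
$findings = @()

# 1. Remote Registry service: the agent needs it, but it is also a remote entry point.
$rr = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
if ($rr) { $findings += "Remote Registry service: state=$($rr.State), startmode=$($rr.StartMode)" }
else     { $findings += "Remote Registry service: not installed" }

# 2. Who may reach the registry remotely: the ACL on the winreg key (assumed location).
$winreg = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"
if (Test-Path $winreg) {
    $acl = Get-Acl -Path $winreg
    foreach ($ace in $acl.Access) {
        $findings += "winreg ACL: $($ace.IdentityReference) $($ace.AccessControlType) $($ace.RegistryRights)"
    }
} else {
    $findings += "winreg key missing: remote registry access is not restricted by ACL"
}

# 3. The PnP remote access policy (assumed value name AllowRemoteRPC = 1 when enabled).
$pnpKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings"
$pnp = Get-ItemProperty -Path $pnpKey -Name AllowRemoteRPC -ErrorAction SilentlyContinue
if ($pnp -and $pnp.AllowRemoteRPC -eq 1) {
    $findings += "Allow Remote Access to the PnP interface: ENABLED"
} else {
    $findings += "Allow Remote Access to the PnP interface: not enabled (default)"
}

# 4. Account the agent service runs under (assumes the service name contains 'GFI').
# The post ran it as domain admin; this shows whether that is still the case.
Get-WmiObject Win32_Service -Filter "Name LIKE '%GFI%'" | ForEach-Object {
    $findings += "Agent service $($_.Name) runs as $($_.StartName)"
}

$findings
```

Run it once before enabling the agent and once after, and compare the two outputs to see exactly what changed on the host.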


Finally it works; now we need to test it out. Please read more about the security lockdown settings of Windows Vista and the new registry access restrictions in Windows Vista.

1 comment:

Anonymous said...

It's relatively very easy to disable the GFIEndpointSecurity (at least at the moment). Is it good enough?

See my detailed article:
http://me.enirav.com/?p=554

Thanks,

Nirav Doshi
nirav@inbox.com