When you deploy a software package to a Windows agent, the installation program starts in the SYSTEM context.
In Windows versions before Vista, all services ran in Session 0 and applications started in the SYSTEM context. This posed a security risk. In Windows Vista and later versions, the operating system isolates services in Session 0 and runs applications in other user sessions, so services are protected from attacks that originate in the application code. Windows Vista and later versions also add an Interactive Services Detection service. When this service is running, it detects whether any application must show a user interface, then displays the Interactive Service Detection dialog so that the user can switch to Session 0 and continue. For more information about the Interactive Services Detection service, see the Microsoft documentation.
In Windows Vista and later, the Interactive Services Detection design change created an issue for interactive software installations that require user input.
If the software being deployed has the following characteristics, the installation remains in Session 0 awaiting user input:
Because no input UI is displayed, the Software Delivery job times out.
The Software Delivery agent has supported this scenario since CA ITCM r12 SP1 by turning on the Interactive Services Detection service, allowing user input, then turning off the service before exiting.
To ensure the ability to install interactive software even if the software is not session-aware and to completely remove the dependency on the Interactive Services Detection service, CA ITCM now provides an option to specify that a software package being registered or deployed is interactive and requires user interaction on the agent computer.
To use this functionality, the administrator selects the Enable user interaction (Win LH Only) option in the procedure options when registering a software package or in the job settings when deploying a package. The agent starts the software installer in the user sessions that are currently logged in and active, and still starts it in the SYSTEM context.
Note: This feature helps you install interactive applications; however, it compromises the isolation feature that Microsoft provides to increase security. Use this feature carefully.
For software packages that were sealed before DM upgrade, an available option lets you enable user interaction (even in sealed state) as long as you do not select the Prevent user from being logged on while the job executes option.
If no users are logged in, the SD Agent waits for a user to log in, then runs the job.
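An audit an administrator might run on an agent where Enable user interaction is in use, added here as an example and not part of the CA ITCM documentation: it lists processes owned by LocalSystem that run outside Session 0, which is the state this option produces while an interactive job is active. The allowlist of expected Windows processes is an assumption to tune for your build; UI0Detect is the Windows service name of Interactive Services Detection.

```powershell
# Added example: audit for LocalSystem processes running outside Session 0.
# Run from an elevated prompt so that owners of other sessions' processes can be read.

$systemSid = 'S-1-5-18'   # well-known SID of LocalSystem (language independent)

# Assumed baseline: Windows processes that normally run as SYSTEM inside a
# user session. Adjust this list for your OS build and installed software.
$expected = @('csrss.exe', 'winlogon.exe', 'LogonUI.exe')

$findings = foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    if ($proc.SessionId -eq 0)          { continue }   # isolated services session
    if ($expected -contains $proc.Name) { continue }   # known baseline

    # GetOwnerSid returns nothing if the process has exited or access is denied.
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid `
                              -ErrorAction SilentlyContinue
    if ($null -eq $owner -or $owner.Sid -ne $systemSid) { continue }

    [pscustomobject]@{
        SessionId   = $proc.SessionId
        ProcessId   = $proc.ProcessId
        Name        = $proc.Name
        Started     = $proc.CreationDate
        CommandLine = $proc.CommandLine
    }
}

if ($findings) {
    $findings | Sort-Object SessionId, Name | Format-Table -AutoSize -Wrap
} else {
    'No unexpected LocalSystem processes found outside Session 0.'
}

# Report whether Interactive Services Detection exists and is running.
# The service is absent on newer Windows releases, hence SilentlyContinue.
$isd = Get-Service -Name UI0Detect -ErrorAction SilentlyContinue
if ($isd) {
    "Interactive Services Detection (UI0Detect): $($isd.Status)"
} else {
    'Interactive Services Detection (UI0Detect) is not present on this system.'
}
```

A SYSTEM-owned installer window in a user session is reachable by that user's own processes, so entries that persist after the job window closes are worth investigating.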
This feature uses the following configuration parameters in specific situations related to Logon Shield and restart/logoff. These parameters reside under DSM > Software Delivery > Agent:
Specifies the session in which the job runs on agents that run Windows Vista and later versions.
Values:
Default: TRUE
Limits:
Specifies the SD Agent behavior when the Logon Shield status is Wait until user logs off before job executes or Force user to log off before job executes and Enable user interaction (WinLH only) job property is TRUE.
Values:
Default: FALSE
Specifies the following actions:
Values:
Default: TRUE
Limits: This parameter applies when there are no users logged on to the computer and Interactive Jobs: Run in user session on Longhorn OS family is TRUE.
Copyright © 2013 CA.
All rights reserved.