zac for Windows (1)

Name

zac - The command line management interface for the Micro Focus ZENworks Agent that is installed and running on Windows managed devices.

Syntax

zac command options

Description

The zac utility performs command line management functions on the ZENworks managed device, including installing and removing software bundles, applying policies, and registering and unregistering the device.

Guide to Usage

Most commands have a long form and a short form:

  • Long form: add-reg-key

  • Short form: ark

When both forms are available, the command is listed as follows:

add-reg-key (ark) arguments

When using the command, enter only the long form or the short form:

zac add-reg-key arguments

zac ark arguments

Arguments can be mandatory or optional. Mandatory arguments are included in angle brackets <argument>. Optional arguments are included in square brackets [argument]. If an argument includes a space, enclose it in quotation marks:

zac ark "arg 1"

Help Commands

/h or --help

Displays information about the commands.

Antimalware Commands

malware-agentstatus (mas)

Gathers the current status of the ZENworks Antimalware Engine for local troubleshooting.

Examples:

zac mas

zac malware-agentstatus

malware-clearfoldersecurity (mcfs)

Clears the security restriction on the %ZENWORKS_HOME%\\zav\\events folder.

Examples:

zac mcfs

zac malware-clearfoldersecurity

malware-disable-onaccess-scans (mdas)

Disables on-access scans for the number of minutes specified in the command. If a time is not specified the default is 60 minutes.

Examples:

zac mdas

zac mdas --15

zac-disable-onaccess-scans --90

malware-enable-onaccess-scans (meas)

Enables on-access scans that are disabled by the malware-disable-onaccess-scans zac command.

NOTE:This command is only an “undo” of the mdas zac command that still has time remaining. This command will not enable on-access scanning if it is disabled in the policy.

Examples:

zac meas

zac malware-enable-onaccess-scans

malware-install (mi) [options]

Installs the Antimalware engine on this device.

Examples:

zac mi

zac malware-install

malware-policy-list (mpl)

Lists all assigned Antimalware policies in the zone, to include Antimalware Enforcement, Custom Scan, Network Scan, and Scan Exclusions policies, if applicable.

Examples:

zac mpl

zac malware-policy-list

malware-quarantine-delete (mqd) [--f <filename> <fileName> ...][--a <Delete ALL files>]

Deletes Antimalware files that are currently in quarantine file. Defaults to deleting all quarantined files.

Examples:

zac mqd --f testfile.exe testfile02.bat

zac mqd --a

malware-quarantine-list (mql) [--filedetails (optional extra details)]

Lists all quarantined files that have been found from Antimalware scans and ondemand events.

Examples:

zac mql

zac mql --filedetails

malware-quarantine-restore (mqr) [--f <filename> <filename>...][--r <restorelocation (Default: Original Path)>][--x <exclude from OnAccess filescan (1), OnDemand filescan (2), Both (4)>][--k <keepCopyInQuarantine (Default is false)>][--o <overwrite file if it exists (Default is false)>])

Restores Antimalware quarantined files to specific locations. Defaults to restoring all files to their original locations while overwriting existing files. The command does not keep a copy in quarantine or exclude from all file scans.

Examples:

zac mqr

zac mqr --r c:\temp --k

zac mqr --x 4

malware-remove (mr)

Removes the Antimalware engine from this device.

Examples:

zac mr

zac malware-remove

malware-reportstatus (mrs)

Gathers the current status of the ZENworks Antimalware Engine and reports it to the ZENworks Server.

Examples:

zac mrs

zac malware-reportstatus

malware-scan (ms)[--full | --quick | --custom <custom policy>]

Scans the device for malware infections using either Full, Quick, Custom, or Network scan.

Examples:

zac ms --full

zac ms --quick

zac ms --custom myCustom policyName

zac ms --custom myNetwork policyName

malware-scan-restart (msrs)

Restarts scans that were previously aborted.

Examples:

zac msrs

zac malware-scan-restart

malware-setfoldersecurity (msfs)

Resets the security restriction on the %ZENWORKS_HOME%\\zav\\events folder to the default setting.

Examples:

zac msfs

zac malware-setfoldersecurity

malware-support (msp)

Creates an Antimalware (AM) diagnostics package in the %ZENWORKS_HOME%\\zav\\diag folder. This takes several minutes and notifications may be displayed on the device if Agent Notification settings are enabled.

Examples:

zac msp

zac malware-support

malware-update (mus) [--signature | --agent])

Updates the ZENworks Antimalware Engine with the latest scan and product definitions.

Examples:

zac mus --agent

zac mus --signature

Authentication Satellite Server Commands

authentication server reconfigure (asr) [-t all|config|casa]

Reconfigures an enabled Authentication Satellite.

Examples:

To fetch the configuration files from the server:

zac asr -t config

To reconfigure the CASA signing certificate:

zac asr -t casa

To reconfigure the entire Satellite:

zac asr -t all

Satellite Role Commands

satellite server reconfigure (ssr) [-t jetty] [-u username] [-p password]

Reconfigures the Jetty web server.

To reconfigure the Jetty web server:

zac ssr -t jetty -u Administrator -p password

Import-satellite-cert (isc) [-pk <private-key.der>] [-c <signed-server-certificate.der>] [-ca<signing-authority-public-certificate.der>] [-ks <keystore.jks>] [-ksp<keystore-pass-phrase>] [-a <signed-cert-alias>] [-cp<signed-cert-passphrase>] [-u <username>] [-p <password>] [ -rc ]

Configures a satellite device with externally signed certificates.

-rc - Confirms reconfiguration of the Satellite Server so that the administrator is not prompted for reconfiguration.

Bundle Commands

bundle-install (bin) <bundle display name>

Installs the specified bundle. Use the bundle-list command to get a list of the available bundles and their display names.

Example:

zac bin bundle1

bundle-launch (bln) <bundle display name> [-noSelfHeal]

Launches the specified bundle. Use the bundle-list command to get a list of the available bundles and their display names.

Example to launch a bundle based on the display name:

zac bln bundle1

Example to launch a bundle based on the display name and turn selfhealing off if the launch action fails (by default, selfhealing is turned on):

zac bln bundle1 -noSelfHeal

bundle-list (bl)

Displays the list of bundles assigned to the device and the logged in user.

Example:

zac bl

bundle-props (bp) <bundle display name>

Displays the status, version, GUID, and requirements information for the specified bundle. Use the bundle-list command to get a list of the available bundles and their display names.

Example:

zac bln bundle1

bundle-refresh (br) <bundle display name or guid>

Refreshes information about the specified bundle.

Example:

zac br bundle1

bundle-uninstall (bu) <bundle display name>

Uninstalls the specified bundle. Use the bundle-list command to get a list of installed bundles and their display names.

Example:

zac bu bundle1

bundle-verify (bv) <bundle display name>

Verifies an installed bundle (specified by bundle display name) to ensure that no files have been removed or corrupted. Use the bundle-list command to get a list of the installed bundles and their display names.

Example:

zac bv bundle1

Certificate Commands

cert-info (ci) [ca certificate file path] [-u <username> -p <password>]

Lists public key certificate information for each known ZENworks server or adds a trusted root certificate to the device trusted store. The file can be in ASN.1 DER format or base-64 encoded delimited by ----BEGIN CERTIFICATE---- and ----END CERTIFICATE--.

Example:

To list the certificate for each known ZENworks server:

zac ci

To add a trusted root certificate to the devices trusted store:

zac ci c:\certs\mytrustcacert.der -u myuser -p mypassword

zac certificate-verify / cv

Verifies if the server certificate and key file copied to the remint repository are valid and updates the results to the server.

Collection Rollup Commands

collection-point (cp)

Shows the status and configuration of the collection role.

Example:

collection-point [wake]

wake - Wakes the modules that perform collection (Inventory, MD status, Message sender)

collection-upload-orphans (cuo)

Finds orphaned files on the Satellite device and rolls them up to the parent collection server or deletes them if they have already been rolled up.

This command builds a list of the files in the folders under zenserver_home\work\collection\ and then tries to find the original upload information for each entry in the collection stats database.

If there is an entry for a file in the database, and it shows that the file has not been rolled up, it rolls the file up. If the entry shows that the file has already been rolled up, it deletes the file on the Satellite device. If there is no entry for a file in the database, the file is rolled up. This command also lists any files that were not uploaded or deleted.

Before running this command, on Linux, you should run the zac crw command and on Windows, the zac cp wake command to send any pending files to the parent server.

Example:

zac cuo

Content Distribution Commands

cdp-checksum (cchk) [-l:<path to log>]

Validates satellite content by computing the checksum on each file.

The optional log file details results of the checksum comparison.

Example:

zac cchk -l:"C:\Program Files\Novell\ZENworks\logs\cchk.log"

cdp-verify-content (cvc) [-c] [-l:<path to log>]

Compares the list of content IDs and their sync states on this CDP with what the Primary Server thinks it should have.

You can use the following options:

  • -c - Computes the checksum on the local content.

Example:

zac cvc -l:"C:\Program Files\Novell\ZENworks\logs\cvc.log"

cdp-import-content (cic) <content path> [-l:<path to log>]

Imports missing content from the directory specified by content-path, logging to the file specified by log-path.

Example:

zac cic c:\import_source_directory -l:"C:\Program Files\Novell\ZENworks\logs\cic.log"

wake-cdp (cdp) [cleanup | replicate [ content type(s)]]

Wakes the Content Distribution Point worker thread. You can use either of the following options:

  • cleanup - Removes any content that should no longer be stored on the Content Distribution Point.
  • replicate - Downloads any new or changed content from the Content Distribution Point’s parent ZENworks Server. One or more content types can be specified. If no content types are specified, all types are replicated.

Examples:

zac cdp

zac cdp replicate

zac cdp replicate Windows-Bundle

This command is applicable only if the agent is promoted as a Satellite Server.

The content types include:

  • Default

  • linux-bundle

  • Policy

  • Macintosh-Bundle

  • Patch-Informational-Bundles

  • zscm-policy

  • subscription-default

  • Patch-Critical-Bundles

  • Patch-System-Bundles

  • subscription-optional

  • Patch-Recommended-Bundles

  • subscription-recommended

  • Imaging

  • SystemUpdate-Agent

  • Patch-Software-Bundles

  • subscription-security

  • Windows-Bundle

    NOTE:The content types are case-sensitive.

Imaging Commands

file-system-guid (fsg) [-d] [-r]

Displays, removes, or restores the workstation GUID in the file system in preparation for taking an image.

For example:

To display the GUID value:

zac fsg

To remove the GUID and also conninfo.dat from the file system:

zac file-system-guid -d

To restore the GUID to the file system:

zac file-system-guid -r

To display the GUID value:

zac fsg

Inventory Commands

inventory [scannow | cdf | -f scannow]

Runs an inventory scan or opens the Collection Data Form.

Example to run an inventory scan:

zac inv scannow

Example to open the Collection Data Form:

zac inv cdf

Example to run a full scan:

zac inv -f scannow

Location Commands

config-location (cl)

Displays the configuration location. The configuration location determines which ZENworks server (or servers) the device connects to for authentication, configuration, content, and collection purposes.

Examples:

zac config-location

zac cl

Logging Commands

logger (log) [resetlog | level [MANAGED|ERROR|WARN|INFO|DEBUG] | managedlevel]

Changes or displays the logger configuration for the ZENworks Agent.

You can use the following options:

  • resetlog - Resets the log.
  • level - If this option is used without a level, it displays the current managed logging level. If it is used with one of the levels, changes the logging level to the specified level.
  • managedlevel - Displays the Global Log level of the zone.

Example to reset the log file:

zac logger resetlog

Example to show the current log level:

zac logger level

Example to set the log level to DEBUG and above:

zac logger level DEBUG

OS Target Command

ostarget (os)

Displays the ostarget record associated with the workstation OS or a specified version string.

Examples:

To display the version string and corresponding ostarget info for the workstation:

zac ostarget

To display the corresponding ostarget info for a specific version string:

zac ostarget "Windows 10 1703 64 Enterprise (Build 15063)"

After running the command OSVersion and OSTargetEntry are displayed.

NOTE:Ensure that both OSVersion and OSTargetEntry are same.

OSVersion: Windows 10 1703 64 Enterprise (Build 15063)

OSTarget Entry: windows10-1703-ent-gen-x64

Product: Windows 10 Enterprise x64 Version 1703

Version: 10.0 1703

Vendor: Microsoft

Primary Role: Workstation

Package Manager: msi

Architecture: x86_64

Patch Management Commands

patch-scan (ps)

Scans the device for patches that are not applied, using the device's current patch signature (DAU) file. The results are then uploaded to the server.

An example to run a patch scan:

zac ps

patch-scan --quick (ps --quick)

Uploads the last scan results to the server; it does not run a new detection scan.

An example to run a quick patch scan:

zac ps --quick

patch-scan --complete (ps --complete)

Scans the device for patches that are not applied, using an updated patch signature (DAU) file. The results are then uploaded to the server.

An example to run a complete patch scan:

zac ps --complete

patch-apply-policy (pap)

Updates devices with the latest version of all patch policies.

An example to run a patch apply policy:

zac pap

patch-quarantine-release (pqr)

Releases any quarantined patches on the device where the command is run from quarantine so that a one-time installation attempt can occur, either from a patch policy schedule or a remediation schedule.

An example to run a patch quarantine release:

zac pqr

patch-distribute-policy, pdp

Distribute all patch policies to the device. This will attempt to distribute all patches that do not match the policy.

patch-download, pd

Downloads the content associated with the specified patch names.

Syntax: zac patch-download (pd) [options]

The following are the available options:

--patch: Name of the patches that should be installed. If you want to install multiple patches, then specify the name of the patches separated by a comma.

Example: zac pd --patch patch_name1, name2, name3

patch-download-catalog, pdc

Downloads the catalog used for scanning the patches.

Syntax: zac patch-download-catalog (pdc)

patch-export-catalog, pec

Exports the patch details in the catalog to the PatchMetadata.csv file.

Syntax: zac patch-export-catalog (pec)

patch-install, pi

Downloads and Installs the specified patch.

Syntax: zac patch-install (pi) [--patch <patch name>]

The following are the available options:

--patch: Name of the patch that should be downloaded and installed.

Example 1: zac pi --patch notepad

In this example, notepad patch will be downloaded and installed.

NOTE:Only one patch can be specified at a time.

patch-list, plp

Lists all the required patches.

Syntax: zac patch-list (plp) [options]

The following are the available options:

--all: List all the patches, including the installed patches.

policy-list, pl

This command returns a list of the policies that are currently enforced on the device. By default, this displays the effective (non-filtered) policies.

zac pl –all

Displays both filtered and non-filtered policies.

Policy Commands

policy-list (pl)

Lists the policies that are currently being enforced on the device (effective policies). To list all policies (effective and non-effective), use the --all option.

Examples:

zac pl

zac pl --all

policy-refresh (pr)

Applies all of the policies assigned to the device and user.

Example:

zac pr

Registration Commands

add-reg-key (ark) <registration key>

Registers the device by using the specified key. Registration with keys are additive. If the device has previously been registered with a key and you register it with a new key, the device receives all group assignments associated with both keys.

Example:

zac ark key12

register (reg) [-g] [-r] [-a <authorization key>] [-k <key>] [-u <username> -p <password] <ZENworks Server address:port>

Registers the device in a Management Zone.

To execute this command you must have Create/Delete device rights for the folder that you are attempting to register.

You can use the following options:

  • g - Lets you create a new device object with a new GUID and password for the device if you have multiple devices with the same GUID. When you register a device by using this switch, all the associations (policies and bundles) assigned to the original device object are removed. You cannot use this option to create a new GUID for a Primary Server or a Satellite device. The local user must have Local Administrator rights to use this option.
  • k - Lets you register the device using the specified registration key.
  • p - Lets you specify the Management Zone administrator’s password.
  • u - Lets you specify the Management Zone administrator’s username.
  • r - Lets you to reset the device password and then register the device.
  • a - Lets you specify the authorization key to authorize the device.
  • The Authorization key is stored locally in the ZENworks agent. The key can be added/updated in the agent using this option.
  • This option cannot be used along with the other options.

Examples:

zac reg -k key1 https://123.456.78.90

zac reg -k key1 -u administrator -p novell https://zenserver.novell.com:8080

The port number is required only if the ZENworks Server is not using the standard HTTP port. If a username and password are not supplied, you are prompted for them.

NOTE:

  • The -g and -k options will not be honored if the corresponding device object is already present on the server and reconciliation takes place with that device object.

  • When you modify or update the GUID using the -g option, then audit and messages generated with the old GUID will be lost.

reregister (rereg)[-u <username> -p <password>] <new guid>

Registers a device in the current zone and assigns it the GUID of an existing device object. The currently associated device object is deleted.

To execute this command you must have Create/Delete device rights for the folder on which you are attempting to reregister.

For example, if you image a device after replacing the hard drive, the device might get a new GUID. However, by using the reregister command, you can assign the device’s GUID that it had before you replaced the hard drive.

Examples:

To reregister, specify a username and password:

zac reregister -u myuser -p mypassword eaa6a76814d650439c648d597280d5d4

To reregister and be prompted for a username and password:

zac reregister eaa6a76814d650439c648d597280d5d4

NOTE:

  • The -g and -k options will not be honored if the corresponding device object is already present on the server and reconciliation takes place with that device object.

  • When you modify or update the GUID using the -g option, then audit and messages generated with the old GUID will be lost.

unregister (unr) [-f] [-s] [-a] [-u <username> -p <password>]

Removes the device’s registration from the Management Zone.

To execute this command you must have Create/Delete device rights for the folder on which you are attempting to unregister.

Example:

To force a device to unregister locally when a server cannot be contacted:

zac unr -f -u myuser -p mypassword

To unregister locally and suppress prompting for a user name and password:

zac unr -s

Use -a option to unregister asynchronously. With this option server deletes the device asynchronously.

The -a, -f, -u, and -p parameters are optional. If you don’t use the -u and -p parameters, you are prompted to enter a username and password. The -f parameter ignores the ZENworks database and forces the device to be unregistered locally; this option is necessary only if the device object has already been deleted from the ZENworks database or if the device cannot connect to the database. If -a option is specified, ZENworks server returns the unregister call quickly, but deletes the device object asynchronously from the database at a later point of time. If your device deletion is not complete and tries to register the device again, then the ZENworks server displays an error. If there is large amount of data associated with the device in the database, it might take long time to delete the device. Ensure that -a option is used when actual device deletion on server takes long time and causes the agent unregister command to timeout.

NOTE:Running the UNR command might cause high utilization of the database. This might be due to any of the following reasons:

  • The UNR command is running on the server.

  • The zone contains a large number of managed devices.

  • The managed devices have a huge history.

  • Patch Management is enabled.

reestablish-trust (retr) [-u <username> -p <password>]

Reestablishes trust with the current Management Zone. The username and password used must be of the Zone Administrator.

Example:

zac retr -u myuser -p mypassword

The -u and -p parameters are optional. If you don’t use the -u and -p parameters, you are prompted to enter a username and password.

Remote Management Commands

request-remote-session, rrs

Requests a remote management session from the managed device even in the absence of the Z-icon. This command is available on managed devices with 11.3.1 and later versions.

Examples:

zac request-remote-session

zac rrs

Status Commands

cache-clear (cc)

Clears the ZENworks cache on the device. This removes all entries in the cache database and deletes any cache files associated with those entries.

Example:

zac cc

NOTE:If your ZENworks administrator has enabled the self defense feature for the ZENworks Agent, you must supply an override password before running the zac cc command. Otherwise, you receive the following message:

You do not have permission to clear the cache. Please contact your ZENworks administrator.

You must request the override password from your ZENworks administrator. If he has not set an override password, he must do so before you can use the command. After you receive the password:

  1. Double-click the ZENworks icon (z-icon) in the system tray, click Agent (under Status), then click the Policy Override link in the Agent Security Settings section to display the About box.

  2. Click Override Policy, enter the override password, then click Override.

  3. Go to a command line prompt and run the zac cc command.

  4. After the cache is successfully cleared, return to the About box and click Load Policy to disable the password override.

dump-prop-pages (dpp) <target directory>

Outputs the HTML pages displayed in the ZENworks icon’s property pages to files in the specified target directory.

Example:

zac dpp c:\temp

get-settings (gs) <key>

Settings are downloaded by the Settings Module to the local cache on every refresh. This will return the effective settings associated with the given key.

Example:

zac gs key1

All valid ZENworks settings keys are stored in the %ZENSERVER_HOME%\cache\zmd\settings directory.

Example to list the Remote Management settings:

zac gs RemoteManagement

refresh (ref)[general | partial bundle <Bundle Display Name> [bypasscache]

Initiates a general refresh to refresh all bundles, policies, registration, and configuration settings; initiates a partial refresh to refresh all policies, registration, and configuration settings.

Use bypasscache to avoid using data from the server cache during the refresh. This option is useful for testing or troubleshooting.

Examples:

zac ref general bypasscache

zac ref partial bypasscache

set-proxy (sp) [options] <IP address/Hostname:port>

Specifies a proxy to contact rather than contacting a ZENworks Server directly.

The options are:

  • --default - Sets a proxy that can be overriden by proxy settings from the Management Zone.
  • --clear - Clears the current proxy, but will use proxy settings from the Management Zone.
  • --ipv6 - sets an IPv6 proxy.

Examples:

IPv4:

zac sp 123.456.78.90:2349 administrator novell

zac sp /default 123.456.78.90:2349

zac sp /clear

IPv6:

zac sp /ipv6 [2001:db8:0:1:1:1:1:1]:2349 administrator novell

zac sp /default /ipv6 [2001:db8:0:1:1:1:1:1]:2349

zac sp /clear /ipv6

If a username and password is not specified, then you will be prompted to enter them.

winproxy-refresh (wpr)

Queries the Management Zone for proxy work assigned to this device.

Example:

zac wpr

zenhttp-status(zhs)

Lists port and status of the web server.

Example:

zac zhs

This command is applicable only if the agent is promoted as a satellite.

info-collect (zeninfo) [<targetfile>] [-q]

Collects ZENworks support information, including cache data, configuration data, debug logs, product installation information, refresh times, status events, and basic system information. The information is packaged into a ZIP file and placed in the location you specify. If you do not specify a location, ${TEMP}\zeninfo-${DateTime}.zip is used for Windows and ${TMPDIR}\zeninfo-${DateTime}.zip is used for Linux. If you are experiencing problems with a managed device, Micro Focus Support might ask you to run this command and send the resulting ZIP file to Micro Focus to help troubleshoot your problem.

You can use the following option:

  • q - Skip launching explorer after collection.

The zeninfo command can be run by the local administrators. If you are not a local administrator and you run the command, the system prompts you to enter the administrator credentials. You can also set the AllowZenInfoWithoutAdminPwd string value to True, which enables any user to run the zeninfo command. To set the AllowZenInfoWithoutAdminPwd string value, do the following:

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\.

  3. Set the AllowZenInfoWithoutAdminPwd string value to True.

WARNING:If the AllowZenInfoWithoutAdminPwd string value is set to True, the sensitive ZENworks Configuration Management settings and configuration information is visible also to the users who are not the local administrators.

zone-config (zc) [-l]

Displays information about the ZENworks Server that the device is accessing for configuration information (the Configuration server) or lists the information for the Configuration server.

Examples:

zac zc

zac zc -l

statussender (sts)

This command rolls up status information to the Primary Server. You can either roll up information that was updated since the last time the status was rolled-up or you can roll up the complete status information.

Examples:

To roll up status information that was updated since the last successful status roll up:

zac sts rollup

To roll up status information on the same thread

zac sts rollup syn

To roll up complete status information:

zac sts rollup full

NOTE:From the ZENworks 2020 release onwards, the zac bsr command has been deprecated. Execute the zac sts command to roll up bundle status information.

System Update Commands

zac zeus-refresh / zeus-ref

Retrieves the system update when it is assigned to a device.

NOTE:This command is not applicable on Satellite Servers.

zac system-update-report-status / surs

Enables administrators to resend the system update status to the server immediately.

ZENworks Endpoint Security Management Commands

zac zesm-refresh / zesm-ref

Resets the ZENworks Endpoint Security Management cache on the managed devices.