Creating a Transform (*.MST) File to control installation of Symantec Endpoint Protection
This article is part of a series describing how to leverage Group Policy Software Installation to install SEP automatically, without touching SEPM, when you deploy a computer.
GPO Installs and SEP, Part 1
How to leverage Group Policy Software Installation to install SEP Clients.
https://www-secure.symantec.com/connect/articles/creating-transform-mst-file-control-installation-symantec-endpoint-protection
GPO Installs and SEP, Part 2
How to turn GPO-installed SEP Clients into Managed Clients and assign them to the correct Group. Even if you don’t use GPO installs, this article makes your SEP installation more robust.
https://www-secure.symantec.com/connect/articles/s...
GPO Installs and SEP, Part 3
How to comply with Symantec’s supported upgrade path for MP installations.
https://www-secure.symantec.com/connect/articles/m...
___________________________________________________________________
What is a Transform?
A Transform (*.MST) file lets you collect, in a single file, the installation options for a program that uses the Microsoft Windows Installer. Transforms can be used on the Installer (MSIEXEC.EXE) command line, or in a software installation Group Policy in a Microsoft Active Directory domain.
How can they help me with SEP?
For Symantec Endpoint Protection (SEP), I have found MSTs most useful for controlling the features installed on SEP clients. As a bonus, when SEP is installed using MST files, it is no longer possible to install or remove individual components using Add or Remove Programs in Control Panel, which helps you keep control of the configuration of a managed system.
How do I create one?
We will use Orca, a free utility from Microsoft, to generate the Transform. This Microsoft Knowledge Base article tells you how to obtain and install Orca:
support.microsoft.com/kb/255905
- Launch Orca, click File/Open, navigate to the SEP *.MSI file and click Open. For current versions of SEP, the filenames are Symantec Antivirus.msi and Symantec Antivirus Win64.msi.
- In the Tables pane, click Property.
- Click Tables/Add Row. The Add Row dialog box opens.
- Click the Property row and enter ADDLOCAL.
- Type the names of the Features you want included in this installation, separated by commas. (See below.)
- Click OK.
- Click Transform/Generate Transform and save the MST file with a descriptive name. I use the names of the features included in the Transform as the filename.
What are the SEP features, and how do I specify them?
Use that as a guide for specifying features--except--contrary to the documentation, be aware there is no feature named “EmailTools”. If you include EmailTools in the list, your MST will not work. This may be relevant for using SETAID.INI, but it does not apply to the MST.
For example, to install Antivirus/Antispyware, Proactive Threat Protection, Outlook E-mail snap-in and POP/SMTP e-mail snap-in, you would type this:
Core,SAVMain,OutlookSnapin,Pop3Smtp,PTPMain,COHMain
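The check below is an added example, not part of the original article or of Symantec's tooling: it uses the Windows Installer COM automation interface from PowerShell to apply the MST to the MSI in memory, read back ADDLOCAL (and REBOOT, if set), and confirm that every listed feature exists in the MSI's Feature table, which catches a name such as EmailTools before the package reaches a GPO. The file paths and helper function names are assumptions.

```powershell
# Added example: audit an MST against its MSI before assigning it in a GPO.
# Both paths are placeholders; the MST file name is hypothetical.
param(
    [string]$MsiPath = '.\Symantec Antivirus.msi',
    [string]$MstPath = '.\Core,SAVMain,PTPMain,COHMain.mst'
)

# Late-bound call helper: the Windows Installer COM objects are invoked by name.
function Invoke-MsiMember($Object, [string]$Name,
        [System.Reflection.BindingFlags]$Kind = 'InvokeMethod', $Arguments = $null) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

# Run a Windows Installer SQL query and return the first column of every row.
function Get-MsiColumn($Database, [string]$Sql) {
    $view = Invoke-MsiMember $Database 'OpenView' -Arguments @($Sql)
    Invoke-MsiMember $view 'Execute' | Out-Null
    $rows = @()
    while ($record = Invoke-MsiMember $view 'Fetch') {
        $rows += Invoke-MsiMember $record 'StringData' 'GetProperty' @(1)
    }
    Invoke-MsiMember $view 'Close' | Out-Null
    $rows
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$msi = (Resolve-Path -LiteralPath $MsiPath).Path
$mst = (Resolve-Path -LiteralPath $MstPath).Path
$db  = Invoke-MsiMember $installer 'OpenDatabase' -Arguments @($msi, 0)  # 0 = read-only
Invoke-MsiMember $db 'ApplyTransform' -Arguments @($mst, 0) | Out-Null   # applied in memory only

$features = @(Get-MsiColumn $db 'SELECT Feature FROM Feature')
$addLocal = @(Get-MsiColumn $db "SELECT Value FROM Property WHERE Property = 'ADDLOCAL'")
$reboot   = @(Get-MsiColumn $db "SELECT Value FROM Property WHERE Property = 'REBOOT'")
if ($addLocal.Count -eq 0) { throw "Transform does not set ADDLOCAL: $mst" }

# Feature names are case-sensitive, so compare with the case-sensitive operator.
$requested = @($addLocal[0] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$unknown   = @($requested | Where-Object { $features -cnotcontains $_ })

"ADDLOCAL : $($requested -join ',')"
"REBOOT   : $(if ($reboot.Count) { $reboot[0] } else { '(not set)' })"
if ($unknown.Count) {
    throw "Not in the MSI Feature table (case-sensitive): $($unknown -join ', ')"
}
'Every ADDLOCAL feature exists in the MSI.'
```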
How do I use the MST?
On the command line
In a Group Policy Object
2. Select the SEP MSI file, and then click Advanced. (This is the ONLY opportunity you will have to apply a Transform to this Package.)
3. On the Modifications tab, click Add and select the MST file you created.
Can I put x86 and x64 Packages in the same GPO?
Nothing wrong with that. On the Deployment tab of the x86 Package, click Advanced and turn off Make this 32-bit X86 application available to Win64 machines. Even if you forget, the x86 version won't install, but it will waste a minute or two during every bootup trying. At this writing, some SEP features are not supported on x64, so you'll likely need to use different MST files for the x64 product.
This installs an unmanaged SEP client. How do I make it managed?
This companion article shows you how to use Startup Scripts to drop an appropriate SYLINK.XML file on each client. It has the added benefit that your SEP installation will be more robust, because you can ensure that clients will always be able to find a SEPM without any action from you, even in situations Symantec has not anticipated.
https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together
How do I meet Symantec's requirements for installing MPs only over their corresponding MRs with GPO installs?
An upcoming article discusses this very issue.
Very good article!
Thanks for sharing this information.
Cheers,
Aniket
This is Very Usual
Thank you for this Article!
Really, thank you for writing this.
I hope you will continue.
Best Regards.
------------------------------------------
Everything works better when everything works together.
This is fantastic
Thank you for this very helpful article,
Need this kind of help in future even.
I really hope you will continue.
Thanks & regards
Ranga Abeyratne
Interesting! :D
John Optimus
Love it!
Thanks! Have been wondering how I could bundle a flavor of SEP into the corp deployment. This is probably the most useful article I have seen in a while. Thanks!
Very good
Thank you, good article.
Specifying groups?
I don't believe this can be done in the MST - but maybe you can point me in the right direction. Supposedly when you create an install package on the SEP server, the target group that you intend it to be added to will be included in the Sylink.xml file (which has to be in the installation directory for the MSI if I'm not mistaken). It doesn't seem to be happening with ours. Where in the XML are you supposed to plug in the line for specifying a group?
-----------------------------------------------
i'm no stranger to slack, but i'm not a slacker
Sylink.xml
It would go here:
<RegisterClient PreferredGroup="My_Company\My_Group" PreferredMode="1"/>
~k!P~
Specifying groups?
@Everyone: Thanks!
@Olvan: 谢谢 !(translation from bing.com and freetranslation.com...hope it's correct!)
@Rich: Funny you should mention that...
I've not found a way to do this with an MST. I'd love it if there was. (If Symantec knows differently, please advise!)
But if you click here:
https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together
--all will be revealed.
Do you talk about the advantages of GPM over using the Altiris Integration Component? The reason I ask is because I'm about to deploy SEP to over 3500 machines including 4 remote branches and I'd like to decide ASAP the best approach.
This method seems pretty slick.
thanks
I don't think this will be much of a revelation to anyone: GP works, it's easy to set up, as close to 100% reliable as anything ever gets in IT, and included in the OS license. (That latter point is HUGE for my clients!) OTOH, Altiris, SMS, MSSC et al give you reporting and more granular control.
Your AD design may or may not give you the granularity you need; you'll need to determine that.
Once you've puzzled out a successful install, GPO installs thereafter pretty much Just Work, so there's not much to report in businesses I support. Or you may have a 3rd-party auditing product that tells you what's installed. SEPM will tell you, for that matter. But in larger organizations and in particular those with formal compliance requirements to meet, you may need reporting integrated with your install technology, and GP won't give you that.
Nice job Jeff, very useful
Very Helpful
Nice information, help me a lot.
Control Reboot
I have been using something similar, and I cannot find where to modify the transform so that the installation suppresses the reboot needed after the installation.
Any ideas?
Control Reboot
Hello,
If you don’t want to restart the workstations after installation, add the following row “REBOOT” with the following value “REALLYSUPPRESS” into the Property Table.
Additional info about the MSI commands for SEP:
ftp://ftp.symantec.com/public/english_us_canada/pr...
Regards,
In the property table?
Wlawacz,
Just to confirm the REBOOT property goes into the PROPERTY TABLE?
mc
Yes, it is. You have to add it in PROPERTY table.
Regards
Thank you for this post, it can help me in the future migration of SEP
:-)
Very useful in managed environment.
Thanks
Sandeep
Very good
Excellent