Video Screencast Help

Creating a Transform (*.MST) File to control installation of Symantec Endpoint Protection

Created: 27 Jun 2009 • Updated: 27 Jul 2009 | 23 comments
Language Translations
JRV's picture
+17 17 Votes
Login to vote

This article is part of a series describing how to leverage Group Policy Software Installation to install SEP. All automatically and without touching SEPM when you deploy a computer.

GPO Installs and SEP, Part 1

How to leverage Group Policy Software Installation to install SEP Clients.
https://www-secure.symantec.com/connect/articles/creating-transform-mst-file-control-installation-symantec-endpoint-protection

GPO Installs and SEP, Part 2

How to turn GPO-installed SEP Clients into Managed Clients and assign them to the correct Group. Even if you don’t use GPO installs, this article makes your SEP installation more robust.
https://www-secure.symantec.com/connect/articles/s...

GPO Installs and SEP, Part 3

How to comply with Symantec’s supported upgrade path for MP installations.
https://www-secure.symantec.com/connect/articles/m...

___________________________________________________________________

What is a Transform?

A Transform (*.MST) file allows you to collect installation options for programs that use the Microsoft Windows Installer in a file. They can be used on the Installer (MSIEXEC.EXE) command line, or used in a software installation Group Policy in a Microsoft Active Directory domain.

How can they help me with SEP?

For Symantec Endpoint Protection (SEP), I have found MSTs most useful for controlling the features installed on SEP clients. As a bonus, when SEP is installed using MST files, it is no longer possible to install or remove individual components using Add or Remove Programs in Control Panel. This is a bonus for controlling configuration of a managed system.

How do I create one?

We will use Orca, a free utility from Microsoft, to generate the Transform. This Microsoft Knowledge Base article tells you how to obtain and install Orca:

support.microsoft.com/kb/255905

  1. Launch Orca, click File/Open, navigate to the SEP *.MSI file and click Open. For current versions of SEP, the filenames are Symantec Antivirus.msi and Symantec Antivirus Win64.msi.
  2. In the Tables pane, click Property.
  3. Symantec Antivirus Win64.msi open in ORCA
  4. Click Tables/Add Row. The Add Row dialog box opens.
  5. Click the Property row and enter ADDLOCAL.
  6. Add Row dialog box
  7. Type the names of the Features you want included in this installation, separated by commas. (See below.)
  8. Click OK.
  9. Click Transform/Generate Transform and save the MST file with a descriptive name. I use the names of the features included in the Transform as the filename.

What are the SEP features, and how do I specify them?

They are listed in the Installation Guide together with their dependencies. In the version of the Installation Guide current at this writing, (as included in SEP 11.0 MR4 MP2), they appear in Appendix A in a section entitled “Client installation features and properties.”

Use that as a guide for specifying features--except--contrary to the documentation, be aware there is no feature named “ÉmailTools”. If you include EmailTools in the list, your MST will not work. This may be relevant for using SETAID.INI, but it does not apply to the MST.

For example, to install Antivirus/Antispyware, Proactive Threat Protection, Outlook E-mail snap-in and POP/SMTP e-mail snap-in, you would type this:

Core,SAVMain,OutlookSnapin,Pop3Smtp,PTPMain,COHMain
 

How do I use the MST?

Detailed discussion is beyond the scope of this article, but assuming basic familiarity with the MSIEXEC command line and Group Policy software installations, here is what you do:
 

On the command line

MSIEXEC Symantec Antivirus.msi TRANSFORMS=MyTransform.mst

In a Group Policy Object

1. Create a new Software Installation Package in the Computer Settings node of Group Policy Object Editor.
2. Select the SEP MSI file, and then click Advanced. (This is the ONLY opportunity you will have to apply a Transform to this Package.)
3. On the Modifications tab, click Add and select the MST file you created.

Can I put x86 and x64 Packages in the same GPO?

Nothing wrong with that. On the Deployment tab of the x86 Package, click Advanced and turn off Make this 32-bit X86 application available to Win64 machines. Even if you forget, the x86 version won't install, but it will waste a minute or two during every bootup trying. At this writing, some SEP features are not supported on x64, so you'll likely need to use different MST files for the x64 product.

This installs an unmanaged SEP client. How do I make it managed?

This companion article shows you how to use Startup Scripts to drop an appropriate SYLINK.XML file on each client. It has the added benefit that your SEP installation will be more robust, because you can ensure that clients will always be able to find a SEPM without any action from you, even in situations Symantec has not anticipated.

https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together

How do I meet Symantec's requirements for installing MPs only over their corresponding MRs with GPO installs?

An upcoming article discusses this very issue.

Can you share the MSTs you've used, to save us some time?

Sure! https://www-secure.symantec.com/connect/downloads/sample-mst-files-use-group-policy-or-msiexec-command-line-sep-installs

Comments 23 CommentsJump to latest comment

Aniket Amdekar's picture

Very good article!

Thanks for sharing this information.

Cheers,
Aniket

0
Login to vote
Fatih Teke's picture

Thank you for this Article!
Realy thank you for write this.
I Hope You will continue
Best Regards.

 Everything works better when everything works together.

-1
Login to vote
Ranga Abeyratne's picture

Thank you for this very helpful article,

Need this kind of help in future even.

I realy hope you will continue.

Thanks & regards

Ranga Abeyratne

0
Login to vote
-The GodFather-'s picture
wow! This is a great article, A useful one! Thanks! :D

John Optimus

0
Login to vote
profman's picture

Thanks! Have been wondering how I could bundle a flavor of SEP into the corp deployment. This is probably the most useful article I have seen in a while. Thanks!

0
Login to vote
RichC's picture

I don't believe this can be done in the MST - but maybe you can point me in the right direction.  Supposedly when you create an install package on the SEP server, the target group that you intend it to be added to will be included in the Sylink.xml file (which has to be in the installation directory for the MSI if i'm not mistaken).   It doesn't seem to be happening with ours.  Where in the XML are you supposed to plug in the line for specifying a group?

--->    i'm no stranger to slack, but i'm not a slacker

0
Login to vote
KiPTeK 2's picture

It would go here:

<RegisterClient PreferredGroup="My_Company\My_Group" PreferredMode="1"/>

~k!P~

~k!P~

0
Login to vote
JRV's picture

@Everyone: Thanks!

@Olvan: 谢谢 !(translation from bing.com and freetranslation.com...hope it's correct!)

@Rich: Funny you should mention that...

I've not found a way to do this with an MST. I'd love it if there was. (If Symantec knows differently, please advise!)

But if you click here:

https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together

--all will be revealed.

+1
Login to vote
early_morning's picture

Do you talk about the advantages of GPM over using the Altiris Integration Component?  The reason I ask is because I'm about to deploy SEP to over 3500 machines including 4 remote branches and I'd like to decide ASAP the best approach.

This method seems pretty slick.

thanks

0
Login to vote
JRV's picture

I don't think this will be much of a revelation to anyone: GP works, it's easy to set up, as close to 100% reliable as anything ever gets in IT, and included in the OS license. (That latter point is HUGE for my clients!) OTOH, Altiris, SMS, MSSC et al give you reporting and more granular control.

Your AD design may or may not give you the granularity you need; you'll need to determine that.

Once you've puzzled out a successful install, GPO installs thereafter pretty much Just Work, so there's not much to report in businesses I support. Or you may have a 3rd-party auditing product that tells you what's installed. SEPM will tell you, for that matter. But in larger organizations and in particular those with formal compliance requirements to meet, you may need reporting integrated with your install technology, and GP won't give you that.

0
Login to vote
binayak's picture

Nice information, help me a lot.

0
Login to vote
Marc C's picture

I have been using something similar and I cannot find where to modify the transform so that the installation suppresses the reboot needed after the installation
any ideas?

0
Login to vote
wlawacz's picture

 Hello,

IF you don’t want to restart the workstations after installation add the following row “REBOOT” with following value “REALLYSUPPRESS” in to Property Table.

Additional info about the MSI commands for SEP:
ftp://ftp.symantec.com/public/english_us_canada/pr...

Regards,

0
Login to vote
Marc C's picture

 Wlawacz, 

Just to confirm the REBOOT property goes into the PROPERTY TABLE?

mc

0
Login to vote
wlawacz's picture

 Yes, it is. You have to add it in PROPERTY table.

Regards

+1
Login to vote
Peterpan's picture

Thnak you for this post it can help me in the future migration of SEP

:-)

0
Login to vote
sansri's picture

Very usefull in managed environment.

Thanks

Sandeep

0
Login to vote
nanya's picture

 

good artical ..ths helped me lot. i have doubt it that. when we need to create mst,wheathre the application has been installed in the system?? or without installing the application we can create .mst??
0
Login to vote
dave_fraleigh's picture

JRV, I work for Symantec, and you're the best resource I've seen on this to date.

Bravo!

0
Login to vote