Data Loss Prevention


Adding uninstall password while reinstalling DLP

  • 1.  Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 08:57 AM

    Is there a way to add an uninstall password during the reinstall of the same DLP product version?  I've tried the following and I have not been able to get the password to stick.

    • msiexec /i AgentInstall64.msi /q REINSTALL=ALL KEY="" UNINSTALLPASSWORDKEY="RANDOMKEYHERE"

    I've also tried creating an MST transform while adding the UNINSTALLPASSWORDKEY to the Properties of the transform file.  I can get the product to reinstall, but it does not take the Uninstall password key.  The target workstations do not currently have an uninstall password key. At the same time, I am also updating the endpoint servers within the config.

    I verified that the product is being reinstalled (by renaming a few passive DLLs and watching them get installed).

    Hopefully I can accomplish this without having to uninstall the client and reinstall (which would require a reboot).



  • 2.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 09:06 AM

    See Lion Shaikh Articles

    How to prevent unauthorized users from removing the Symantec DLP Agent from an endpoint computer.

    https://www-secure.symantec.com/connect/articles/how-prevent-unauthorized-users-removing-symantec-dlp-agent-endpoint-computer



  • 3.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 09:13 AM

    Thanks James.  I did try the following and it is not working. I can still uninstall without the password.

    Below is the process of upgrading agents and uninstallation passwords.

    You can upgrade any agents which are protected by uninstallation passwords without affecting the password. If you do not want to change the password, do not include the password parameter to the upgrade command line. The pre-existing uninstallation password is included in the upgraded agent automatically. Only include the password parameter if you want to change the password or if you want to add a new password to an agent.

    To add or change a password while upgrading an agent
    Add the following password parameter to the upgrade command line:
    UNINSTALLPASSWORDKEY=<password key> where <password key> is the password key that you created using the password generation tool.

    My full upgrade string is as follows (with password hash and server removed for security):

    msiexec /i AgentInstall64.msi /q REINSTALL=ALL REINSTALLMODE=vomus UNINSTALLPASSWORDKEY="uninstall_key" ENDPOINTSERVER="server1.domain.prefix.com;server2.domain.prefix.com" KEY="" SERVICENAME="EDPA" WATCHDOGNAME="WDP" ARPSYSTEMCOMPONENT="1"

    Any other suggestions?



  • 4.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 09:23 AM

    Here is another article

    Preparing DLP Agent with Uninstallation Password

    https://www-secure.symantec.com/connect/articles/preparing-dlp-agent-uninstallation-password



  • 5.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 09:25 AM

    That does not answer my question of resolving the uninstall password during an upgrade.  I have looked through quite a few articles already and tried several solutions, but none seem to accept the uninstall password.



  • 6.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 09:33 AM

    Installing fresh it takes the uninstall password, but running it as an upgrade (reinstalling same version), it does not.



  • 7.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 09:33 AM

    What happened when you tried to install a fresh DLP agent?

    Are you installing with an administrator account?

    See the same problem thread

    https://www-secure.symantec.com/connect/forums/dlp-agent-installation-uninstallation-password



  • 8.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 10:11 AM

    I'd go with the uninstall/install route instead of fighting with it. If the reboot is the issue, give your agent uninstall and agent install packages to your software distribution team. Do the uninstall/install routines when your Windows patch cycles come around. Install patches, uninstall the agent, install the agent, and then reboot as part of the normal process. Make sure you use the results of "UninstallPwdKeyGenerator.exe" for your uninstall password in your batch file, or transform.

    Pg. 93 in the Windows DLP install guide, 

    "Passwords can only be added to DLP Agents during agent installation or upgrade.
    If you have existing agents you want to protect, you must remove the agent and
    then reinstall the agent with the password."

    In the case you have described, you are not upgrading agents. You have existing agents. So, your ticket to an uninstall password is, unfortunately, uninstall and install.



  • 9.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 02, 2015 11:18 AM

    I am the software distribution team and application packager.  I can reinstall and upgrade the same version of the MSI all day (it takes the server change, which is the 2nd part of what I am trying to do), but for some reason it is not taking the uninstall password.  I'd like to see if there are others who may be able to respond to this thread.

    On another note, the ENDPOINTSERVER install Property does not work correctly. If you have two servers (FQDN) separated by a semi-colon, they will be put on the same line in the GUI, instead of separate lines. You actually need to use ENDPOINTSERVER and ENDPOINTSERVER2 in your install properties string.

    I'd like to see if anyone else has thoughts on this. I believe the MSI install is just not recognizing the UNINSTALLPASSWORDKEY string.



  • 10.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 04, 2015 01:48 PM

    Instead of using

    UNINSTALLPASSWORDKEY="RANDOMKEYHERE"

    try using

    UNINSTALLPASSWORD="RANDOMKEYHERE"

    I had a similar issue of getting the agent uninstall password to stick during the install. UNINSTALLPASSWORDKEY for the agent install and uninstall scripts was changed to UNINSTALLPASSWORD. Give it a shot, it may help in your situation.



  • 11.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 05, 2015 08:24 AM

    Changing to UNINSTALLPASSWORD did not add the password on a reinstall.

    Is this possible to do during a reinstall?  I would like confirmation from a Symantec person before considering this closed.



  • 12.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 05, 2015 09:49 AM

    Seeing as how that didn't work, I'm going back to my original suggestion of uninstall / install. See if you can do it in the same push. BTW, what version of the agent are you using? Sometimes the way you would like to do it and the way that works are miles apart.



  • 13.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 05, 2015 11:36 AM

    We have version 11.1.2000.11034 (yes, an old version).  We have projects planned to update later this year.

    Other threads indicate the update (setting the PW) works when you actually update to a newer version of the product.  I don't yet have a new client in-house.

    I was hoping to avoid the uninstall / reboot / reinstall process and make this seamless to the user.

    Another thought... are you able to set the uninstall password remotely from the server?



  • 14.  RE: Adding uninstall password while reinstalling DLP
    Best Answer

    Posted Jan 05, 2015 01:39 PM

    Yes, setting an uninstall password works fine when you are upgrading agents to a new version. As of v12.5.1 in the Enforce console, you provide the hashed uninstall password to the wizard that builds the agent installs. Once an agent is installed, you can't change it from Enforce. Changes have to be made at the endpoint through uninstall/install/upgrade.

    It would be great if the agent tool, update_configuration.exe, would set or change this password. Haven't seen it documented anywhere that it has that functionality.



  • 15.  RE: Adding uninstall password while reinstalling DLP

    Posted Jan 07, 2015 08:56 AM

    In order to meet the requirements to keep the install silent and minimize impact I have decided to do the following.

    • Uninstall the current client.
    • Force the user to reboot.
    • Via RunOnce, silently install the same client with switches for the new servers and uninstall passwords.

    This does not provide any prompts for the users other than the required reboot.  It's not what I was hoping for, but it will have to do.
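
The uninstall / reboot / RunOnce install sequence from post 15, sketched in PowerShell as an added example that is not code from any poster or from Symantec. The staging path, the RunOnce value name, the password key and the reboot delay are placeholders or assumptions; the MSI properties are the ones quoted in the thread, with one ENDPOINTSERVER property per server as reported in post 9.

```powershell
# Added example; run elevated from the deployment tool. Values below are placeholders.
$Msi     = 'C:\Deploy\DLP\AgentInstall64.msi'            # assumed local staging path
$PwdKey  = '<output of UninstallPwdKeyGenerator.exe>'    # placeholder, not a real key
$RunOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function New-AgentInstallCommand {
    param([string]$MsiPath, [string]$PasswordKey, [string]$Server1, [string]$Server2)
    # Property names are taken from the command lines posted in the thread.
    $props = [ordered]@{
        UNINSTALLPASSWORDKEY = $PasswordKey
        ENDPOINTSERVER       = $Server1
        KEY                  = ''
        SERVICENAME          = 'EDPA'
        WATCHDOGNAME         = 'WDP'
        ARPSYSTEMCOMPONENT   = '1'
    }
    # Post 9: a second server needs its own property, not a semicolon-separated list.
    if ($Server2) { $props['ENDPOINTSERVER2'] = $Server2 }
    $pairs = $props.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }
    'msiexec.exe /i "{0}" /q {1}' -f $MsiPath, ($pairs -join ' ')
}

# Step 1: silently remove the current agent (same-version MSI, no password set yet).
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/x `"$Msi`" /q /norestart" -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "Agent uninstall failed with msiexec exit code $($proc.ExitCode); nothing staged."
}

# Step 2: stage the fresh install so it runs once after the reboot.
$install = New-AgentInstallCommand -MsiPath $Msi -PasswordKey $PwdKey `
    -Server1 'server1.domain.prefix.com' -Server2 'server2.domain.prefix.com'
Set-ItemProperty -Path $RunOnce -Name 'DlpAgentReinstall' -Value $install

# Step 3: force the reboot, with a delay so the user can save work (10 minutes assumed).
shutdown.exe /r /t 600 /c "A restart is required to complete a security software update."
```

The RunOnce value holds the generated password key in the registry until the command runs, so confirm after the reboot that the value is gone. Then repeat the original poster's check that an uninstall attempt without the password is refused.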