
General questions about SEPM - thanks in advance

Created: 06 Sep 2012 • Updated: 09 Feb 2013 | 3 comments
This issue has been solved. See solution.

I recently was "tasked" with fixing some issues with our Endpoint Protection Manager. It runs on a Server 2008 R2 VM located on a NetApp SAN. We have around 1000 workstations, mainly XP. The servers are either Windows Server 2003 or 2008.

We are an Active Directory network, yet the directory server(s) aren't set up in SEPM. As I understand it, I can sync SEPM with AD and assign packages to OUs and users. If user A has a package assigned to him/her, and logs in at workstation XX that doesn't have any Endpoint Protection, will it automatically install based on the Active Directory sync? Does the install package "follow" that person around? I'm trying to understand the full benefits of using the AD sync feature; it doesn't seem like setting up at least the directory server name/login would hurt anything.

I've noticed on some domain computers we'll push an install package out with no problem, however it won't show up in the managed client list. I think I've solved that issue by doing a complete uninstall and using CCleaner to remove orphan registry entries and files. I created an install package with the option to remove old policy, log files, and settings. It seems like Endpoint Protection isn't a big fan of having new versions installed over it without removing as much as it can of the old version. I've just had better luck with new installs than upgrades, I suppose.

Thanks for any help or advice.


.Brian:

The machine should get the upgrade regardless of whether a user logs in or not. If the machine is showing up in SEPM and you've assigned an install package to the group it is in, it will get the install package.

Using AD sync will allow you to essentially setup the same structure in your SEPM as what you have in AD. Any time you add a new PC in AD, it will show in SEPM. It should be a 1:1 ratio.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

gregatkins777:

Thanks for the help. Our AD structure could use some improvement right now. As I understand, even if I did do an Active Directory sync, I can still choose what computers or users are put in the SEPM groups and deploy EPM as required.

What I don't want is an AD sync, then because of that a massive deployment of install packages. I still want to be able to do a controlled deployment of packages.

.Brian:

The major drawback I always had was I couldn't move PCs around when synched with AD. Unless it was moved in AD, it couldn't be moved in SEPM.

You could add different install packages to different groups, controlling it that way.
