Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Push Install SEP 12 and UAC needing to be turned off

Created: 14 Jan 2013 • Updated: 14 Jan 2013 | 6 comments

I hope I read this wrong

http://www.symantec.com/business/support/index?page=content&id=TECH91902&act=RATE&newguid=03a03569f4e44fbd9dbb4bede98ddac2

Condensing this TID to the essence it says:

1. If a push install fails for a computer see if UAC is on.

2. Turn UAC off.

Lets imagine this in a large enterprise:  500 pc's or more and wanting to upgrade to prevent a vulnerability.  UAC should ALWAYS BE ON.

So my reading of this is that through one fashion or another I have to turn off UAC for the 500 computers to allow my push install to work.

That seems to totally destroy the concept of a push installation.  If I have to touch via remote or otherwise 500 computers, what efficiencies do I lose since I can't install via PUSH if UAC is on.

  If I have to turn off UAC what labor savings have I lost and how much more time will I burn on what used to be a fairly painless installation.

Please tell me I read the above article wrong. 

Comments 6 CommentsJump to latest comment

Mithun Sanghavi's picture

Hello,

Please Disable UAC.

User Account Control (UAC)

In some situations, UAC can block access to the remote computer's administrative shares if you attempt to authenticate to the remote computer with a user account local to the remote computer. (Source: http://support.microsoft.com/kb/947232)

In this situation, you can either authenticate to the remote computer using a domain administrator's account or else you can temporarily disable UAC.

Check these Articles:

The Symantec Endpoint Protection client will not deploy through the network to a Windows Vista, 7, or Server 2008 system

http://www.symantec.com/business/support/index?page=content&id=TECH165133

Steps to prepare computers to install Symantec Endpoint Protection 12.1 client

http://www.symantec.com/docs/TECH163112

Also, check this Thread (Comment from Paul Murgatroyd): 

https://www-secure.symantec.com/connect/forums/sep-121-uac-prompt

He states,

"With SEP11, our system tray ran with admin rights, with SEP12, it runs with minimal user rights and lower integrity level requirements.

At the moment, our GUI is either all or nothing, and there are a number of items with the GUI that do need admin rights, so we have to elevate on opening, rather than for each specific item where required.

In the future, we would look to move UAC inside the GUI so that each item that requires elevation will prompt, but thats a massive change in the way our client is engineered."

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian's picture

You need to turn off UAC

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

sandra.g's picture

No, you don't have to completely disable it. From the Installation and Administration Guide, "Preparing Windows operating systems for remote deployment", in the row "Prepare Windows Vista, Windows 7, or Windows Server 2008 computers" (P 128):

Windows User Account Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable the registry key LocalAccountTokenFilterPolicy. For more information, visit the following URL:

http://support.microsoft.com/kb/951016

I hope this helps.

Edit to add: I've just realized it seems there's a few words possibly missing out of this section of the install guide. This Microsoft document (the link) tells you how to disable remote restrictions by adding this registry value and/or setting it to 1... not disabling the key.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

jstrowe's picture

1. For the user who said: "Turn off UAC", did you read my post? (brian81) 

I included the post to indicate that I KNEW that.  My point was the "you're kidding I have to turn off UAC which destroys the concept of remote push install.

2. Mithun: Thank you, although the point you quote does point out the rather serious shortcoming of having to disable UAC and that the product SEP needs some serious re-engineering to be truly Win 7 compatible.  Turning off a core windows feature (UAC) even temporarily is a true black eye on the products "win 7" compatibility and makes deployments much more difficult.

He states,

"With SEP11, our system tray ran with admin rights, with SEP12, it runs with minimal user rights and lower integrity level requirements.

At the moment, our GUI is either all or nothing, and there are a number of items with the GUI that do need admin rights, so we have to elevate on opening, rather than for each specific item where required.

In the future, we would look to move UAC inside the GUI so that each item that requires elevation will prompt, but thats a massive change in the way our client is engineered

3. Sandra, can you expand your response a little bit.  Yours and Mithun were helpful.

.Brian's picture

Yes, I'm aware that you already knew that. My post was to let you know it was no joke. Turning off UAC is the easiest and quickest way.

Now, as you can see from the responses from the Symantec employees, you may have some workarounds. Hopefully they continue to help you as you move forward with this.

Good luck.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

sandra.g's picture

I'm not sure what further expanding I can do--the Microsoft KB says it all (the link I previously included). It allows you to disable UAC remote restrictions (allowing it to build "an elevated token") without disabling UAC altogether.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!