Removing SEP firewall

Updated: 21 May 2010 | 5 comments
JRV | 1 Vote +1
This issue has been solved. See solution.

1. We rolled out SEP with the firewall to a group of machines via Group Policy install, but have decided we'll stick with Windows Firewall for now.

If I edit SETAID.INI to set the firewall components to not install, and issue a Redeploy Application command in the GPO, will SEP remove the firewall? Or do I need to use another GPO install (with the new SETAID.INI) as an "Upgrade" to the original GPO install, and specify that the original install be removed?

2. On a related note...it would be HUGELY advantageous to use Orca to create MST files instead of using SETAID.INI. That way, I can create several installation types (with or without firewall, for example) and use the same set of installation files for all variations.

If I set ADDLOCAL in an MST to the values described in the Installation Guide for the features I want to install (including their various prereqs), will that override SETAID.INI?

And if I do use an MST, does that change the answer to my first question?

TIA

Comments

Ted G. | 30 Jul 2008 | 1 Vote -1

You don't need to use fancy scripts in order to create custom installations or feature sets. This is built into the SEPM. Please see the document below:

Title: 'How to Deploy Symantec Endpoint Protection to your client computers using the Migration and Deployment Wizard.'
Document ID: 2007111409432848
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111409432848?Open&seg=ent

In order to change the feature sets for computers in a client group, simply go to that group in the SEPM, click on the Install Packages tab and apply a package to the group using the features you wish. Uncheck the Maintain existing features when updating in order to be able to change the feature set. Also uncheck the upgrade schedule before clicking the OK button.

The next time the clients check in to the SEPM, they will see the new package with different features and update themselves.

Message Edited by Ted G. on 07-30-2008 01:20 PM
Message Edited by Ted G. on 07-30-2008 01:23 PM

JRV | 30 Jul 2008 | 1 Vote +1

Well, thanks, Ted, but I don't need to use the Migration and Deployment Wizard, either!

I'd much prefer to deploy through GPO, and take advantage of the installation infrastructure I've been using for years. Not to mention that deployment by GPO is documented and supported by Symantec. Once we've figured out what we want, GPO install puts it on auto-pilot. Plug in the computer, come back in an hour, and we're done.

And no "fancy scripting" is required, either, provided the mfr offers complete documentation. SEP install documentation is approaching complete, but not quite there.

And since we're headed for 2 or 3 installation types that differ ONLY in which components are installed, I don't need to maintain 2 or 3 complete copies if I can just use 2 or 3 tiny MST files to modify the installation.

And we have 6 branch offices so we can't use your push installer. The BOs don't have SEPM servers, but they do have file servers on which to host a replicated copy of the install files in a DFS share.

All that well-tested, known-reliable infrastructure is ready and waiting to push SEP out--if I can just get these few questions answered.

So your suggestions are appreciated, but you can see that there are a lot of factors to consider in choosing a deployment method. Including customer preference. And with a GPO install, we are within Symantec's supported install technologies. So, again, now in summary form, and staying on-topic with GPO software installation as the method of choice--

1. If I change the components to be installed by editing SETAID.INI, do I need to do a "Redeploy Application" or treat it as an "Upgrade" with uninstall of the "old" version preceding install of the "new" version?

2A. If my MST consists of an ADDLOCAL entry in the Property table in Orca, can I use the Installation Guide's table A-1 Feature Selection in a list form similar to the syntax in the 2nd example of table A-5, to install the features I want? The ADDLOCAL entry for the MST that installs everything but Notes Snapin & Firewall would then be--

Core,SAVMain,EmailTools,OutlookSnapin,Pop3Smtp,PTPMain,COHMain

2B. If I can use MST files, do I just need to do a "Redeploy Application" or treat it as an "Upgrade" preceded by an uninstall of the prior version?

JRV | 31 Jul 2008 | 1 Vote +1

Just realized question 2B won't be relevant until I've deployed at least once with an MST file. The original install was modified by SETAID.INI and there was no MST because there was no guidance in the Installation Guide. So this time, at least, I'll have to do an "Upgrade".

Questions 1 & 2A remain immediately relevant, though it's looking at this point like I may have to provide my own expertise through trial-and-error <sigh>.

JRV | 31 Jul 2008 | 1 Vote +1

For the benefit of others wanting to manage installs by GPO, my findings:

I used ORCA to create an MST that adds an ADDLOCAL entry to the Property table.

My objective was to remove the firewall and install POP/SMTP add-in. I used this string:

Core,SAVMain,OutlookSnapin,Pop3Smtp,PTPMain,COHMain

Conspicuous by its absence is "EmailTools". Group Policy Editor would not let me add the software package if I specified this. However, Outlook & POP/SMTP add-ins were installed correctly.

Since I had originally installed using SETAID.INI, there was no MST file, so "Redeploy Application" was not a valid option. It should be during version upgrades, and I don't yet know if it will suffice to alter the installed components.

But for my purposes, I had to set it up as an "Upgrade" install. I selected the option to overinstall the previous version, and Group Policy made the changes I wanted.

So I don't yet have all the answers I'll need going forward, but I have what I need for now.

Someone at Symantec already knows everything I've just learned by trial-and-error, and the answers to the other questions. Hopefully, someday, they'll document how to manage SEP client installations by GPO comprehensively in the Installation Guide. Until then, hope this information helps someone else who finds the SEPM install facility undesirable.

Shaun C | 02 Jun 2009 | 1 Vote +1

ADDLOCAL is case sensitive

I found that the "EMailTools" feature was case sensitive when used as an ADDLOCAL property.

For example, the following seems to work as an ADDLOCAL string:

Core,SAVMain,EMailTools,OutlookSnapin,SymProtectManifest,PTPMain,COHMain,DCMain,ITPMain,Firewall
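
The feature-name case problem discussed in this thread can be checked before an MST is added to a GPO. The following is an added example, not code from the thread or from Symantec: it reads the feature names from an MSI's own Feature table and compares an ADDLOCAL string against them case-sensitively. The function names, the placeholder MSI path and the demo feature list (constructed from the names spelled out in the posts above) are assumptions.

```powershell
# Added example: lint an ADDLOCAL string against an MSI's Feature table.
function Get-MsiFeatureName {
    param([Parameter(Mandatory)][string]$MsiPath)
    $full = (Resolve-Path -LiteralPath $MsiPath).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 0 opens the package read-only, so the copy in the share is not modified.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($full, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT `Feature` FROM `Feature`'))
    $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    # Fetch returns $null after the last row; emit column 1 (the feature name) of each row.
    while ($rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)) {
        $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
    }
    $null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
}

function Test-AddLocal {
    param(
        [Parameter(Mandatory)][string]$AddLocal,
        [Parameter(Mandatory)][string[]]$FeatureName
    )
    foreach ($item in $AddLocal.Split(',')) {
        $name = $item.Trim()
        # Prefer an exact-case match, then fall back to a case-insensitive one.
        $actual = @($FeatureName -ceq $name) + @($FeatureName -ieq $name) | Select-Object -First 1
        if     ($null -eq $actual)  { $status = 'Unknown' }        # no such feature in the package
        elseif ($actual -cne $name) { $status = 'CaseMismatch' }   # same name, different case
        elseif ($item -cne $name)   { $status = 'Whitespace' }     # stray space around the comma
        else                        { $status = 'OK' }
        [pscustomobject]@{ Requested = $item; InMsi = $actual; Status = $status }
    }
}

# Constructed demo list: names as spelled in the ADDLOCAL strings posters reported working.
# With the real package, use instead (placeholder path):
#   $features = Get-MsiFeatureName -MsiPath 'C:\path\to\client.msi'
$features = 'Core','SAVMain','EMailTools','OutlookSnapin','Pop3Smtp','SymProtectManifest',
            'PTPMain','COHMain','DCMain','ITPMain','Firewall'

# The string from question 2A: "EmailTools" is reported as CaseMismatch against "EMailTools".
Test-AddLocal -AddLocal 'Core,SAVMain,EmailTools,OutlookSnapin,Pop3Smtp,PTPMain,COHMain' -FeatureName $features |
    Format-Table -AutoSize
```

Any row whose Status is not OK should be corrected in the MST's Property table before the package is added to the GPO.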