Hi all,

I need to run a batch on endpoint clients using the sepm console. I heard there's a method to do so but I don't seem to find it anywhere.

My company network isn't a part of a domain (so I can't use GP) and each computer has different local users (so I can't use psexec).

Thanks in advance,

Jack

See this thread and Brian comments

https://www-secure.symantec.com/connect/forums/how-run-scripts-sepm

Running a batch or executable file as the result of a notification.

If you select Run the batch or executable file as the action to take, type in
the name of the file. Path names are not allowed. The batch file or executable
file to run must be located in the following directory:

drive:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin

For this process to function properly, it is required to allow the
"Symantec Endpoint Protection Manager" (SEPM) service to interact with desktop.

To allow the SEPM service to interact with the desktop:

1. Use an administrative Login to access the machine which has SEPM installed.
2. Click Start > Run, and type services.msc, then click OK.
3. Find the "Symantec Endpoint Protection Manager" service, right click and select "Properties".
4. Select the "Log On" Tab.
5. Under "Local System Account" check the box to "Allow service to interact with desktop".
6. Click OK.
7. Restart the Machine

Creating notifications in the Symantec Endpoint Protection Manager

As you want to run scripts on client machines, then there's no way i can think off the top of my head to accomplish this with SEP.

If you have SNAC install as well however, this is easily accomplished via a custom requirement in the Host Integrity policies as below:

http://www.symantec.com/docs/HOWTO81526

Actually, I've just though of a way to do it with SEP alone, but it would be an absolute pain and is definitely not supported.

I'd recommend pursuing SNAC's HI policies if possible

Thanks for the quick replies.

James007: I need to run the batch on the clients rather than the management server, so notifications won't do much good.

SMLatCST: Unfortunately, I don't have SNAC installed, and deploying the SNAC clients to all of my endpoints whould be a pain.

I would very much like to hear of your method.

To be fair, SNAC is included in all SEP clients.  Enabling it's functionality is just a matter of adding the SNAC license onto the SEPM and assigning a HI policy.

That said, here's the method I think would allow you to push a script out.  Bear in mind that I've not tested this myself, it just popped into my head while I was pondering your request.

Essentially, SEPprep has functionality to run scripts, and the auto-upgrade functionality in SEP can be fudged to run sepprep, so I reckon you can run scripts on clients by combining the two.

Soooooooo:

1. Have a play with SEPprep to see if you can get it to run your script:
   http://www.symantec.com/docs/TECH148513
2. Then load/mount/host your renamed sepprep on a web server and point your clients at it using the auto-upgrade function in the SEPM:
   http://www.symantec.com/docs/TECH97406

Like I said, I've not tried this myself so test like crazy .  And again, I still recommend going down the SNAC route.

Thanks! Looks feasible.

Will also try SNAC

No worries, let us know how you go. 

What does that batch file do?