Endpoint Protection

Hi,

I have problem deploying client installer of SEE using AD gpo.

Symantec support says its not their scope to comment on this.

Im really loss on how to troubleshoot this. Any1 can help? What are the possible reason that can go wrong?

hi,

you verify by creating an OU place computer in this OU. Do dot apply any GPO polices except installation package. Check if this goes smoothly. If yes, then it is definetly policy applied to those OU's. If it does not then you may need Microsoft's intervention to triubleshoot.

Cheers
Pete

Hi,

I am already creating a new GPO for the installation package. Still cant work. What are the areas to troubleshoot?

Check the Following Microsoft KB's and the last link for a more descriptive method on HOW TO deploy software using a GPO.

• How to assign software to a specific group by using Group Policy:

http://support.microsoft.com/kb/302430

• How to use Group Policy to install software remotely in Windows:

http://support.microsoft.com/kb/314934

• An Overview on Software Deployment with Group Policy:

http://www.tech-faq.com/deploying-software-through-group-policy.shtml


Hope this helps.

With all due respect, the question is too general to answer: What are the SYMPTOMS of "still can't work"?

It bothers me a bit that Symantec says GPO install is beyond scope of support when it's DOCUMENTED, however poorly and incompletely, in the Installation Guide. But SEP GPO install can work very well.

Hi,

No installation is done when I created the GPO package. I did a gpupdate/force on the client machine and restart the machine. Still no installation is done.

What relevant events are in the client computer's Application Log after the restart?

I never check.,..
I will update again when I go check

Also do the other Group Policy basic troubleshooting...for example, if it's a new GPO, did you remember to link it to the OU? I get so focused on creating the GPO and its settings that this is the step I frequently forget.

If there are multiple DCs on the computer's site, sync the DCs on that site (though it should have synced itself by now) before the GPUPDATE because the computuer may be talking to another DC that doesn't have the latest directory changes.

If you're modifying Group Policy on a DC on a different Site from the computer it could take hours to sync to the computer's site.

And run GPMC Results against the computer to make sure it knows it's supposed to install the software.

Those kinds of issues ARE out of Symantec's scope of support.

Hi, I got two errors while pushing down the installer.

These are the two errors I got from the client machine's Application Event Viewer.

Windows cannot access the file gpt.ini for GPO cn={B36AA761-D735-4508-9518-D5FF8265DA02},cn=policies,cn=system,DC=STMFS,DC=stmarine,DC=com. The file must be present at the location <\\STMFS.stmarine.com\SysVol\STMFS.stmarine.com\Policies\{B36AA761-D735-4508-9518-D5FF8265DA02}\gpt.ini>. (The system cannot find the path specified.). Group Policy processing aborted.

Event ID:1058

Another error message is:

Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Event ID:1030

Any1 saw this error message before?

Hi tanyc,

Good eve,
This looks like a sort of permission issue with the Sysvol folder.
Please check if the client is correctly configured.
Refer KB;

http://support.microsoft.com/kb/887303

Agree with BharRie to some extent, but before going through all the steps in the KB article, I'd be asking myself if any OTHER GPO installs work? Because if they do, and this one doesn't, then the easy fix may be to start over with a new SEP GPO. Also make sure to try installing SEP from this GPO with a different computer. If you've only tested with one, you may just have a flaky client computer.

If the problem persists across multiple GPOs and multiple clients, here's another source to look at:

http://eventid.net/display.asp?eventid=1058&eventno=9883&source=Microsoft-Windows-GroupPolicy&phase=1

You might also want to post to Microsoft's newsgroups, because if it IS an AD problem, the MVP's may do a better job of helping than we will. microsoft.public.windows.server.active_directory would be a good start.

HTH

Hi, thanks for all the info provided.

Seems like there are alot of things to check for pushing down SEE installer via GPO.
I will check it out 1 by 1.

My client bought 182 SEE licenses, so other than GPO and 3rd party deployment tools, are there any other deployment methods?

My client do not have any 3rd party deployment software. Are there any freeware to do it?

SEP can be installed through SEPM itself...I just don't like SEPM's installer, and I have had my most reliable results via GPO.