SEP clients won't upgrade after SEPM 12.1.2 upgrade
Created: 28 Feb 2013 | 50 comments
Team,
I recently upgraded from 12.1.1 to 12.1.2. I assigned the newer client package to the Clients-Install Packages and set the upgrade timeframe. Users rec'd the upgrade notification on their PCs but nothing ever happens when they give it permission to upgrade/reboot. The upgrade notification window continues to show up on each user's PC every morning and still the clients do not upgrade (all are sitting at 12.1.1000.157).
Yet if I have a re-imaged PC that doesn't have SEP installed, SEPM remote installation does work w/out issue (client 12.1.2015.2015).
Also, just FYI, I never had an issue when I upgraded from 11.x to 12.x. The upgrades worked w/out issue.
Thoughts?
Server 2008R2 Enterprise, Windows 7 Pro x64
Not meant to be a stupid question but can you confirm the right package was added? I've seen this before if the wrong package was added. Meaning, the user was on 12.1 RU1 and the 12.1 RU1 package was accidentally added instead of the latest one.
Also, on the client, can you check the %temp% directory and look for the SEP_INST.log file and post it here for review.
SEP Knowledge Base
Endpoint SWAT
Any language difference between sepm and clients? are they on the same OS language?
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
@Rafeeq: Same everything.
@Brian...never a stupid question when it comes to things like this! ;-)
I'll get on one of the clients and pull that log file here in a second.
As far as client version...this is what shows up:
Let's see what the log shows, if anything. Should give an indication of what is going on.
oh and I've even tried manually pushing the new client to the PCs that have 12.1.1 installed on them. Yet nothing ever happens and the client shows up as this in the Clients manager:
Just a shot in the dark...should I remove the checkmark from "Maintain existing..."?
Sorry, getting ahead of myself. Let me get the logs for you on both the user's machine and the one that I pushed manually.
Logs would give the info, let's check the logs first.
OK, Brian...no such luck finding any SEP_INST.log files on either machine in the %temp% folder...
That usually means that the SEP install is not even kicking off. If it kicked off, everything would be recorded in the SEP_INST.log, success/failure, etc.
You mentioned the users need to OK the install to begin? Are they cancelling it possibly?
No I'm pretty sure they are not. I don't have a screenshot of the message window at this time to answer you 100%.
But what about the 3 machines that I did a manual push on the install? Is it because the 12.1.1 is installed and so it won't update it? That wouldn't explain why the Client page (see above) shows the PC needs to be rebooted (which it has several times)...they still check in and update - notice the time stamp as that continually updates the time it checks in (Last Time Status Changed)
I would try by suppressing notification / schedule.
do a search for SEP_inst.log under C drive
nothing under C:\
I'll have to change the OU for the 3 machines I can test with and will report back on suppressing schedule/notify
Rafeeq...so how do I get it to start the upgrade w/out the schedule enabled?
If no schedule is set, the client will check in according to its heartbeat and see the upgrade is available. It should start soon after.
Brian...it doesn't look like it's either seeing the update or performing the upgrade...I ran the command for it to update content and nothing so far...
Out of curiosity, do you have the ability to run an install locally on one affected client? Just trying to narrow it down. If it works locally, it has to be something between client/server. But it seems the install won't even kick off. Has the affected client(s) been rebooted?
I'll give that a try here in a bit...working on a SBE issue
Here's what I get when I try to do an install directly from the install package whether it be on the SEP server or when I copy it over to the local drive:
I've even rebooted the machine and it still comes up with this message.
https://www-secure.symantec.com/connect/forums/all...
https://www-secure.symantec.com/connect/forums/sep...
Installation fails with the message "Pending system changes that require a reboot have been detected"
http://www.symantec.com/docs/TECH103109
tried this, deleted the registry entry and w/out rebooting, tried the install and still get that same error on reboot required...
Tried it on another machine and this is what I get when I try to do the install manually from the install file:
and yes, the installer activates UAC and I enter my Admin credentials (which are Domain Admin creds)
The icon next to the client name in SEPM console means that the deployment failed - no SEP_INST.log would be created - apparently the already installed client rejected the upgrade package.
- Can you run the sylink on one of the affected clients: http://www.symantec.com/docs/TECH104758 - this will possibly show us a bit more info.
- In SEPM console right click one of these clients and edit properties - can you post screenshot - what is listed under deployment message, deployment status and target version?
Give me a little bit to get the sylink set up but in the meantime here is the screenshot of one of the machines that continues to get the message popup for upgrade:
So the Win7x64 machines ARE accepting the upgrade...it's just not happening...
Not sure if this was already mentioned - was this machine rebooted since the push? As SEP is based on Side by Side installation - it would always look like that when the version is installed and awaiting reboot for applying changes.
Can you check as well the SEP folder in c:\Program Data - is there only the folder for 12.1.1000.157 or was 12.1.2015.2015 already created as well?
Yes, everyone clicks the Download button and they also reboot (even tho they aren't prompted) and still nothing.
As far as the SEP folder...no, there is only the 12.1.1000.157 folder listed (a couple others but none for the new version)
as far as SYLINK...I can't seem to change the registry setting...even when I open regedit w/Admin rights in the Admin profile...? I almost need to be in safemode to do this...
Hi
Can you please let us know the operating system version?
Regards
PCs - Win7 x64
SEPM - Server 2008R2 SP1
Hi
Can you please check that the base filter engine service is started?
Regards
Yes it's started on all machines
Ok, one more test - can you logon on one of the machines with admin account and accept the prompt for installation using that account - is the client installed then or still the same?
I've not seen the install popup when I'm logged in w/Admin account
Control Panel>System>Advanced
what's the value of
User variables C:\TMP or C:\TEMP
for testing purpose can you change that to C:\tmp and C:\temp and try the upgrade... any windows firewall enabled on the client?
Windows Firewall is disabled by GPO as SEP is the firewall that is being used
Made the changes to TEMP and TMP, ran the install and got this error (same as before):
I went into regedit and looked for that key and there is no such entry for WGX...?
You should now have the SEP_inst.log file, attach it here. I'm done with ideas, here is the last one to try
reboot and then assign the package
Ok, I did find the SEP_INST log file and have it attached. It looks as if the log mentions that the PC needs to be rebooted...yet it's been rebooted several times?
as far as the WGX subkey...as stated earlier, that key does not exist
Pending file rename? Have you deleted these keys?
http://www.symantec.com/connect/articles/pending-f...
Yes I've already tried this (see above). I've deleted those keys, ran the install, get the same error, reboot and the key is back...?
but for giggles, I'll try this again...you never know...I've seen weirder things happen.
Here's screenshots of the key and file in question
So I deleted those keys, tried to install...got the message about needing to reboot...rebooted...checked registry to make sure the Pending keys were still gone and they were...started install and got this again:
yet when I go into the registry, that key does NOT exist...???
since the key didn't "exist" I clicked Ignore and it looked like it was going to work until I got the following:
Here's the SEP_INST log for the last attempt
Error shows the same : Error 1401. Could not create key \SOFTWARE\Symantec\Symantec Endpoint Protection\{3771A34D-2132-48EA-A486-D62ECDF9D553}
Do you have any restrictions for users for registry access? Can you check the SEP registry folder and see what permission is set on those? Does system have full access?
I have it in the GPO policies to block registry access to "users". Yet I am in the administrative profile right now and still having these issues. Not only am I in the Domain Admin profile, but when UAC comes up for the install, I enter in my Domain Admin creds as well.
I checked the SEP folder's permissions in the registry:
...also, SEPM has a domain admin account that it uses for all installs.
my GPO restriction has been in place for quite some time and SEP 12.1 RU1 never had a problem with the update from 11.x
FYI...sorry that this is such a pain Rafeeq! Thank you for all the thoughts and suggestions!
:) Before we go further. Take a client out of this GPO.
Try the upgrade. I'm suspecting the GPO.
Here is the document for permission, double check these
http://www.symantec.com/business/support/index?pag...
I don't know Rafeeq...that doesn't explain why I can install SEP on a reimaged machine that's in the same OU with the same GPOs...I can push the install from SEPM w/out issue. It's on machines that already have it installed on that I'm having issues...
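The three checks discussed in this thread (pending file renames, permissions on the SEP registry key named in Error 1401, and the contents of SEP_INST.log) can be collected in one read-only pass. This is an added example, not part of the original thread or Symantec's tooling. It assumes an elevated PowerShell prompt on the affected client, that the "pending" keys refer to the standard Windows `PendingFileRenameOperations` value, and that the SEP key may sit under either registry view.

```powershell
# Added diagnostic sketch: read-only, changes nothing on the machine.

# 1. Pending file renames: the standard Windows value that commonly triggers
#    "pending system changes that require a reboot" installer checks (assumption:
#    this is the value the thread's lost screenshots showed).
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    "PendingFileRenameOperations is set ($($pending.Count) strings). Source paths:"
    $pending | Where-Object { $_ } | Select-Object -Unique
} else {
    'PendingFileRenameOperations: not set'
}

# 2. ACL on the parent of the key named in Error 1401. Both registry views are
#    checked because the thread does not say which one the installer writes to.
$sepKeys = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection',
           'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection'
foreach ($key in $sepKeys) {
    if (-not (Test-Path $key)) { "$key : not present"; continue }
    "ACL for $key (look for SYSTEM and Administrators with FullControl, and for Deny entries):"
    (Get-Acl -Path $key).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize | Out-String
}

# 3. Install log in the current user's %TEMP%: show lines that mention a
#    numbered installer error or the reboot check.
$log = Join-Path $env:TEMP 'SEP_INST.log'
if (Test-Path $log) {
    Get-Content -Path $log |
        Select-String -Pattern 'Error \d{4}', 'reboot' |
        Select-Object -First 20 |
        ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line }
} else {
    "$log not found (the installer may not have started under this account)"
}
```

Running it once as the logged-on user and once as the account SEPM uses for installs shows whether the two accounts see different `%TEMP%` paths or different effective permissions.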