Endpoint Protection

  • 1.  SEP Migration & Group Policy SQ Install

    Posted Apr 10, 2009 02:17 PM
    I'm working on this in my test lab, but hope you all could share your experiences/observations: We have ~750 computers, and of those 750, 85% have already been upgraded\migrated to our SEPM installation using the deployment wizard and the "find unmanaged computers" option in the console. The remaining 15% is going to be the trick. We're not using the firewall\IPS portion of the product. I have a Group Policy set up, per the installation guide, that does successfully install SEP correctly with the appropriate settings. However, (1) it looks like if I apply the package to computers which have been installed by another means, the GP will kick in and install SEP anyways. That's a hassle. Also (2), I'd rather not inconvenience the user by waiting for the install to complete before they can sign in and get to work. Is there a way to make this work in the background? Are there alternatives that I'm not considering to autonomously clean up the stragglers? I've compared data from AD (specifically the LLTS), so I _know_ hosts out there need to be upgraded, but... how without spending weeks chasing them? Thanks.


  • 2.  RE: SEP Migration & Group Policy SQ Install

    Posted Apr 10, 2009 05:12 PM
    1. For the GPO installations, you will not necessarily be able to bypass this with a generic GPO.

    Reason being:
    - When you deploy an MSI package via a GPO, a flag is set on the system telling the server to complete the install. The flag will not be removed until the install completes, regardless of whether the application is already installed on the machine.

    Resolution:
    - Create a "deployment GPO" for the machines you want to deploy to as opposed to the ones that already have the software installed. Don't put the package in the "everyone" GPO. This could be convenient to have kicking around for the future as well. You place the computers into a group in AD called "deployment", for example. Deployment is the only group in your deployment GPO. Whenever a package needs to go out, you simply add the computers/computer groups to the deployment group and assign your package in the GPO. When that's done, you simply remove the computers from the group. Almost ensures no overlap.

    2. For the installs, on machines that are unmanaged, and you have already created a package for them... The SEP installer has "quiet" options. I can't remember exactly what they are right now, but consider /? at the end or in the documentation.

    I like, and this is me personally, an application called Purgos for installing live apps in the background from an EXE package or MSI package... Unfortunately, it is beyond the scope of this forum, but definitely worth looking into, as it is an Open Source app...

    Hope that helps.
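
    The group-scoped deployment described in the reply above can be kept in sync with a short script. This is an added example, not code from either poster: it assumes the GPO is security-filtered to an AD group named "deployment", that a hypothetical file `sepm-clients.csv` lists hosts already reporting to SEPM in a `ComputerName` column, and that a host counts as active if it logged on in the last 30 days.

```powershell
# Added example: stage unmanaged, recently active computers into the AD group
# that the deployment GPO is filtered to, and clear out hosts that are done.
# Assumptions (not from the thread): file name, column name, group name, 30-day window.
Import-Module ActiveDirectory

$GroupName   = 'deployment'            # group used in the GPO's security filtering
$ManagedCsv  = '.\sepm-clients.csv'    # hypothetical export of already-managed clients
$ActiveSince = (Get-Date).AddDays(-30) # ignore stale computer accounts

# Short host names that already report to the management server
$managed = @(Import-Csv $ManagedCsv | ForEach-Object { $_.ComputerName.Trim() })

# Enabled computer accounts that have logged on recently
# (LastLogonDate is the AD module's converted lastLogonTimestamp)
$active = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -gt $ActiveSince }

# Current computer members of the deployment group
$members = @(Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'computer' })

# Stragglers: active in AD, unknown to the management server, not yet staged
$toAdd = @($active | Where-Object {
    ($managed -notcontains $_.Name) -and ($members.Name -notcontains $_.Name)
})

# Finished: still in the group but now reporting as managed
$toRemove = @($members | Where-Object { $managed -contains $_.Name })

if ($toAdd.Count -gt 0) {
    # -WhatIf previews the change; remove it once the list looks right
    Add-ADGroupMember -Identity $GroupName -Members $toAdd -WhatIf
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false -WhatIf
}

# Summary for the change record
'{0} to add, {1} to remove, {2} already staged' -f `
    $toAdd.Count, $toRemove.Count, ($members.Count - $toRemove.Count)
```

    A computer account picks up new group membership at its next restart, which is also when a computer-assigned package installs, so removing finished hosts promptly is what keeps the GPO from applying to machines that were installed another way.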