Endpoint Protection


Unable to deploy SEP 12 via GPO without NTP component

  • 1.  Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 24, 2014 10:45 PM

    We are trying to deploy SEP 12.1.4 via GPO without the NTP component, but it seems to be installed every single time.  At first, I thought the Application Control or Device Control had NTP as a dependency, so I removed it as a feature, but NTP is still being installed.

    GPO has been configured as described at http://www.symantec.com/business/support/index?page=content&id=HOWTO55429.  The package is supposed to install silently, removing any previous settings/configurations, then reboot without a prompt.  On the surface, the installation behaves as I would expect, but for some reason NTP is still being installed.  Like Application/Device Control, we do not want this feature installed.

    If I pack as a single .exe and manually run it as an admin on the workstation, SEP is installed with the correct features and no reboot is required.  It is interesting that we are having issues with the unpacked installation.

    Sample of setAid.ini:
     
    ; User configureable options
    [CUSTOM_SMC_CONFIG]
    InstallNewInstanceOnly=0
    InstallUserInterfaceLevel=s
    KeepPreviousSetting=0
    InstallationLogDir=%TEMP%\SEP_INST.LOG
    DestinationDirectory=
    LaunchIt=1
    AddProgramIntoStartMenu=1
     
    OptOutRepSubmission=0
    UIRebootMode=0
    RebootSchedule=NOW
    AutoReboot=true
    RebootRandomize=true
    RebootPromptMessage=The Symantec Endpoint Protection installation requires this computer to restart.
    SnoozeInterval=60
    RebootDisplayTimeout=60
    RebootMethod=SERVER
    RebootMinutes=180
    Countdown=5
    RebootDay=TODAY
    RebootRandomizeHours=2
    PromptType=SNOOZE
    RebootMaxSnoozeCount=3
    RebootPromptUser=false
    HardReboot=true
    [LU_CONFIG]
    ServerProduct=SESM AntiVirus Client Win32
    ServerLanguage=English
    ServerVersion=12.1.4013
    SequenceNumber=0
    ServerMoniker={REDACTED}
    ClientProduct=SESC AntiVirus Client Win32
    ClientLanguage=English
    ClientVersion=12.1.4013
    ClientMoniker={REDACTED}
    SequenceTag=PATCH
    ShortName=spcAvClient32en_12_1
    DisplayName=Symantec Endpoint Protection Win32 12.1.4013.4013 (English)
    CONNECT_LU_SERVER=0
     
    [FEATURE_SELECTION]
    Core=1
    SAVMain=1
    Download=1
    OutlookSnapin=1
    NotesSnapin=0
    Pop3Smtp=1
    PTPMain=1
    TruScan=1
    DCMain=0
    NTPMain=0
    Firewall=0
    ITPMain=0
     
    Any insight is appreciated.  Thank you.


  • 2.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 01:10 AM

    Here is the workaround,

    When installing SEP clients using GPO the clients get all features installed instead of only the features set in the installation package

    http://www.symantec.com/business/support/index?page=content&id=TECH105237


  • 3.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 01:14 AM

    Thank you for the reference.  After the policy is pushed, while it might "disable" NTP, as far as I can tell it will not actually remove the component.  This would be a nightmare to attempt to fix/keep up with after the fact.  Are there any alternatives to the Software Installation GPO where we can control the feature set that is being installed?  Perhaps scripts pointing to the installation files instead?  Thanks.



  • 4.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 01:24 AM

    It will remove the NTP. You can test it on a single machine before you push it out.

    https://www-secure.symantec.com/connect/forums/firewall-symantec-endpoint-protection

    How many clients do you have in your network?  GPO seems to install all the components; you need to use the migration and deployment wizard.



  • 5.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 01:28 AM

    If the NTP feature is installed, you can remove the NTP feature on the SEP client with the help of SEPM.

    How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations

     

    Article:TECH90936 | Created: 2008-01-18 | Updated: 2014-01-03 | Article URL http://www.symantec.com/docs/TECH90936

     



  • 6.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 08:47 AM

    I understand that the NTP component can be removed after the fact, but I do not want to have to do this on all of the machines.  This basically requires two installations, the original and a second to remove unwanted components.  I don't like the idea of having all components installed up front, only to have to remove the ones we don't need afterwards.

    I am looking for a way similar to the GPO Software Installation to deploy the SEP package across 1000+ computers where it will read the setAid.ini file.  Thanks again.



  • 7.  RE: Unable to deploy SEP 12 via GPO without NTP component
    Best Answer

    Posted Feb 25, 2014 09:01 AM

    As the single .exe appears to be working, perhaps you could just set a simple machine startup script in GPO to do something kinda like the below:

    rem Copy and run the installer only if it has not been copied to this machine yet
    if not exist "%temp%\sepinstaller.exe" (
        xcopy "\\<networklocation>\sepinstaller.exe" "%temp%"
        "%temp%\sepinstaller.exe"
    )

    As always, test thoroughly in your own environment and blah blah blah



  • 8.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 09:06 AM

    One more from my end

    When Installing Symantec Endpoint Protection 11 by Active Directory Group Policy Object, Which Method of Deployment is Supported?

    http://www.symantec.com/docs/TECH91330

    About installing clients with Active Directory Group Policy Object

    http://www.symantec.com/docs/HOWTO26773



  • 9.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 09:41 AM

     This is the direction I think we are going to go, though I will have to do some additional testing.  Thanks.



  • 10.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 09:43 AM

    The deployment is assigned, and since the vast majority of our machines are patched Windows 7, they have the current Windows Installer.  Thanks again.



  • 11.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 09:49 AM

    No worries, let us know if you need any help.

    Also, don't forget that with SEP you get licensed to set up your very own Altiris server with the SEP Integration Component.  You may want to have a quick look at that as an alternative deployment method:

    http://www.symantec.com/docs/HOWTO63157

    Note: I'm assuming you've already ruled out the manual remote push methods here, and have only mentioned the fully automated method.



  • 12.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 10:06 AM

    The plan is to do a push install with SEPM to upgrade our current clients, but the GPO script is intended for new machines that join the domain.



  • 13.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 10:10 AM

    Hi, 

    The setAid.ini file won't be read by the MSI through a GPO installation; creating an MST will work. How about creating an MST file? Have you tried that?

    https://www-secure.symantec.com/connect/articles/creating-transform-mst-file-control-installation-symantec-endpoint-protection



  • 14.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 10:17 AM

    I read about this briefly last night, but this seems overly complicated.  I have to install the SDK, build a custom MST, then push the Sylink because the client is unmanaged by default.  I prefer the simple method where the client is installed during one boot.



  • 15.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 10:58 AM

    This is not working.  I have unsuccessfully tried the following:
     
    • With if statement
    • Without if statement
    • Executing setup.exe directly without xcopy
    • Copying setup file to policies folder and running from there

    The GPO settings are the same as was required for the Software Installation method of deployment (http://www.symantec.com/business/support/index?page=content&id=HOWTO55429), but it looks like either the script is not running, or the setup is not running.
     
    I tested other simple functions with the login script, such as copying files, and these do not appear to be working either.  As a means of troubleshooting:
     
    test.vbs:
     
    xcopy \\server\share\test1.txt %temp%
    copy \\server\share\test1.txt c:\
    copy test1.txt %temp%
    xcopy test1.txt c:\
    xcopy c:\windows\write.exe %temp%
    copy c:\windows\write.exe c:\

     

    As far as I can tell, none of these commands were run.  Most peculiar...



  • 16.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 11:15 AM

    I've run similar scripts with sylinkdrop so conventional copying files definitely works.

    Why it's failing in your environment is very odd.  Have you tried just popping these in a batch file instead of vbs?



  • 17.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 25, 2014 01:52 PM

    For whatever reason, the GPO wasn't being refreshed with the script addition I made.  I was able to get the test script to run properly (copying test files), so I updated it again to copy and run the setup.exe, but when I used .vbs, the software didn't install.  Could be I was impatient, or it was broken.  In either case, I changed it to a batch script, waited, and it installed in the background just fine.

    It behaved differently than the Software Deployment in that it didn't sit at the Please wait screen while installing, it just started installing in the background.  Looks good so far, just need to make some tweaks to the script and do some additional testing.  Thanks SMLatCST!
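
A batch startup script along the lines this thread settles on, as an added example that is not from any poster: it logs each step so that "the script never ran" can be told apart from "the copy failed" or "setup failed", and it only marks the machine done when the installer reports success. The share path, working folder, log and marker file names are hypothetical, and treating exit codes 0 and 3010 as success assumes the packaged setup.exe passes through Windows Installer return codes.

```bat
@echo off
rem Added example, not from the thread: GPO computer startup script.
rem SRC, WORK, LOG and MARKER are hypothetical names; adjust to your environment.
setlocal
set "SRC=\\fileserver.example\deploy\sep\setup.exe"
set "WORK=%SystemRoot%\Temp\sep_deploy"
set "LOG=%WORK%\deploy.log"
set "MARKER=%WORK%\installed.flag"

if not exist "%WORK%" mkdir "%WORK%"
rem The first log line proves the script itself ran, even if every later step fails.
>>"%LOG%" echo %date% %time% startup script started on %COMPUTERNAME%

if exist "%MARKER%" (
    >>"%LOG%" echo %date% %time% marker present, nothing to do
    exit /b 0
)

rem Copy the single-file package locally so the install does not depend on the share staying reachable.
copy /y "%SRC%" "%WORK%\setup.exe" >>"%LOG%" 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %date% %time% copy from %SRC% failed
    exit /b 1
)

rem Run the installer, wait for it to exit, and record its exit code.
start "" /wait "%WORK%\setup.exe"
set "RC=%errorlevel%"
>>"%LOG%" echo %date% %time% setup.exe exit code %RC%

rem Assumption: 0 = success, 3010 = success with a reboot pending.
if "%RC%"=="0" goto :ok
if "%RC%"=="3010" goto :ok
rem No marker is written on failure, so the next boot retries and logs again.
exit /b %RC%

:ok
>"%MARKER%" echo installed %date% %time%
exit /b 0
```

Startup scripts run as Local System, so the share only needs read access for the computer accounts and should not be writable by ordinary users.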



  • 18.  RE: Unable to deploy SEP 12 via GPO without NTP component

    Posted Feb 26, 2014 03:30 AM

    No problem, and glad to be of assistance :)

    To be fair, it did sound like the easiest way of avoiding the whole "install it then change feature set" process you'd be stuck with otherwise.

    As always, it'd be appreciated if you could mark a post as the Solution to aid others who come across the same problem, and come searching on Connect.