Endpoint Protection

  • 1.  Ensure all domain PCs have SEP

    Posted Dec 02, 2009 11:48 PM
    I am trying to nail down the best strategy to make sure all of our PCs joined to our domain have SEP loaded.

    Given our limited resources, I think the best way is to create a software installation GPO and assign it to the OU containing our PCs.

    However, after browsing through the forums, I am still a little confused as to the best way to do this.

    The installation guide recommends creating an administrative install point from the CD media.

    Other posts have said to export the package from SEPM and assign the MSI.

    Both work, but which is better? I will want to use the SEPM features to upgrade our groups after the initial GPO install to future releases (in other words, I do not want to keep using the GPO to upgrade clients to the latest MR/RU).

    Also, when using the MSI exported from SEPM, I am not able to restrict the install to just AV and Spyware. It always installs all of the features, even if I choose otherwise in the export options.

    Is using GPO the best option here? If so, what can I do to address the problems mentioned above?



  • 2.  RE: Ensure all domain PCs have SEP

    Posted Dec 03, 2009 12:18 AM
    You can do the implementation with the help of the Migration and Deployment Wizard.
    More details you can find in the installation guide.


  • 3.  RE: Ensure all domain PCs have SEP

    Posted Dec 03, 2009 12:54 AM
    Check this document to find why it installs all the components:
    When installing SEP clients using GPO the clients get all features installed instead of only the features set in the installation package

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008062706342848


    If you have a limited number of clients, you can use the Migration and Deployment Wizard for a handful of clients at a time.
    Installing and configuring Symantec Endpoint Protection 11.0 for the first time

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007082915561148


  • 4.  RE: Ensure all domain PCs have SEP

    Posted Dec 03, 2009 07:03 AM
    Migration and Deployment Wizard1.JPG
    Migration and Deployment Wizard2.JPG
    Migration and Deployment Wizard3.JPG
    Migration and Deployment Wizard4.JPG
    Migration and Deployment Wizard2.JPG



  • 5.  RE: Ensure all domain PCs have SEP

    Posted Dec 03, 2009 08:08 AM
     Rahul, I had one of my guys create a GPO for me that I can add new machines created in AD to that will run a machine login script. I then created a batch file that checks to see if SEP is already installed (it just looks to see if there is a sylink.xml file in certain places) and if it isn't then it runs another batch file that copies the compressed setup.exe to a folder on the main drive and runs it. The cool thing is, using RoboCopy to transfer the file, I can set a switch that will resume the copy process if someone reboots/shuts down the machine before it finishes copying. I also set a switch that slows the copy process down to about 16KBps to keep them from hogging all the bandwidth and that's why the switch to resume copying until completed is so important.

    Let me know if you'd like more details about the batch file.


  • 6.  RE: Ensure all domain PCs have SEP

    Posted Dec 03, 2009 08:25 AM
    Won't work for us as users don't have install rights to their computers. And login scripts run with the same rights as the users logging in.
    How do you get around that?
    Batch or VBS files are pretty easy to create that look for the existence of certain things - I've got a VB file in the login script that looks for the SEP service, AND to see if said service is started. If it's not there or not running, the login script sends me an email.
    But we can't install due to lack of rights......................
    HOWEVER, you can setup a startup or shutdown script since those can be run with system rights, not the user's rights.


  • 7.  RE: Ensure all domain PCs have SEP

    Posted Dec 03, 2009 08:35 AM
    You're right, I called it a login script when it's actually a startup script since our users don't have rights to install software.


  • 8.  RE: Ensure all domain PCs have SEP

    Posted Dec 03, 2009 09:56 AM
    Thanks for all the suggestions. I should have been a little more clear - I want to ensure all computers added to the domain get SEP installed automatically. So, the migration and deployment wizard will not work. The KB article Rafeeq mentioned is technically OK, but it requires many reboots until the product is up and running. I like the idea of a startup script. BadAndy, could you give me some pointers on how you created this?

    Thanks


  • 9.  RE: Ensure all domain PCs have SEP

    Posted Dec 03, 2009 10:40 AM
     I was obviously still waking up when I made my original post LoL! I said that it was a login script when I really meant to say startup script and now I'm seeing that I said the batch file looks for sylink.xml when it actually looks for smc.exe. I really should keep from posting on forums until I'm fully awake!!

    Anyways, here's what I have in the main batch file that the GPO calls at startup.

    IF EXIST "c:\program files\symantec antivirus\smc.exe" (exit)

    IF EXIST "C:\program files\symantec\symantec endpoint protection\smc.exe" (exit) else (\\sccpb301\sep\sep_test.bat)

    If smc.exe does not exist at those locations then it runs that sep_test.bat file. Here is what that file does.

    robocopy \\sccpb301\SEP\32bit c:\#istools# setup.exe /ipg:1000 /z /r:5 /w:30 > c:\#istools#\sep-install.txt
    c:\#istools#\setup.exe
    del c:\#istools#\setup.exe /q
    echo %computername% on %date% @ %time% >> \\sccpb301\sep\sep-installed.txt

    The first line with robocopy may look a bit confusing if you aren't familiar with how it works. The first portion is the location/folder of the file to be copied "\\sccpb301\sep\32bit" .... the next set is the destination "c:\#istools#" where the file is going to .... 4th is the file name, obviously... and then the switches

    /IPG:n 
    Tells Robocopy to pause 'n' milliseconds between packets for network transfers. Useful to preserve bandwidth on slow lines.

    /Z 
    Copy files in restartable mode. "Restartable" means Robocopy should write a recovery record inside an incomplete file so if the operation is interrupted or aborted, a future run of Robocopy can resume copying where the previous one left off, instead of starting over at the beginning. This is useful for reliably copying large files or many files over an unreliable network such as a VPN or the Internet. An incomplete file has the same file size as the complete file, and is noted with a date stamp in the file system being within 24 hours of 1980-01-01 00:00.

    /R:n 
    Tells Robocopy to retry 'n' times before giving up in the event of error (default is 1 million).


    /W:n 
    Wait time between retries (default is 30 seconds).

    The /ipg switch is the one that determines the speed of the download. The larger the number, the slower the transfer is.
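
Added example (not part of the thread and not Symantec's code): a PowerShell version of the startup script described in post 9 that keeps the same smc.exe check and Robocopy switches, but stages the installer in a folder only SYSTEM and Administrators can write to and checks its SHA-256 against a pinned value before running it as SYSTEM. The staging folder name and the hash placeholder are assumptions; the log is written locally so the installer share can stay read-only for computer accounts.

```powershell
# Added example: hardened variant of the startup script from the thread.
# Intended to run as SYSTEM from a computer startup script GPO.
$ErrorActionPreference = 'Stop'

# Paths from the thread: the client counts as installed if smc.exe exists in either.
$smcPaths = @(
    'C:\Program Files\Symantec AntiVirus\smc.exe',
    'C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe'
)
if ($smcPaths | Where-Object { Test-Path -LiteralPath $_ }) { exit 0 }

$source         = '\\sccpb301\SEP\32bit'                # share named in the thread
$staging        = Join-Path $env:ProgramData 'SepStage' # hypothetical staging folder
$expectedSha256 = '<SHA256-OF-YOUR-SETUP.EXE>'          # placeholder: pin your package hash

# Restrict the staging folder to SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544)
# so a standard user cannot swap setup.exe between the copy and the execution.
New-Item -ItemType Directory -Path $staging -Force | Out-Null
& icacls.exe $staging /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Same throttled, restartable copy as the thread; exit codes 8 and above mean failure.
& robocopy.exe $source $staging setup.exe /IPG:1000 /Z /R:5 /W:30 "/LOG:$staging\sep-install.txt" | Out-Null
if ($LASTEXITCODE -ge 8) { exit 1 }

# Refuse to run anything whose hash differs from the pinned package.
$exe  = Join-Path $staging 'setup.exe'
$hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
if ($hash -ne $expectedSha256) {
    Remove-Item -LiteralPath $exe -Force
    exit 1
}

# Install, clean up, and record the result locally.
$proc = Start-Process -FilePath $exe -Wait -PassThru
Remove-Item -LiteralPath $exe -Force
Add-Content -LiteralPath (Join-Path $staging 'sep-installed.txt') -Value "$env:COMPUTERNAME $(Get-Date -Format s) exit=$($proc.ExitCode)"
```

If the machine shuts down mid-copy, the script never reaches the hash check, so the next boot resumes the /Z copy rather than discarding it.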