Endpoint Protection

A handful of our clients need to run SEP in an unmanaged state because they rarely, if ever, connect back to our network.  I set up an install using the MSI and I use the property SYMREBOOT=ReallySuppress but the client still restarts after the install.  I believe it is the symantec software itself and not the installer which initiates the restart because of what I found n the event viewer (below).  This unexpected restart is throwing our Operating System Deployment procedure into an error state.  (We use Microsoft SCCM). 

Here is a snippet from the System event log:

Event 1074

Source User32

Detail:

The process C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.0.1904.0000.105\Bin\ccSvcHst.exe (COMPUTERNAME) has initiated the restart of computer COMPUTERNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: Legacy API shutdown
 Reason Code: 0x80070000
 Shutdown Type: restart
 Comment:

Was this package exported from the SEPM or is it the unmanaged package from the download?

No export from SEPM, just the straight up client install files from the download. 

Here is my command line....

msiexec /i "Sep64.msi" RUNLIVEUPDATE=0 ADDLOCAL=Core,SAVMain,Download,OutlookSnapin,PTPMain,TruScan,DCMain,NTPMain,ITPMain,LANG1033 SYMREBOOT=ReallySuppress /qn /L*v C:\Path-to\SEP14.0.1904.LOG

I didn't have the RUNLIVEUPDATE=0 until more recently but it has no bearinig on the restart. 

can you attach the log which is here C:\Path-to\SEP14.0.1904.LOG

Can you check the Setaid.ini from the exported package and see if reboot is supressed 

Log file attached. 

I didn't use setaid.ini because I did not export a package from SEPM.  I'm using the MSI right from the downloaded client installer files.

Attachment(s)

SEP14.0.1904.LOG_.txt   2.27 MB 1 version

Hello Christopher,

from the logs its evident that 

SYMREBOOT = ReallySuppress is present till the end of the installation , however looks like its not adhered by installation ( might be due to its from CD1\SEP and not from SEPM )

is it possible for you to create an unmanaged package install from SEPM ( if you have an existing one ) and use the same .msi with SCCM

as a work around after the SEP inst,all  can use a shutdown -a cmd in the task sequence to abort the restart.

When you created the umagged package export did you set a Client Install Policy with no reboot or did you use the standard SEPM settings? 

Admin > Install Packages > Client Install Settings > right click add policy > restart settings > No Restart

Then when creating the package use the new policy created to not force a reboot. 

I have not attempted an export from SEPM yet and I would prefer not to if that is possible.  SCCM handles MSI installers natively and they work very consistently.  In the past, the compressed installeers exported from SEPM have been less reliable than a straightforward MSI command.

If the symreboot=reallysuppress property isn't enough, is there any other way to instruct the software to suppress restarts?  Can setaid.ini be edited manually for unmanaged installs?  The first line says not to edit the config below so I don't know if I should be touching that.

Thanks for the help so far.

you can create an MSI package from SEPM. it allows this

The unmanaged client I exported from SEPM is still rebooting the computer.  Here is a section of setaid.ini with a lot of reboot options.  Unfortunately, I can't find any documentation on most of them.  Can you point me to a doc that explains optional values for settings like RebootPromptUser and PromptType and RebootSchedule? 

[CUSTOM_SMC_CONFIG]
InstallNewInstanceOnly=0
InstallUserInterfaceLevel=s
KeepPreviousSetting=1
InstallationLogDir=C:\Windows\WPU\SEP14.0.1904-unmanaged.LOG
DestinationDirectory=
LaunchIt=1
AddProgramIntoStartMenu=1

OptOutRepSubmission=1
UIRebootMode=0
DarkNetwork=0
ReducedSize=0
PromptType=SNOOZE
RebootMinutes=180
HardReboot=false
AutoReboot=false
RebootRandomize=true
RebootRandomizeHours=2
RebootMethod=NONE
SnoozeInterval=60
RebootDay=TODAY
RebootDisplayTimeout=60
Countdown=5
RebootPromptUser=true
RebootPromptMessage=The Symantec Endpoint Protection installation requires this computer to restart.
RebootMaxSnoozeCount=3
RebootSchedule=LATER

Update to date as of 1/5/17:

MSI command line reference for Symantec Endpoint Protection

Still seems to be missing some options for 14. 

Hello Christoper,

Change the reboot settings as GeoGeo suggested and then compare the setadi.Ini files

I already did that what GeoGeo instructed above.  I created a new policy and a new feature set to install the product without a reboot and that is the what setaid.ini had. 

; User configureable options
[CUSTOM_SMC_CONFIG]
InstallNewInstanceOnly=0
InstallUserInterfaceLevel=s
KeepPreviousSetting=1
InstallationLogDir=C:\Windows\WPU\SEP14.0.1904-unmanaged.LOG
DestinationDirectory=
LaunchIt=1
AddProgramIntoStartMenu=1

OptOutRepSubmission=1
UIRebootMode=0
DarkNetwork=0
ReducedSize=0
PromptType=SNOOZE
RebootMinutes=180
HardReboot=false
AutoReboot=false
RebootRandomize=true
RebootRandomizeHours=2
RebootMethod=NONE
SnoozeInterval=60
RebootDay=TODAY
RebootDisplayTimeout=60
Countdown=5
RebootPromptUser=true
RebootPromptMessage=The Symantec Endpoint Protection installation requires this computer to restart.
RebootMaxSnoozeCount=3
RebootSchedule=LATER
[LU_CONFIG]
ServerProduct=SESM AntiVirus Client Win64
ServerLanguage=English
ServerVersion=14.0.1904
SequenceNumber=0
ServerMoniker={227B4B25-0ADA-155E-7F9B-FC5FF764804D}
ClientProduct=SESC AntiVirus Client Win64
ClientLanguage=English
ClientVersion=14.0.1904
ClientMoniker={57201BD7-52EE-4841-8368-05C54B1F44DC}
SequenceTag=PATCH
ShortName=spcAvClient64en_14_0
DisplayName=Symantec Endpoint Protection Win64 14.0.1904.0000 (English)
Language=en_us
CONNECT_LU_SERVER=0

[FEATURE_SELECTION]
Core=1
SAVMain=1
Download=1
OutlookSnapin=1
NotesSnapin=0
Pop3Smtp=1
PTPMain=1
TruScan=1
DCMain=1
NTPMain=1
Firewall=0
ITPMain=1

I'm hoping setaid.ini holds the solution to preventing these restarts but documentation on the parameters seems scarce.  I found this post but it didn't go anywhere.

https://www.symantec.com/connect/forums/setaidini-all-possible-settings-and-what-they-mean

I already tried changing UIRebootMode=0 to UIRebootMode=3 but that didn't prevent it so maybe one of these settings holds the key.  Can anyone find information on valid settings for the following?

UIRebootMode=0
PromptType=SNOOZE
RebootMinutes=180
HardReboot=false
AutoReboot=false
RebootRandomize=true
RebootRandomizeHours=2
RebootMethod=NONE
SnoozeInterval=60
RebootDay=TODAY
RebootDisplayTimeout=60
Countdown=5
RebootPromptUser=true
RebootPromptMessage=The Symantec Endpoint Protection installation requires this computer to restart.
RebootMaxSnoozeCount=3
RebootSchedule=LATER

I've been banging my head against the wall with this for several days now and I'm still not convinced that the installer is causing the restarts because the event log says ccSvcHst.exe initiated it. 

Going on that thread, I searched the administration guide and found a registry key that is supposed to suppress client restarts.  (see attached pic)

I added this reg key before installing Symantec Endpoint Protection but it still restarts the computer just after the installation completes successfully.  Does anyone else have a method of preventing client restarts on an unmanaged client?

After the SEP 14.0.1904 client is installed, I can go into "Change Settings" and click Client Management Settings.  There is a button to "Configurew Reboot Options..."  Is there a way to configure these options for an unmanaged client either before installing it or as part of the installation?  Specifically I need to set Restart Type to "Do not restart" and disable "hard restart". 

The only way I know of adjusting the reboot for unmanaged client prior to installation is the way I mentioned earlier in the thread and building it into the package. If this isn't working I'd recommend raising a case with symantec directly to investigate why this isn't working properly in your environment. 

Seen this?

https://support.symantec.com/en_US/article.TECH236454.embed.html

bug in the product with no workaround so you're SOL until new version is out. I opened case a few days ago.

Thanks for the updates, people.  It's nice to know I'm not the only person slamming his head against the wall trying to figure this out.  Because I am able to suppress the restarts with a managed install, I am going to try using Location Switching to allow my disconnected clients to get updates directly from Symantec.  That way they I can still use a managed install and not worry about them staying away from my network.  The doc is for an older version but I'm hopeful the procedure is similar.

https://support.symantec.com/en_US/article.TECH177361.html

Symantec Endpoint Protection 14 MP1 appears to have fixed my issue.  Thanks for everyone's assistance.