Hi everybody,
I've been searching for ways to install SEP clientes on almost 2000 desktops (XP and 7 mixed) in the past two weeks.
The problem here is that all these 2000 desktops have McAfee Enterprise installed, so I need to uninstall it before installing SEP.
This issue was solved by using SEPprep, exporting the package as multiple files, preparing sepprep.ini, renaming setup to sepsetup.exe and copy sepprep.exe over setup.exe. OK, it worked fine, but along all the desktops, at some branch offices many of them are turned off for weeks, maybe months and got ocasionally turned on by its users.
So, I need three deployment options:
1. Deploy using Deployment wizard in the main office where the SEP Manager is installed on a local server using the SEPpreped package. Done!
2. Deploy using PushDeploymentWizard in the branch offices to eliminate traffic between WAN links due to client package transfer. Done!
3. Deploy on demand using GPO in branch offices where the computers are always turned off and often turned on by its users. Not done...
So, my problem now is GPO deploy. These were the methods I tried:
1. Software deployment using setup.MSI file inside the exported package. This worked fine but when you use the setup.msi, it won't call the sepprep, so it won't uninstall the McAfee AV before. Ended with two AV installed. Not a suitable solution.
2. Tried to write a batch script and use it as startup script.
This is the script:
echo off
IF %PROCESSOR_ARCHITECTURE% == x86 (
GOTO Bit32
) else (
GOTO Bit64
)
:Bit32
Echo "This is 32 Bit Operating system" >> c:\temp\install32.log
reg query "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection"
if %errorlevel% == 0 ( goto exit )
\\fs1\netlogon\runas.exe -u domain\username -p password \\fs1\netlogon\32bits-SEPprep\setup.exe
goto exit
:Bit64
Echo "This is 64 Bit Operating System" >> c:\temp\install64.log
reg query "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection"
if %errorlevel% == 0 ( goto exit )
\\fs1\netlogon\runas.exe -u domain\username -p password \\fs1\netlogon\64bits-SEPprep\setup.exe
:exit
echo END
FS1 is my ad server. This worked almost perfectly, besides the fact that I would have a security issue by having an admin password in plain text inside a wide open file share like netlogon. The runas is a runas alternative that allow storing password at command line, not the windows runas.
So, I went after other tools that could allow to encrypt passwords within the command line. None of them worked when called from a startup script via GPO. Tried CPAU, lsrunas, runasspc. I edited the script above to only execute setup.exe without runas thing, wrote a second script named callinstall.bat with these lines below and set it as startup script:
echo off
\\fs1\netlogon\cpau.exe -dec -file \\fs1\netlogon\instalasep.job -lwp **** (this job is configured to execute in c:\temp, that is mandatory when using UNC paths) ****
exit
This job file contains a command line that calls the main script (the one that executes setup.exe) with administrative credentials, so it has to work. But no.
This not worked as startup script, when the OS startup nothing happens. It shows the CTRL+ALT+DEL too early and after logon I can't see any setup.exe or msiexec.exe running at task manager.
So, If I go to \\fs1\netlogon\ myself and execute callinstall.bat it will them provide the admin credentials, call the main script, detect the architecture (32 or 64) and setup SEP pretty well. The desktop computers are in the correct OU inside the AD users and computers and the GPO is linked correctly to this OU. Its worth to say that this problem seems to be particular to Windows 7 desktops. Windows XP work fine even if I set main batch script without runas or cpau command.
Really don't know what to do. It's driving me crazy.
Please help.
Henrique