Deploying the Symantec client through Group Policy (MST format)

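Introduction:

Recently the company required every user to install the Symantec client. Our current version is Endpoint Protection 12.1.100, so the obvious approach was to distribute the software to every domain user's computer through Group Policy software deployment. As we all know, Microsoft released Windows 8 last year, but after installing the Symantec client on Windows 8 it would not open or run properly. After talking to Symantec we were told that the current Symantec version was not compatible with Windows 8 and that they would have to develop a version that is. Two months later Symantec released a new version, Endpoint Protection 12.1.2015 (Ru2), which supports Windows 8 and 2012 systems. I was very excited to see it and started upgrading the server, and also upgraded the Symantec clients through SEPM policy. There were no major problems after the upgrade, but many users would not install the Symantec client, saying that the system runs slower once it is installed. For the annual ISO audit, however, the company requires every user to install it, so in the end we pushed the Symantec client to every domain user through Group Policy.

After the push there was a new problem. When pushing the Symantec client installation package I only wanted the Virus, Spyware, Download Protection component installed, not the Proactive Threat Protection and Network Threat Protection components, but after the Group Policy push the installation did not follow that rule and all three components were installed. With no other choice I phoned Symantec. They said this problem should not occur, and admitted that version 12.1.1205 has many problems, but said they had not received a similar case. They just shifted the blame, telling me that their product was fine, that a double-click install gives one component while a Group Policy push gives three, and that it was a Microsoft product problem. I was speechless, and honestly I felt like hitting that engineer... Finally, after some back and forth, they recommended pushing to the clients remotely from the SEPM server, but when I tried that I found problems too: a push through SEPM has certain prerequisites, and the client must satisfy the following conditions: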

Incorrect user name or password
This problem can happen if the user name or password that you entered is incorrect. Enter the correct user name and password to solve the problem.    
Simple file sharing is enabled or the "Sharing and security model for local accounts" policy is set to Guest Only
This problem can occur if Simple File Sharing (or the Sharing Wizard) is enabled on the target computer, or if the client has the "Sharing and security model for local accounts" policy set to Guest Only, the manager is not able to authenticate as Administrator. To solve the problem, read the document Is the "Sharing and security model for local accounts" policy set to Guest Only?
User Account Control is enabled
If User Account Control is enabled, the manager may not be able to access the administrative shares C$ and ADMIN$. This can cause remote deployment to fail. See the document Is User Account Control enabled on the client?
The Administrator account on the target computer does not have a password
If the Administrator account on the target does not have a password set, authentication will fail. To solve this problem, read the document Does the Administrator account have a password?
Port 445 is blocked
If the Microsoft Windows Firewall is not configured to allow File and Printer Sharing (port 445), authentication will fail. To solve this problem, read the document Is the Microsoft Windows Firewall blocking port 445?
The Remote Registry Service is set to disabled on the client computer
If the Remote Registry Service is stopped and set to Disabled on the client computer, the manager cannot scan the client registry because the service cannot be started. To solve this problem, make sure that the Remote Registry Service is set either to Manual or Automatic.

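As we all know, that is certainly not workable: how could an administrator, just to satisfy the conditions for installing SEP, check whether every client machine meets the conditions above, or change the client machines so that they do? In the end they said there was no better way... I was speechless again, so I looked online for a good approach and eventually found a very good one. I have always believed that everything is fate: there is always a road once the cart reaches the mountain, and the boat straightens itself when it reaches the bridge... The approach is to deploy with an MST file; after deploying with an MST the problem was solved. Details below: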

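First, the MSI file has to be edited with a tool. The tool we use today is the Orca MSI editor.

The file is very small, only 1.8M.

Next, export the Symantec client installation package that contains the MSI file.

We set the exported installer to include only the antivirus component.

Export the 32-bit and 64-bit installation packages to the chosen location; note that the exported files must not be compressed into a single file (exe).

Export the 64-bit installation package.

Next, install the Orca tool.

Edit the MSI file and generate the MST: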
- Export the package from SEPM:
In Admin/Install Package/Client Install Packages, select the package and click on "Export Client Install Package".
Make sure that "Create a single .EXE file for this package" is deselected.
Also, the feature selection made in the export does not matter here.
- Open Orca
- Click on File/Open and select the .msi package that you just created (Symantec Antivirus.msi)
- Click on Transform/New Transform
- Go to the "Property" table
- Right-click on the right panel and select "Add Row"
- Enter "ADDLOCAL" in the "Property" field
- Select the "Value" field and enter the features that you want, separated by commas

The list of features can be found in Appendix A of installation_guide.pdf (Table A-1).
Note: The localized version of the documentation is faulty; refer to the English version of the document.
For example, if you want to install only the antivirus, enter
"Core,SAVMain"
If you don't want to restart the workstations after installation, add a row "REBOOT" with the value "REALLYSUPPRESS" to the Property table.
- Click on Transform/Generate Transform
- Save the transform as "Symantec Antivirus.mst" in the folder that contains the exported package
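
One way to check the transform before the package is assigned by Group Policy (an added example, not part of the original post or of Symantec's documentation): the script opens the exported MSI read-only, applies the MST in memory through the Windows Installer COM automation interface, and compares ADDLOCAL and REBOOT with the values entered in Orca. The file names and expected values are taken from the steps above and are assumptions about your export.

```powershell
# Added example, not from the original post. File names and expected values
# follow the steps above; change them to match your exported package.
param(
    [string]$MsiPath = '.\Symantec Antivirus.msi',
    [string]$MstPath = '.\Symantec Antivirus.mst'
)
$expected = @{ ADDLOCAL = 'Core,SAVMain'; REBOOT = 'REALLYSUPPRESS' }

# Direct method calls on the WindowsInstaller COM objects often fail to bind
# in PowerShell, so every call goes through reflection.
function Invoke-Msi($Object, [string]$Name, [System.Reflection.BindingFlags]$Kind, $Arguments) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# 0 = msiOpenDatabaseModeReadOnly: the MSI on disk is never modified.
$db = Invoke-Msi $installer 'OpenDatabase' 'InvokeMethod' @((Resolve-Path $MsiPath).Path, 0)
# Apply the MST in memory only; 0 = do not suppress any transform errors.
$null = Invoke-Msi $db 'ApplyTransform' 'InvokeMethod' @((Resolve-Path $MstPath).Path, 0)

$failed = 0
foreach ($name in $expected.Keys) {
    # Backticks are literal inside single quotes; '' is an escaped quote.
    $sql  = 'SELECT `Value` FROM `Property` WHERE `Property` = ''{0}''' -f $name
    $view = Invoke-Msi $db 'OpenView' 'InvokeMethod' @($sql)
    $null = Invoke-Msi $view 'Execute' 'InvokeMethod' $null
    $record = Invoke-Msi $view 'Fetch' 'InvokeMethod' $null
    $actual = if ($record) { Invoke-Msi $record 'StringData' 'GetProperty' @(1) } else { '<missing>' }
    $null = Invoke-Msi $view 'Close' 'InvokeMethod' $null

    # -eq on strings is case-insensitive in PowerShell.
    if ($actual -eq $expected[$name]) {
        Write-Host "OK    $name = $actual"
    } else {
        Write-Host "FAIL  $name = $actual (expected $($expected[$name]))"
        $failed++
    }
}
# Non-zero exit code lets a packaging script stop before the GPO is linked.
if ($failed) { exit 1 }
```

Run it from the folder that holds the exported package; a FAIL line means the MST saved from Orca does not carry the property you expect and the GPO install would fall back to the package defaults.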

Open the Orca tool.

Then save the transform to the MSI directory.

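Next we create a new Group Policy object, link it to the target OU, and edit it.

Computer Configuration --- Software Installation; share the Symantec client installation package before configuring this.

Share the package:

Right-click Software Installation, then Properties.

Enter the network path of the shared package (MSI), then click OK.

Right-click Software Installation --- New --- Package.

Select the SEP.msi installation package, then click Open.

After it opens, the package properties dialog pops up automatically. Switch to the Deployment tab, choose Assigned, and tick "Install this application at logon".

This is because we are on Windows 2008 R2; Windows 2003 does not have the option below, only Published and Assigned.

The difference between Published and Assigned can be summarized as follows:

Published: whether to install is up to the user (it can be installed from Control Panel).

Assigned: must be installed.

Switch to the Modifications tab, then click Add.

We link the Group Policy to the Dsgrd Computer OU.

Refresh Group Policy and restart; the installation starts when the user logs on.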



This article is reposted from 高文龙's 51CTO blog. Original link: http://blog.51cto.com/gaowenlong/1201837. To repost, please contact the original author.