Good day all,

From what I've been reading this week here, I think I can do what I'm about to ask, but I'm unclear on the process.

In a gist, I have our latest SEP installer (v14) that I want to begin rolling out. Our WSUS server has been a slow pain in upgrading clients as they check in, so I want to try and manage it via Kace. I have a managed installation that deploys exactly as I want, as is, but when I tried to use Security Enforcement in Kace to deploy it, I kept receiving an MSI Error 2711. So now I want to try and use a custom inventory report to be able to target computers that check in with an older version of SEP for an upgrade.

Here's where I'm at. I created a new Inventory Record, associated my SEP installer zip file, and have a custom inventory rule with the following criteria:
RegistryValueLessThan(HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion, PRODUCTVERSION, 14.0.1904.0000)

It appears to be working wonderfully, as I have double digits reporting to it within just a few minutes of it being saved.

I assigned this custom inventory record to a label, "SEP Needs Update", but the label itself has no devices, I can't pull this label up in Inventory, and at this point, I'm not sure how to take my custom inventory record and associate the computers checking in with that rule to a label, which I can then use to deploy my updated SEP installer.

Does that make sense? What likely tiny detail am I missing here?

Thanks,

-- Ray
 
(Update - This is the error I get using the security policy)



Community Chosen Answer

2
You do not want to use CIR to deploy software. I do a lot of tricky things with CIRs, but that is not one I would recommend. That will cause Kace to hold up tasks in some background processes till things complete. You need to fix your managed install to work correctly. Can you post your managed install so we can see the settings? It could be as simple to fix as unchecking "Delete Downloaded Files" in the distribution.
Answered 03/06/2017 by: SMal.tmcc
Red Belt

  • SMal,

    Apologies up front about the length of this below.

    My MIs work fine for both SEP 12.x and 14.x, both initial deployments as well as deploying 14 on top of 12. I deploy my ZIP, Kace extracts, and installs with the following command:

    setup.exe /s /v"/l*v log.txt /qn RUNLIVEUPDATE=1 SYMREBOOT=REALLYSUPPRESS"

    No downloaded files are deleted.

    The screenshot error above I get when I use the SEP enforcement policy, which generates a script. There are a couple of things I'm having issues with now. Here's the vanilla script as generated by Kace:

    Verify:
    Verify that “HKLM\SOFTWARE\Kace\MSIWizard\21275!MSIConfigHash” is equal to “1732703484”.

    Remediation:
    Install “Symantec Endpoint Protection 14.0.1904.0” with arguments “$(KBOX_SYS_DIR)\msiexec.exe /qn /l* "log.txt" /i sep64.msi INSTALLDIR="C:\Program Files (x86)" REBOOT=ReallySuppress NETWORKTYPE=2 ENABLEAUTOPROTECT=1 RUNLIVEUPDATE=1 ADDLOCAL= ”.

    Set “HKLM\SOFTWARE\Kace\MSIWizard\21275!MSIConfigHash” to “1732703484”.

    Log:
    Log “Symantec Endpoint Protection 14.0.1904.0 installed with $(KBOX_SYS_DIR)\msiexec.exe /qn /l* "log.txt" /i sep64.msi INSTALLDIR="C:\Program Files (x86)" REBOOT=ReallySuppress NETWORKTYPE=2 ENABLEAUTOPROTECT=1 RUNLIVEUPDATE=1 ADDLOCAL= ” to “output”

    Log Remediation:
    Log “Symantec Endpoint Protection 14.0.1904.0 FAILED to install with $(KBOX_SYS_DIR)\msiexec.exe /qn /l* "log.txt" /i sep64.msi INSTALLDIR="C:\Program Files (x86)" REBOOT=ReallySuppress NETWORKTYPE=2 ENABLEAUTOPROTECT=1 RUNLIVEUPDATE=1 ADDLOCAL= ” to “output”

    Here are the issues I have.
    1. If I use $(KBOX_SYS_DIR), I get the error above.
    2. If I strip that out and substitute the same cmd from my MI, it installs just fine. However, the key HKLM\SOFTWARE\Kace\MSIWizard\21275!MSIConfigHash is never set. This creates the problem that it can't verify the key if it never gets set in the first place.

    My current workaround for scripting this, in place of the Kace-generated script, is as follows:

    Verify:
    Verify that “HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion!PRODUCTVERSION” is less than “14.0.1904.0000”

    On Success:
    Install “Symantec Endpoint Protection 14.0.1904.0” with arguments “setup.exe /s /v"/l*v log.txt /qn RUNLIVEUPDATE=1 SYMREBOOT=REALLYSUPPRESS"”

    This works, but it doesn't really have a solid verification test, nor does it leave a marker for future scripts to NOT install the same product a second time. I had the same error above, where it wouldn't set the Key Hash, so I just took it out for the time being while I continue testing.
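The custom inventory rule in the question and the verify / install / marker workaround in the comment above describe one flow: read PRODUCTVERSION, compare it numerically against 14.0.1904.0000, run the same setup.exe command the managed install uses, and leave a marker only once the upgrade is confirmed. The PowerShell below is an added example reproducing that flow outside Kace, so each step can be checked on a single endpoint; it is not code from the thread or from Quest/Kace. It assumes it runs elevated from the folder where the SEP zip was extracted, that setup.exe relays the MSI exit code (the re-read of the version is the authoritative check either way), and the marker key `HKLM:\SOFTWARE\Kace\SEPUpgrade` and its value names are hypothetical, not a location Kace itself uses. One caveat on the Kace-generated line: Windows Installer internal error 2711 means a feature name was not found in the MSI's Feature table, so the trailing empty `ADDLOCAL=` is worth examining first, although the thread does not confirm that as the cause.

```powershell
# Added example, not from the original thread or from Kace.
# Assumptions: runs elevated, setup.exe is beside this script, marker key is hypothetical.

$SepVersionKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion'  # path from the custom inventory rule
$TargetVersion = [version]'14.0.1904.0000'   # value from the thread; [version] stores the last component as 0
$MarkerKey     = 'HKLM:\SOFTWARE\Kace\SEPUpgrade'   # hypothetical marker for later scripts to test

function Get-SepVersion {
    # Returns the installed SEP version as [version], or $null when the key or value is missing
    # or PRODUCTVERSION does not parse (treat both as "not at target").
    $item = Get-ItemProperty -Path $SepVersionKey -Name 'PRODUCTVERSION' -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    try { return [version]$item.PRODUCTVERSION } catch { return $null }
}

function Test-SepNeedsUpdate {
    param([version]$Installed, [version]$Target = $TargetVersion)
    # Compare as [version], not as strings: as text, '9.1.0.0' sorts above '14.0.1904.0'
    # and an outdated 9.x or 12.x agent would silently fall outside the label.
    if (-not $Installed) { return $true }
    return $Installed -lt $Target
}

function Invoke-SepSetup {
    param([string]$SetupPath = (Join-Path $PSScriptRoot 'setup.exe'))
    # Same switches as the managed install in the thread; the inner quotes are passed through to msiexec.
    $setupArgs = '/s /v"/l*v log.txt /qn RUNLIVEUPDATE=1 SYMREBOOT=REALLYSUPPRESS"'
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
    # MSI convention: 0 = success, 3010 = success with reboot pending (suppressed by SYMREBOOT above)
    return $proc.ExitCode
}

function Set-SepUpgradeMarker {
    param([version]$Version)
    # Written only after the version was re-read, so the marker never claims an upgrade that did not happen.
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name 'UpgradedTo' -Value $Version.ToString()
    Set-ItemProperty -Path $MarkerKey -Name 'UpgradedOn' -Value (Get-Date -Format 'o')
}

# --- Verify ---
$before = Get-SepVersion
if (-not (Test-SepNeedsUpdate -Installed $before)) {
    Write-Output "SEP $before is already at or above $TargetVersion; nothing to do."
    exit 0
}

# --- Remediate ---
$code  = Invoke-SepSetup
$after = Get-SepVersion

# --- Confirm, then mark ---
if (($code -in @(0, 3010)) -and $after -and -not (Test-SepNeedsUpdate -Installed $after)) {
    Set-SepUpgradeMarker -Version $after
    Write-Output "Upgraded SEP from '$before' to $after (setup exit code $code)."
    exit 0
}
Write-Output "SEP upgrade FAILED: setup exit code $code, version now '$after'. See log.txt beside setup.exe."
exit 1
```

Run it as the same account the Kace agent uses, since a 64-bit PowerShell reads the 64-bit view of HKLM\SOFTWARE, which is the path the custom inventory rule names. The exit code is logged but the decision to write the marker rests on re-reading PRODUCTVERSION, which is the check the comment above says the workaround lacks.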

Answers

1
If it's a smart label you have created, no machines will populate the label until they have successfully carried out an inventory.
Smart labels will not show up in the device tab of the K1000 until there is at least one device in it.

One last thing with smart labels: once the machine inventories, the label will be populated with that machine; however, the software deployment that the label is applied to won't be carried out till the next check-in of that machine.

If you don't have a smart label, then simply create one, and make the conditions where SEP Custom Inv < 14.0.1904.0000.

One last thing: we don't use SEP, but the software tab in KACE should show the versions?
If it does, you could just make a smart label that groups all machines where their software version either doesn't match the one you are deploying, or has a value less than the one you are deploying.


Answered 03/03/2017 by: trevorhalse
Yellow Belt

  • I was using a manual label, but I get what you're saying.

    Basically - tag all my non-current SEP with a label (Not Current SEP), for example, and then tag my latest SEP deployment to all computers with the 'Not Current SEP' label.

    What confuses me is the use of negatives to create a positive in situations like this, that's all.
    • If the software versions are correct in KACE, then you can do all the validation in the smart label. Even using the smart label wizard, just make one that adds all machines where Software Title = SEP (use the exact name in the software tab) AND Software Version != 14.0.1904.0.
      This will make the device label only have machines where the above condition is true. You can then add this label to your script or managed install. As soon as a machine has the correct version, it will be removed from the label, so you do not need to worry about it getting installed again.

      Even if the versions are not showing up in the software tab, you can make the smart label only show machines where your custom inventory is true. We use custom inventories often to get the version of software when it doesn't show up in software.