Deploying Symantec Endpoint Protection Small Business Edition (SEP SBE) cloud with Microsoft Active Directory involves the following steps:
All antivirus products and firewall products must be removed from your computers before you install SEP SBE cloud.
Administrators of SEP SBE cloud accounts that are provisioned through eStore must ensure that they have adequate licenses for the number of computers targeted in the Active Directory deployment. If you run out of licenses during your Active Directory deployment, the installations fail for computers without licenses. Active Directory reports a successful install, but that is a false positive.
During the download of the Active Directory-ready redistributable installer package, three files are compiled for use by the organization's IT department. These files must always reside in the same folder to function properly and should not be mixed with different downloads of the redistributable package:
SYMGroupPolicyDeployment.mst is now saved as GPO-YYYYMMDDHHMM.mst.
For more information about using MST files, see the Microsoft documentation for:
Another Microsoft article that may be useful in preparing for an Active Directory deployment is: How to assign software to a specific group by using Group Policy
To download a redistributable installer package for Active Directory deployment
In the SEP SBE Management Console, click Computers.
In the Computers page, click Add Computer.
In the Protect Computer page, use the groups drop-down to select a computer group to populate with this install package.
In the Download Windows Installer > Download a Redistributable Package section, click Download.
Depending on your browser, the file is automatically downloaded or you may be asked to run or save the file.
When the SymantecPackageCreator.exe file download is complete, run the file.
When the Package Creator dialog box opens, click edit to identify where to save the redistributable package.
In the Advanced section, click edit next to Operating Systems to choose the Windows versions that you want your package to support. Click Save.
The latest version of SEP SBE is compatible with Windows Server 2016, but it is not certified. A certified version will be available in the near future.
In the Advanced section, click edit next to Proxy Settings to enter your organization's proxy settings for use by the Package Creator. This step is optional and only necessary when these settings are required for Internet access. Click Save.
You may create a number of distribution packages to fit the needs of your organization's different network locations.
In the Advanced section, check Create Active Directory Group Policy deployment.
The following options are available when Create Active Directory Group Policy deployment is selected.
Restart computers automatically - The computer automatically restarts to complete installation if required. User interaction is not required. If you are logged on to the computer during the installation process and if a restart is required, a message is displayed notifying you of the restart.
Upgrade outdated computers - Reinstalls only if the installed files are outdated compared to the files in the redistributable. The computer automatically restarts during the process if required. This option works regardless of whether SEP SBE was first installed manually or by Group Policy.
If you have deployed a software package using Group Policy before this installation, you can add this upgrade version to the Active Directory Server. You can either add it alongside older packages or mark it as an upgrade of the older packages, to avoid installing the old version on computers that have been newly added to the group.
Because servers require two restarts, we recommend that you also select Restart computers automatically to complete server installations without user interaction.
Selecting both the options ensures that the new installations automatically restart and the existing installations are upgraded if required.
The selected files are downloaded and then the package is created. The redistributable package files are associated with a specific organization and should not be used outside of that organization.
When the download is complete, click Finish.
The files: SYMRedistributable.exe, SYMGroupPolicyDeployment.msi, and GPO-YYYYMMDDHHMM.mst are in the destination directory. These files must be kept together as a single package; mixing different versions of these files breaks the redistributable package.
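The following PowerShell check is an added example, not Symantec code. It verifies that a package folder holds the three files named above and that all transforms share one timestamp, and it records SHA-256 hashes as a baseline. The function name, the demo folder and the assumption that a modified transform keeps its original timestamp with a suffix (as in GPO-201611201532-force.mst) are illustrative.

```powershell
# Added example: sanity-check a redistributable folder before linking it to a GPO.
function Test-SepPackageFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Folder not found: $Path" }

    $problems = @()
    foreach ($name in 'SYMRedistributable.exe', 'SYMGroupPolicyDeployment.msi') {
        if (-not (Test-Path -LiteralPath (Join-Path $Path $name) -PathType Leaf)) {
            $problems += "Missing $name"
        }
    }

    # GPO-YYYYMMDDHHMM.mst, optionally with a suffix such as -force (assumed convention).
    $stamps = @()
    foreach ($mst in Get-ChildItem -LiteralPath $Path -Filter '*.mst' -File) {
        if ($mst.Name -match '^GPO-(\d{12})(-[^.]+)?\.mst$') {
            $stamp = $Matches[1]
            $parsed = [datetime]::MinValue
            $style = [Globalization.DateTimeStyles]::None
            $culture = [cultureinfo]::InvariantCulture
            if ([datetime]::TryParseExact($stamp, 'yyyyMMddHHmm', $culture, $style, [ref]$parsed)) {
                $stamps += $stamp
            } else {
                $problems += "Invalid timestamp in $($mst.Name)"
            }
        } else {
            $problems += "Unexpected transform name: $($mst.Name)"
        }
    }
    $distinct = @($stamps | Sort-Object -Unique)
    if ($distinct.Count -eq 0) { $problems += 'No GPO-YYYYMMDDHHMM.mst transform found' }
    if ($distinct.Count -gt 1) { $problems += "Transforms with different timestamps: $($distinct -join ', ')" }

    # SHA-256 baseline to compare later against the copy on the deployment share.
    $hashes = Get-ChildItem -LiteralPath $Path -File | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash

    [pscustomobject]@{ Healthy = ($problems.Count -eq 0); Problems = $problems; Hashes = $hashes }
}

# Constructed demo folder: placeholder files, two transforms from different downloads.
$demo = Join-Path $env:TEMP 'SymADFiles_Cloud-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'SYMRedistributable.exe', 'SYMGroupPolicyDeployment.msi', 'GPO-201611201532.mst', 'GPO-201701051010.mst' |
    ForEach-Object { Set-Content -LiteralPath (Join-Path $demo $_) -Value 'placeholder' }
(Test-SepPackageFolder -Path $demo).Problems
```

On the demo folder the function reports the two transforms with different timestamps; a folder from a single download returns Healthy = True.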
When the download is complete, the domain controller must be set up for the SEP SBE cloud deployment. The procedures for accomplishing this task are well documented in the following Microsoft knowledge base article:
When you add a new SEP SBE package to a GPO, you must select Advanced rather than Published or Assigned. You then select the Modifications tab of the GPO deployment properties and add the MST file from the SEP SBE package. The Microsoft article does not mention this scenario.
GPO deployment logs and other installation logs can be found on the client at C:\ProgramData\Symantec.cloud\syminstall\
The default SEP SBE GPO deployment does not uninstall or upgrade other versions except in limited cases; to do so, the MST file must first be modified to add the -force or -refresh/refreshall command-line options.
To go to Software Settings in Group Policy Management
1. Under Administrative Tools, open Group Policy Management.
2. Right-click Default Domain Policy or the name of the policy the GPO is to be added to.
3. Select Edit.
4. If the software is to be installed per computer, select Computer Configuration->Policies->Software Settings.
If the software is to be installed per user, select User Configuration->Policies->Software Settings.
Symantec recommends installing per computer, as this option allows all Windows systems on the network to get the install package.
To install Orca
The Orca installer editor can be installed from "MSI Tools" of Windows SDK.
Using Orca, open the MSI file from the SymADFiles_Cloud files.
Select Apply Transform from the Transform menu, and then choose the MST from the same files.
Go to the Property table, and modify the SHS_PARAM_REDIST_COMMAND_ARGS property to include the desired command-line option(s).
Go to the Transform menu, select Generate Transform, and save the new transform to the same location but with a different file name (e.g. GPO-201611201532-force.mst).
Add your package to the GPO as before, but use the modified MST file.
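Before linking a modified transform, it helps to confirm which command-line options it will actually deliver. The following PowerShell function is an added example, not Symantec code. It applies an MST to the MSI in memory through the Windows Installer automation interface and reads SHS_PARAM_REDIST_COMMAND_ARGS. The function name and the folder path are assumptions.

```powershell
# Added example: show the SHS_PARAM_REDIST_COMMAND_ARGS value an MSI + MST pair will deliver.
function Get-SepTransformArgs {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$MstPath
    )
    $msi = (Resolve-Path -LiteralPath $MsiPath -ErrorAction Stop).Path
    $mst = (Resolve-Path -LiteralPath $MstPath -ErrorAction Stop).Path

    # Late-bound COM call helper for the Windows Installer automation objects.
    $call = {
        param($obj, $member, $kind, $callArgs)
        $obj.GetType().InvokeMember($member, $kind, $null, $obj, $callArgs)
    }
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        # Open mode 0 is read-only: the transform is applied in memory only.
        $db = & $call $installer 'OpenDatabase' 'InvokeMethod' @($msi, 0)
        # Error conditions 0: nothing is suppressed, so a transform that does not
        # apply cleanly to this MSI raises an exception here.
        & $call $db 'ApplyTransform' 'InvokeMethod' @($mst, 0) | Out-Null
        $sql = 'SELECT `Value` FROM `Property` WHERE `Property` = ''SHS_PARAM_REDIST_COMMAND_ARGS'''
        $view = & $call $db 'OpenView' 'InvokeMethod' @($sql)
        & $call $view 'Execute' 'InvokeMethod' $null | Out-Null
        $record = & $call $view 'Fetch' 'InvokeMethod' $null
        $value = if ($record) { & $call $record 'StringData' 'GetProperty' @(1) } else { $null }
    } finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
    # Options named in the article that change uninstall/upgrade behaviour.
    $found = @('-force', '-refreshall', '-refresh' | Where-Object {
        $value -and $value -match ('(^|\s){0}(\s|$)' -f [regex]::Escape($_)) })
    [pscustomobject]@{ Transform = Split-Path $mst -Leaf; CommandArgs = $value; Options = $found }
}

# Constructed folder path; the file names follow the article's examples.
$dir = 'C:\Deploy\SymADFiles_Cloud'
if (Test-Path -LiteralPath "$dir\SYMGroupPolicyDeployment.msi") {
    Get-SepTransformArgs "$dir\SYMGroupPolicyDeployment.msi" "$dir\GPO-201611201532-force.mst"
}
```

Running it against both the original and the modified transform shows exactly which options the edit added, which is worth reviewing before a GPO pushes a transform that uninstalls or upgrades other versions.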