This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Installation Script for Install of Safeguard 7.00

I am looking to centrally deploy safeguard 7.00 client to around 250 Windows 7 Machines using a script within a Machine group policy in active directory.

The Safeguard client comes in 3 msi's, the pre install, the client itself and then the config packagage. I have no scripting experience or knowledge and wondered if someone has something similar that I can use as a base template script for my rollout?

The install ideally would happen on boot and be silent, and ideally would require no restarts.

any ideas or help would be much appreciated.

thanks

:57475


This thread was automatically locked due to age.
  • Hi macca1978,

    SafeGuard will require at least one reboot after installing all components. (reboot is requested after installing the client configuration, the last component).

    I've seen some customers use SCCM as well to deploy out SafeGuard, so that is another option for you if you can't readily create a script.

    Alternatively, Sophos professional services can likely whip up a custom deployment script for your environment.

    Before mass deploying out to your machines, I would heavily recommend you perform some preventative maintenance on your workstations to minimize failure rates. Errors on the disks, incompatible software programs, ect..

    Check out some bullet points below and work through them as best you can.

    • Latest version of SafeGuard is used. (Currently 7.0.0.x) Available from your MySophos account

    • Latest BIOS version has been installed to the device

    • Disable BIOS security measures including 'DriveLock' (HP) and 'Boot protection'. (Generic term)
    • Latest drivers for the machine are installed (Including firmware for HDD's if applicable)
    • Latest Windows updates installed
    • Completing chkdsk %systemdrive% /f /x /v /r, and a defrag against the machine if a mechanical disk is in use.
    • Disabling Windows UAC. (User account control) during the installation of SafeGuard. (Can be re-enabled afterwards)
    • Ensuring SafeGuard/Sophos directories are white-listed in your AV. C:\Program Files (x86)\Sophos and C:\ProgramData\Utimaco (Does not apply to Sophos AV)
    • Removing ExpressCache/Rapid Start software as both have known issues with Full Disk Encryption products
    • Install SafeGuard using the msiexec /i switch using the POADB file in Article 65700 for Non-BitLocker Systems
    • Re-imaging Windows with a clean image directly from Microsoft (Non OEM discs) or internal audited image as a last result if all else fails

    :57520

    Lee Anderson | Manager, Technical Support

    *Sign up for SMS notifications here or check the status of Sophos Central here.

  • Its a bit complicated but you can use Section "9.5.3.3 Command line options for central installation"

    this guide: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sgn_7_ig_eng_installation.pdf?la=en

    I have written a script for our distribution and changed it slightly for you. It installs all three MSI files using the deafult settings, it installs all features and also checks the POACFG. You need to make sure the script is run in the same folder as the MSI files. If you need to hard code the path you can remove "%~dp0" and replace it with the file path. You will also need to rename the third MSI file.

    It will create a folder called C:\Encryption\Logs" which only records errors encountered during the installation process. It changes the power settings so that the device never powers off when plugged into the mains and also reboots the machine once the software is installed.

    MD "C:\Encryption\Logs"

    msiexec /i "%~dp001-SGxClientPreinstall.msi" /quiet /Le c:\Encryption\Logs\01-SGxClientPreinstall.log

    msiexec /i "%~dp002-SGNClient_x64.msi" POACFG="%~dp0POACFG_as_of_6_1x.xml" /quiet /norestart /Le c:\Encryption\Logs\02-SGNClient_x64.log ADDLOCAL=Client,BaseEncryption,SectorBasedEncryption,CredentialProvider,CloudStorage,SecureDataExchange,FileShare /norestart

    msiexec /i "%~dp003-[CHANGE CLIENT CONFIG MSI].msi" /quiet /Le c:\Encryption\Logs\03-clientconfig-sgn.log /norestart

    powercfg -change -standby-timeout-ac 0


    %WINDIR%\System32\shutdown.exe /r /t/ 00

    Between this, the link and some googling on batch commands you should be able to get something to work. At the very least you can make a batch file even if you dont want to deploy centrally.

    ...

    Remember to Kudos if this helps ;)

    ...

    :57666