This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deploying via GPO software installation

Hello,
I am looking at automating the Safeguard install for our institution through Group Policy using a software installation GPO. But I cannot pass the MSIEXEC commands this way - a transform / MST file must be created. How do I translate the MSIEXEC commands into the parameters I need to change in the MST?



This thread was automatically locked due to age.
  • I'm not super familiar with Safeguard but one way is to use Orca to create a MST.  A quick Google for MSI ORCA Transform has thrown up this:

    http://tonyle.ca/blog/?p=33

    There are plenty of pages detailing this approach:

    http://www.geekshangout.com/customising-an-msi-install-using-orca/

    I hope it's of use.

    Regards,

    Jak

  • Thank you Jak, I did grab Orca earlier today, but I am having trouble finding the right parameters to modify to mimic the MSIEXEC command below,

     

    msiexec /i [install location]\SGNClient_x64.msi /qn /log C:\Temp\SGNClient.log ADDLOCAL=Client,CredentialProvider,BaseEncryption,SectorBasedEncryption Installdir=C:\Program Files\Sophos\SafeGuard Enterprise

     

    I managed to find instances of ADDLOCAL but I don't know if it's the right spot to modify. Has anyone here done this with Orca?

  • It looks like you need to set two Properties:

    ADDLOCAL

    Installdir

    You should find these in the Property Table, if not you can add them.

    Once you have generated the MST and applied it to the MSI, for a test install, you can check the MSI log file (in the example above: C:\Temp\SGNClient.log) to see that the Properties have been set.

    Regards,

    Jak

  • Thanks for that, but I think I am going to try another method. Apparently, according to Sophos support, using Group Policy is not supported. Even though right in the Administrator guide it mentions centrally deploying through GPO. But, the recommended method is manual....I am not sure how organizations with hundreds of PCs deploy this product but they sure aren't doing it manually.

  • Hi Sandra - We've created an EXE that ...

     

    Changes PC Name

    Disables local accounts

    Reboots

    Binds to AD (with encrypted embedded creds)

    Reboots

    Installs Inventory software

    Installs Sophos SafeGuard (with MSI switches)

    Reboots

     

    It's a bit long winded and can cause some issues as there's a lot of varied hardware but generally it works well. There's just a few questions for the technician to do and then it's all automated. If our laptops were AD already (they're workgrouped in different groups) and don't have a image/software build on them either) we would go down the AD/GPO route but this was our best solution given our environment challenges!

  • I got it to work by using 4 gpo's.

    first 3 gpo's in order: preinstall, client, config install the basic applications.

    Then the forth gpo contains a startup script which checks for a specific dll that is installed as an option.

    If the dll is missing it starts the client msiexec again including the addlocal options.

  • Could you share some more details on those GPOs?

     

    I'm trying to accomplish the same thing and so far I can get the Pre-install to work, but the Client install and Configuration install don't run. They do create logs files, but those logs are empty.

  • What's causing your empty logs i don't know.
    Have you set the option "Always wait for the network at computer startup and logon" in your GPO?
    Make sure the computer reboots after each install.

    For us in practice there was a problem, if you use gpo's for installation the computer gets no owner, because gpo installation occurs before login.
    Which caused the issue that we were unable to log on to the computer. So in the end i decided to install the msi's by script and not to use gpo's.

  • Mind sharing how you set up the scripts?

     

    My empty logs were due to typos. Right now I've managed to get the pre-install and the client install working, but running into issues with the configuration.

  • sure...
     
    the SGN install is part of a larger install script. Here's the SGN part.

    I basically have two scripts for installation; 1st part installs the pre-install and the client:

    msiexec /i  \\server\SoftwareDeployment\SGN\SGxClientPreinstall.msi /qn /log C:\logs\SGxClientPreinstall.log
    msiexec /i \\server\SoftwareDeployment\SGN\SGNClient_x64.msi /qn /log c:\logs\SGNClient.log ADDLOCAL=Client,CredentialProvider,BaseEncryption,SectorBasedEncryption,LocationBasedEncryption,SecureDataExchange,CloudStorage

    after a reboot the second script kicks off:
    msiexec /i  \\server\SoftwareDeployment\SGN\ConfigPackage.msi /qn /log C:\logs\SGNConfig.log
     
    See if this helps you.