Remote Cloud installation via GPO

Hello all,

I am having issues rolling out our AV via GPO/script. I followed KB:120611

https://community.sophos.com/kb/en-us/120611

What seems odd to me is, it works on some machines "Very few" but then on others not at all. I am at a point now where looking into SCCM might be an option since it has other useful benefits as a solution but figured I would ask the community here to see what anyone has done to resolve this?

Here is our exact script:
_____________________________________________________________________

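@echo off
rem Path of the MCS client relative to Program Files; its presence means "already installed"
SET MCS_ENDPOINT=Sophos\Management Communications System\Endpoint\McsClient.exe
rem On 32-bit Windows check %ProgramFiles%; otherwise check %ProgramFiles(x86)%
IF "%PROCESSOR_ARCHITECTURE%" == "x86" GOTO X86_PROG
IF NOT EXIST "%ProgramFiles(x86)%\%MCS_ENDPOINT%" GOTO INSTALL
exit /b 0

:X86_PROG
IF NOT EXIST "%ProgramFiles%\%MCS_ENDPOINT%" GOTO INSTALL
exit /b 0

:INSTALL
rem Copy the installer from the NETLOGON share to a local folder, then run it silently
mkdir C:\sophos
cd /d C:\sophos
copy "%logonserver%\netlogon\_Locations\_General\AV\SophosInstallFull.exe" "C:\sophos\SophosInstallFull.exe"
SophosInstallFull.exe -q -tps remove
goto end

:end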

_____________________________________________________________________

We have the script being called via GPO during PC startup since most of our users do not have local administrator. Some of the PCs also have the older endpoint installed; via documentation I am under the impression "-tps remove" should take care of that?

Appreciate any help on this!



This thread was automatically locked due to age.
  • So the script is running as SYSTEM being a startup script.  Under \windows\temp you should have a bootstrap log.  

    For a failing computer, what's in that?

    I assume that SophosInstall.exe is run?

    If not, could it be that as the SYSTEM account
    "%logonserver%\netlogon\_Locations\_General\AV\SophosInstallFull.exe" 
    is failing to "resolve" or there are permission issues?

    I would suggest as a test, on a computer you suspect to fail.  Run Process Monitor (technet.microsoft.com/.../processmonitor.aspx) and perform a boot trace.  
    I would advise removing, to enable the System process from the default filter.

    You will then see if:
    1. The batch file is launched.
    2. If the environment variable you're relying on, i.e. %logonserver% is available to the process.  
    3. There is an issue copying the file for say permissions.

    Other than that, maybe echo out to a file to prove that the batch file is indeed running.

    Regards,

    Jak

  • Jak,

    Appreciate the tips, not sure why I didn't think of adding a simple output to the script as well. After doing that I was able to see it was working as intended but bombed out at copying the .exe over to the local machine. After looking into permissions a bit more you nailed it! The system account wasn't able to access our netlogon directory. I made it easy on myself and moved the .exe file to the GPO directory via AD which already allows "Domain Computers" access and this solved my problem!


    Thanks again!
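
Added example, not part of the original thread and not Sophos's own script: the startup script with the logging Jak suggested and the relocation the poster settled on. It assumes SophosInstallFull.exe sits in the same GPO startup-script folder as this batch file (so `%~dp0` resolves to it); the log file name and exit codes are made up for this example.

```batch
@echo off
setlocal
rem Added example. Assumption: the installer is stored beside this script in the
rem GPO's startup-script folder, which computer accounts can already read.
set "LOG=%SystemRoot%\Temp\sophos_gpo_install.log"
set "SRC=%~dp0SophosInstallFull.exe"
set "DEST=C:\sophos"
set "MCS_ENDPOINT=Sophos\Management Communications System\Endpoint\McsClient.exe"

rem Prove the script ran, and record the account and environment it ran with
>>"%LOG%" echo ==== %DATE% %TIME% startup script launched on %COMPUTERNAME%
for /f "delims=" %%U in ('whoami') do >>"%LOG%" echo Running as: %%U
if defined LOGONSERVER (>>"%LOG%" echo LOGONSERVER=%LOGONSERVER%) else (>>"%LOG%" echo LOGONSERVER is not defined for this process)

rem Same "already installed" test as the original script
set "PF=%ProgramFiles%"
if defined ProgramFiles(x86) set "PF=%ProgramFiles(x86)%"
if exist "%PF%\%MCS_ENDPOINT%" (
    >>"%LOG%" echo MCS client already present, nothing to do
    exit /b 0
)

rem Fail loudly if this account cannot see the installer on the share
if not exist "%SRC%" (
    >>"%LOG%" echo ERROR: "%SRC%" is not visible to this account, check the path and share/NTFS permissions
    exit /b 2
)

rem Copy locally and keep copy's own output, including any "Access is denied"
if not exist "%DEST%" mkdir "%DEST%"
copy /y "%SRC%" "%DEST%\SophosInstallFull.exe" >>"%LOG%" 2>&1
if errorlevel 1 (
    >>"%LOG%" echo ERROR: copy failed with errorlevel %ERRORLEVEL%
    exit /b 3
)

rem Installer switches are the ones used in the original post
"%DEST%\SophosInstallFull.exe" -q -tps remove
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo Installer exited with code %RC%
exit /b %RC%
```

On a machine where the install does not happen, the last lines of the log show whether the script ran at all, which account it ran as, and whether the failure was at the share or inside the installer.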
