Deploying the Symantec Client via Group Policy (MST Format)

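Recently the company required every user to install the Symantec client. Our current version is Endpoint Protection 12.1.100, so the approach we all thought of was to distribute the software to every domain user's computer through Group Policy software deployment. As we all know, Microsoft released Windows 8 last year, but after installing the Symantec client on Windows 8 it would not open or run properly. After talking to Symantec, we were told that the current Symantec version was not compatible with Windows 8 and that they needed to develop a version that was.

Two months later Symantec released a new version, Endpoint Protection 12.1.2015 (Ru2), which supports Windows 8 and 2012 systems. I was very excited when I saw it, and started upgrading the server and also upgrading the Symantec clients through SEPM policy. There were no major problems after the upgrade, but many users do not install the Symantec client; they say the system runs slower after installing it, so they will not install it. For the annual ISO audit, however, the company requires every user to install it, so in the end we pushed the Symantec client to every domain user through Group Policy. After the push there was a new problem.

When pushing the Symantec client install package, I only wanted the Virus, Spyware, and Download Protection component installed, not the Proactive Threat Protection and Network Threat Protection components. After pushing it through Group Policy, however, I found that it was not installed according to that rule: all three components were installed. With no other option, I called Symantec. They said this problem should not occur, and admitted that version 12.1.1205 has many problems, but said they had not received any similar case. They just shifted the blame, telling me that their product had no problem: installing by double-click gives one component, pushing through Group Policy gives three, and so it must be a Microsoft product problem. I was speechless; honestly, I felt like hitting that engineer... In the end, after some back and forth, they recommended pushing to the clients remotely from the SEPM server, but when I tried that I found problems too: pushing through SEPM has certain requirements, and the client must meet the following conditions: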

– Incorrect user name or password
  This problem can happen if the user name or password that you entered is incorrect. Enter the correct user name and password to solve the problem.
– Simple file sharing is enabled or the “Sharing and security model for local accounts” policy is set to Guest Only
  This problem can occur if Simple File Sharing (or the Sharing Wizard) is enabled on the target computer, or if the client has the “Sharing and security model for local accounts” policy set to Guest Only, the manager is not able to authenticate as Administrator. To solve the problem, read the document Is the “Sharing and security model for local accounts” policy set to Guest Only?
– User Account Control is enabled
  If User Account Control is enabled, the manager may not be able to access the administrative shares C$ and ADMIN$. This can cause remote deployment to fail. See the document Is User Account Control enabled on the client?
– The Administrator account on the target computer does not have a password
  If the Administrator account on the target does not have a password set, authentication will fail. To solve this problem, read the document Does the Administrator account have a password?
– Port 445 is blocked
  If the Microsoft Windows Firewall is not configured to allow File and Printer Sharing (port 445), authentication will fail. To solve this problem, read the document Is the Microsoft Windows Firewall blocking port 445?
– The Remote Registry Service is set to disabled on the client computer
  If the Remote Registry Service is stopped and set to Disabled on the client computer, the manager cannot scan the client registry because the service cannot be started. To solve this problem, make sure that the Remote Registry Service is set either to Manual or Automatic.


The first step is to edit the MSI file with a tool; the tool we use today is the Orca MSI editor.


Next, export the Symantec client install package that contains the MSI file.


– Export the package from SEPM:
In Admin/Install Package/Client Install Packages, select the package and click on “Export Client Install Package”.
Make sure that “Create a single .EXE file for this package” is deselected.
Also, the selection of the features will have no importance for us.
– Open Orca
– Click on File/Open and select the .msi package that you just created (Symantec Antivirus.msi)
– Click on Transform/New Transform
– Go to the “Property” table
– Right-click on the right panel and select “Add Row”
– Enter “ADDLOCAL” in the “Property” field
– Select the “Value” field and enter the features that you want, separated by commas

The list of features can be found in Appendix A of the installation_guide.pdf (Table A-1)
Note: The localized version of the documentation is faulty; refer to the English version of the document.    
For example, if you want to install only the antivirus enter    
If you don’t want to restart the workstations after installation, add a row “REBOOT” with the value “REALLYSUPPRESS” to the Property table.
– Click on Transform/Generate Transform
– Save the transform as “Symantec Antivirus.mst” in the folder that contains the exported package
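
The Orca steps above can also be scripted, which makes the transform reproducible and reviewable for each new package version. The following PowerShell script is an added example, not part of the original post; it drives the Windows Installer automation object (WindowsInstaller.Installer), and the file paths, the working-copy name and the helper functions Invoke-Msi and Set-MsiProperty are assumptions made for illustration.

```powershell
# Added example (not from the original post): build the .mst without the Orca GUI.
param(
    [string]$Msi = 'C:\SEP\Symantec Antivirus.msi',  # assumed path to the exported package
    [string]$Mst = 'C:\SEP\Symantec Antivirus.mst',  # assumed output path, same folder
    [Parameter(Mandatory)]
    [string]$Features   # comma-separated feature names from Table A-1 of the guide
)

# Windows Installer automation objects are late-bound, so call them via InvokeMember.
function Invoke-Msi($Object, [string]$Method, [object[]]$MethodArgs) {
    $Object.GetType().InvokeMember($Method, 'InvokeMethod', $null, $Object, $MethodArgs)
}

# Replace (or create) one row of the Property table.
function Set-MsiProperty($Database, [string]$Name, [string]$Value) {
    $statements = @(
        ('DELETE FROM `Property` WHERE `Property` = ''{0}''' -f $Name),
        ('INSERT INTO `Property` (`Property`, `Value`) VALUES (''{0}'', ''{1}'')' -f $Name, $Value)
    )
    foreach ($sql in $statements) {
        $view = Invoke-Msi $Database 'OpenView' @($sql)
        Invoke-Msi $view 'Execute' $null | Out-Null
        Invoke-Msi $view 'Close' $null | Out-Null
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($view)
    }
}

# Edit a working copy so the exported package itself stays unmodified.
$work = Join-Path $env:TEMP 'sep-modified.msi'
Copy-Item -LiteralPath $Msi -Destination $work -Force
$installer = New-Object -ComObject WindowsInstaller.Installer

$db = Invoke-Msi $installer 'OpenDatabase' @($work, 1)   # 1 = transact mode
Set-MsiProperty $db 'ADDLOCAL' $Features
Set-MsiProperty $db 'REBOOT' 'REALLYSUPPRESS'
Invoke-Msi $db 'Commit' $null | Out-Null
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)

# Diff the modified copy against the original (0 = read-only) and write the transform.
$modified = Invoke-Msi $installer 'OpenDatabase' @($work, 0)
$original = Invoke-Msi $installer 'OpenDatabase' @($Msi, 0)
$changed = Invoke-Msi $modified 'GenerateTransform' @($original, $Mst)
if (-not $changed) { throw 'Databases are identical; no transform was written.' }
Invoke-Msi $modified 'CreateTransformSummaryInfo' @($original, $Mst, 0, 0) | Out-Null
Write-Output "Transform written to $Mst"
```

Before assigning the package in Group Policy, the transform can be checked on one test machine by installing with msiexec /i and the TRANSFORMS= property plus /l*v logging, then confirming in the log that only the intended features were selected.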

Computer Configuration/Software Installation; before configuring it, share the Symantec client install package.


We link the Group Policy to the Dsgrd Computer OU.

This article is reposted from the 51CTO blog of 高文龙; original link: http://blog.51cto.com/gaowenlong/1201837. To repost it, please contact the original author.
