Endpoint Protection

Good morning guys,

I'm trying to remove features from an exisitng SEP 12.1.4 client installation using the automatic client deployment features in SEPM. What happened is we deployed the 12.1.4 client over the top of the existing 12.1.2 clients using the auto-deployment feature and things went well (to our test group).  I didn't realise however that I had included the Outlook features and the Firewall features in this install.

No problem I thought,  just follow the instructions for re-deploying the client features to remove the ones we want.  This seems to not work as expected and I cant figure out why.

To try and remove these features I've done these steps:

1. Remove Install Packages from client group
2. Create a new install feature set (Minus Outlook and Firewall Components)
3. Add a new install package for the group using the new feature set
4. 'Update Content' on the group
5. Force a few test clients to contact the SEPM immediately to get the new policy

The deployment settings are set to go immediately but none of them seem to go.  If I upgrade an old client (12.1.2) with the new client and feature set,  this works as expected.  I've left the clients for more than 24 hours with still no change.

So basically my question is - Am I missing some steps to force an exisiting client to remove features using the same deployed version?

Did you follow the steps outlined here?

How to add or remove features to existing Symantec Endpoint Protection (SEP) client installations

I did,  thats where I began,  I should have linked it in the first post.  I've followed them to the letter.

During testing I noticed that in some cases MSIEXEC was launched on the clients,  but no change was effected (even over night).  The client logs don't seem to report anything as far as the feature change and the SEPM monitor reports 'Success' when the instructions are sent.

Any change after a reboot?

You can post SEP_INST.log file located in %temp% directory for review if you wish.

No change after a reboot unfortunatley or restarting the SMC process directly.  Though I did notice that MSIEXEC will run again after the reboot, with the same result.

The log file doesn't seem to be created,  the setting is there (as default) to the %TEMP% directory,  but nothing is created.

I've just grabbed a fresh laptop and ran through from start to finish and getting the same result:

1.  Deploy 12.1.2 (with firewll and outlook component)
2. Upgrade to 12.1.4 using auto-deploy (with firewall and Outlook component)
3. Remove Install package and follow instructions on the page you linked, minus firewall and outlook
4. MSIEXEC starts and then just hangs there with no CPU or memory usage, seemingly indefinitely

No log created,  nothing in the client side logs etc.

EDIT:  The Windows Applciation event logs do show the MSIEXEC transaction completing however there is a message inbetween the start and end with EventID 11729 "Product: Symantec Endpoint Protection -- Configuration Failed."

EDIT 2: I've also just tested going directly from 12.1.2 (with all features) --> 12.1.4 (with limited features) and the features are removed correctly.  This will cover the majority of the rollout as it was only our test groups that got 12.1.4 with full features however I would like to sort this out as we will be changing the feature set in the future.

Is there a SIS_INST.log file created in %AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\%currentversion%.105\Data\Install\logs

What logs do I need to gather in order to troubleshoot a failed SEP 12.1 client installation?

Cant beleive I have forgotten to thank you so far,  but thanks for the help and extra eyes!

Log you mentioned exists, though the date is months ago (when the image was created with the original 12.1.2 installation), nothing to mention anyhting about the upgrade to 12.1.4  in that or any of the other logs mentioned in the article.

No worries, always happy to help

I'm starting to wonder if this is a bug of some sort...usually, this is a cut and dry process. One other thing to verify, the correct packge is being applied, meaning 32 bit to x86 OS and 64 bit to x64 OS...I'm starting to run out of ideas

I thought that also,  so I created a test group with only x64 clients and only added the x64 package... same result unfortunately.

I did notice something in the client details in SEPM:

According to this it is rejecting the update... strange.

I'll also attach the debug logs though it looks like I might be logging a bug with Symantec.

Attachment(s)

debug_18.txt   319 KB 1 version

Check this link:

https://www-secure.symantec.com/connect/forums/problem-upgrade-clients-sep121#comment-6126291

Read thru Elisha's comments, particularly the first two, and see if that helps.

In case anyone else is looking into this same issue,  it appears that adding OR removing any components with the automatic mehtod is causing the MSIEXEC process (and Installer service) to go haywire and hang,  not just for SEP but in general.  

Other apps are not able to be added or removed until SEP is cleanwiped and the Installer service manually restarted.

Still no idea to the underlying cause,  I thought it might have something to do with the Applciation control module but even with that removed it no longer works.  So testing both of the following comes to the same result:

1. Manually install fresh SEP 12.1.4 (minus Outlook, Firewall and Application control modules)
2. Add to testing group
3. Add a new installation package for 12.1.4 with the same features except including the Outlook module (though it is the same no matter what module is chosen)
4. Update content on client
5. MSIEXEC starts but just hangs, Eventlog error mentioned above occurs and nothing happens.
6. Restart and SEP is not functioning correctly,  trying to access the GUI results in the message that the services are not started correctly.

Doing the same process in reverse results in the same issue (i.e installing with all the features and then trying to remove some).

This doesn't happen in an 'upgrade' scenario where the client is 12.1.1 or 12.1.2 and then going to 12.1.4 with a different feature set.  The installation is successful and the relevent features are either added or removed.

I think I'll need to log a bug with the support team.

Absolutely, please call up support. If you can, keep this thread updated. Would be interested in what's going on.

Ahhh finally!

Solved it.  I disabled two settings:

1. Tamper protection
2. Uninstall password

I noticed an error in one of the logs mentioning the uninstall password (though notihing specifically regarding the failure).  I cant confirm which one fixed it but I suspect it was the tamper protection.

So disabling the password and tamper protection on my test group and I can now add / remove features silently from machines with no issues.

Thanks again for your help!  Hope this thread can save someone else a bit of time!

Awesome, glad it's working.

What's interesting is I have both of these enabled and never had an issue. Have yet to try with RU4 though...

It is very strange, especially since if it was upgrading a previous version it worked without a problem.  Only 'updating' the same version.

I've just temporarilty disabled it on my test groups,  then once the upgrade completes I just re-enabled it.

You need to Uncheck "Maintain existing client features when updating" option from install packages wizard, and select the feature set which created without the feature you not required, while assigning packages to the groups.