Endpoint Protection

If you were going to deploy SEP 12.1 RU1 to +/- 14000 users.

Of these users +/- 4000 users will be a mix of Windows 7 32 Bit and 64 Bit machines.

Would you recommend disabling the UAC via a GPO when doing the deployment?

Would SEP 12.1 RU1 be OK when the UAC is enabled - no problems

yes disable the UAC

check this link

 The Symantec Endpoint Protection client will not deploy through the network to a Windows Vista, 7, or Server 2008 system

http://www.symantec.com/business/support/index?page=content&id=TECH165133

Hi TROYC,

It's recommended to disable UAC via GPO when doing the deployment.

Hello,

Preparing Windows Vista, Windows Server 2008, or Windows 7 computers: Windows User Access Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$.

Perform the following tasks:
■ Disable the File Sharing Wizard.
■ Enable network discovery by using the Network and Sharing Center.
■ Enable the built-in administrator account and assign a password to the account.
■ Verify that the account has administrator privileges.

Reference: Steps to prepare computers to install Symantec Endpoint Protection 12.1 client

http://www.symantec.com/docs/TECH163112

Also, check this Thread (Comment from Paul Murgatroyd): https://www-secure.symantec.com/connect/forums/sep-121-uac-prompt

Hope that helps!!

Hi Guys - thanks for the info - it really helps - but here is now where my problem lies - my client does not want to disable the UAC via a GPO or even manually - I know that by not doing this I will run into problems with the deployment of SEP 12.1 RU1 on to +/- 6000 Windows 7 machines - is there not away that one could edit the UAC using GPedit.msc or gpmc.msc and somehow change some of the settings for UAC not to affect the SEP 121.1 RU1  from been deployed incrrectly and once deployed from working correctly - here is an example what I discovered after the SEP 12.1 client agent was installed on a Windows 7 machine which had UAC enabled - when opening the SEP 12.1 client agent... it says FIX ALL - I select FIX ALL - the SEP 12.1 client agent is green, everything works perfectly - put the Windows 7 machine off, swith it back on - when I open the SEP 12.1 client agent up - it then again says FIX ALL - selected FIX ALL again - the SEP 12.1 client agent then is freen again - everything works great untill I either reboot the manchine or swtich it of then switch it back on - the same problem is there - only to find out that if I disable the UAC the SEP 12.1 client agent works as it should - even after reboots and been switched off and then on again.

As I said my client does not want to disabled the UAC !!!!!!!!!!!!!!!!!!!!!!

Regards

Troy

what are the messages that say the end user to fix all?

We need to disable UAC then only it will work.

Please note tis is with UAC enabled - disable the UAC it goes away after the reboot

Hello,

Check this Article:

Error: "Download Insight is disabled" on a managed Symantec Endpoint Protection 12.1 client

http://www.symantec.com/docs/TECH171763

Hope that helps!!

Hi TROYC,

Why don't you schedule reboot during non production hours ?

the reboot is not the problem - it is the UAC which is enabled and as per the client cant be truned off.

Hi.

You do not need to disable UAC. UAC will only deny you the option of remotly deploying using Symantec Deploymnet Wizard (this is not something you will use on 14K computers).

Note that UAC will also disable users from opening the SMC gui.

I have deployed with UAC many times and the only thing you must make sure is that you install with elevated rights.

Regarding the Download Insight option:
You migh get the Download Insight Option error if you have disabled Download insight by policy and not checked the LOCK key next to Download Insight

Torb

.

Pushing out via SCCM without any issue. No need to disable UAC.

I have been testing doing the push from the SEPM console and did not have to disable UAC.   Which if its being done in the system context makes sense. 

SCCM does its deployment in the system context thats why UAC is not an issue when doing the push with it.

I am not that familiar with SCCM - prior to your rollout, did you have a plan in place within SCCM to uninstall SEP on a mass scale in the event you need to rollback?

Depending on the version of SCCM that your running this could be done very easy or it might be a little complex.  

If you have 2012 and the packages are build correctly you might be able to do a roll back just by making the older build superceed the new build.   If SEP provides all the correct information.

If your running an earlier version you would need to build a package to uninstall 12.1 and then another to deploy your previous version.

Ok, that makes sense.  Do you require a password to uninstall?  If so, using SCCM - Are you able to uninstall SEP 12.1 while requiring a password to uninstall on Windows 7? I'm aware that if it was a mass uninstall you would remove the password via policy but for this test the password would still applied.

Ideally (fingers crossed)- I'm hoping you are going to reply that there is a message box prompting to enter the password to begin the uninstall process utilizing the system acct...  But my guess is that the uninstall will hang and you'll never see a prompt box to enter the password. 

Since my users do not have Admin rights to the box they would not be able to remove SEP by them self so I did not feel the need to set a password.   I you do just disable that policy for the time frame your doing the upgrade and you should be fine.

One other thing you might consider is a 3rd party app like Avecto Priviledge Guard that would let you grant Admin rights to the Application and would bypass the UAC. Its a group policy extension that I have used extensively in my organization.  Comes in really handy when you run into those one or two apps that need admin rights to run and you dont want to grant your users full admin rights.

You do not need to disable UAC. make a package with winrar and install through Symantec push deployment tool.