Group Policy Startup Script Unreliable
#1
Scooby Regular
Thread Starter
Join Date: Apr 2004
Location: Cardiff
Posts: 1,928
Hello all,
We are currently switching our Anti-Virus solution from Symantec to Kaspersky. To do this we need to take Symantec off the machines and install Kaspersky once it's been taken off. Kaspersky is installed via Group Policy as per their guide. Once Symantec is taken off, a file is copied to the machine; I apply a WMI filter to the group policy that looks for this file.
Installation / Uninstallation
This works great and hasn't failed on me... yet.
My problem lies in taking off Symantec; to do this I am using a startup script. I also apply a WMI filter to this that looks for the "Symantec Antivirus" service before it runs. The script so far is below:
NET STOP "Symantec AntiVirus"
NET STOP "DefWatch"
"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U /q
c:\windows\system32\reg.exe DELETE "HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\Current Version\AdministratorOnly\Security" /v UseVPUninstallPassword /f
c:\windows\system32\msiexec /X {2085C617-589C-40F8-BE40-EDBC9E2CA2EB} REBOOT=ReallySuppress /qn
echo "uninstall endpoint first, started main installation kasper" >> \\server\KasperDeploy\logs\machine.%1.log
date /T >> \\server\KasperDeploy\logs\machine.%1.log
PING -n 30 127.0.0.1>nul
time /T >> \\server\KasperDeploy\logs\machine.%1.log
netsh firewall delete portopening tcp 2967
IF NOT EXIST "%systemdrive%\program files\Symantec Antivirus\VPC32.exe" copy \\kasperserver\KLSHARE\Packages\KAV6-Workstation\desav.txt %windir%\
shutdown -r -t 900 -c "ANTIVIRUS SOFTWARE HAS BEEN INSTALLED, PLEASE REBOOT YOUR MACHINE, MACHINE WILL REBOOT IN 15 MINUTES :-)"
My problem with this is that the shutdown message often does not display and the machine is left with an Anti-Virus product on it for a considerable time. Please note we MUST prompt the user to shut down the machine and cannot do it automatically (politics and red tape); a 15 minute timer is a compromise. A VB script may be better here but I am not fluent in VB at all. So does anyone know how I can make this script more reliable and always display the shutdown message?
Last edited by mike1210; 24 February 2009 at 10:52 AM.
#2
Scooby Regular
Join Date: May 2002
Location: Liverpool
Posts: 3,229
Why not change the script so it displays a message to the user along the lines of
"Anti-Virus software is about to be installed on your computer. Your PC will require a reboot....please save all open documents and press any key"
then run your script without the timer on the shutdown command
There's a utility called DisplayMessage.exe which will allow you to display message boxes from a batch file, you can configure buttons and ensure it always has focus...see options below...
C:\WINDOWS\Utils>displaymessage /?
Displays the specified message and returns the selected button in ERRORLEVEL.
DisplayMessage "text" "title" style
Common styles (which can be combined) are:
OK = 0
OKCANCEL = 1
ABORTRETRYIGNORE = 2
YESNOCANCEL = 3
YESNO = 4
RETRYCANCEL = 5
ICONSTOP = 16
ICONQUESTION = 32
ICONEXCLAMATION = 48
ICONINFORMATION = 64
SETFOREGROUND = 65536
TOPMOST = 262144
SERVICE_NOTIFY = 2097152
Possible return values are:
1=OK 2=CANCEL 3=ABORT 4=RETRY 5=IGNORE 6=YES 7=NO
Last edited by Hanley; 24 February 2009 at 12:52 PM.
#3
Scooby Regular
Join Date: Jul 2004
Location: There on the stair
Posts: 10,208
You've missed the GPO setting to display start up and shut down scripts. It's under Computer Configuration, Administrative templates, System, Scripts
Run startup scripts visible and set to Enabled.
If this was Experts Exchange I'd get 2000 points for that
Last edited by Kieran_Burns; 24 February 2009 at 01:27 PM.
#4
Scooby Regular
Join Date: Jul 2004
Location: There on the stair
Posts: 10,208
Incidentally, as an addendum. I found it useful to echo a bunch of messages to screen while the scripts run.
Stuff like:
Your Anti Virus Product is being updated, please be patient. Your pc will require a reboot at the end of the process
... stopping services...
uninstalling old product
performing clean up tasks
Installing updated Anti Virus
testing installation
Prompt for restart
People like to see things happening and if it hangs you can ask what is the last message on the screen for troubleshooting
Oh, and I **guarantee** that you'll get calls with the last message being "ANTIVIRUS SOFTWARE HAS BEEN INSTALLED, PLEASE REBOOT YOUR MACHINE, MACHINE WILL REBOOT IN 15 MINUTES :-)"
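The advice in posts #3 and #4 applied to the startup script from post #1, as an added example that is not any poster's own code: progress messages are echoed for the visible script window, the msiexec exit code is logged, and the marker file is copied only once the removal has been verified. The service names, product code, share paths and shutdown message are the ones quoted in post #1; the LOG and VPC variables, the labels and the use of %COMPUTERNAME% in the log name (the original uses %1) are assumptions.

```bat
@echo off
rem Added example, not the thread starter's script. Paths, service names and
rem the product code come from post #1; LOG, VPC and the labels are assumptions.
setlocal
set "LOG=\\server\KasperDeploy\logs\machine.%COMPUTERNAME%.log"
set "VPC=%systemdrive%\program files\Symantec Antivirus\VPC32.exe"

echo Your Anti Virus product is being updated, please be patient.
>> "%LOG%" echo %date% %time% removal started

echo ... stopping services ...
net stop "Symantec AntiVirus" >nul 2>&1
net stop "DefWatch" >nul 2>&1

echo ... uninstalling old product ...
rem start /wait makes the script block until Windows Installer has finished,
rem so errorlevel holds the real msiexec exit code.
start /wait "" "%windir%\system32\msiexec.exe" /X {2085C617-589C-40F8-BE40-EDBC9E2CA2EB} REBOOT=ReallySuppress /qn
set "RC=%errorlevel%"
>> "%LOG%" echo %date% %time% msiexec exit code %RC%

rem Windows Installer codes: 0 = success, 3010 = success but reboot required,
rem 1605 = product not installed. Anything else is treated as a failure.
if "%RC%"=="0" goto verify
if "%RC%"=="3010" goto verify
if "%RC%"=="1605" goto verify
echo ... uninstall failed, code %RC% ...
>> "%LOG%" echo %date% %time% FAILED, marker file not copied
exit /b %RC%

:verify
echo ... testing removal ...
if exist "%VPC%" (
    >> "%LOG%" echo %date% %time% VPC32.exe still present, marker file not copied
    exit /b 1
)
rem Only now drop the file that post #1 copies after Symantec has been removed.
copy /y \\kasperserver\KLSHARE\Packages\KAV6-Workstation\desav.txt "%windir%\" >nul
>> "%LOG%" echo %date% %time% Symantec removed, marker file copied

echo ... done, prompting for restart ...
shutdown -r -t 900 -c "ANTIVIRUS SOFTWARE HAS BEEN INSTALLED, PLEASE REBOOT YOUR MACHINE, MACHINE WILL REBOOT IN 15 MINUTES :-)"
endlocal
```

The echoed lines are only seen by a user when the "Run startup scripts visible" policy from post #3 is enabled; the log entries on the share are written either way.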
#5
Scooby Regular
Thread Starter
Join Date: Apr 2004
Location: Cardiff
Posts: 1,928
I have now got the script to take off Symantec and install Kaspersky Anti-Virus in the one GPO, even though it installs Kaspersky BEFORE Symantec is taken off... and yes, I know that's the wrong way around. I think it works as the Kaspersky engine isn't fully started anyway until it's rebooted, and by then Symantec "should" be fully removed. I have had a few tests where it didn't though, which could be problematic. I will need to test in a lab with 30 computers all at the same time to put the server under a bit of load.
Hanley: Good idea but I don't trust the users to run the program, cheers for the pointer though
Cheers for the tips guys
#6
Scooby Regular
Also, if you have several scripts running at the same time, i.e. called for the same location, the local processing of them can become unreliable, as they get processed in different orders.
There is a GPO setting that sets them to run synchronously, which MS take to mean one after the other, although being a slight pedant it actually means they should run together, if you get my meaning.