|
Group Policy Startup Script Unreliable
Hello all,
We are currently switching our Anti-Virus solution from Symantec to Kaspersky. To do this we need to take Symantec off the machines and install Kaspersky once it's been taken off. Kaspersky is installed via Group Policy as per their guide, once symantec is taken off a file is copied is copied to the machine, I apply a WMI filter to the group policy that looks for this file Installation / Uninstallation This works great and hasnt failed on me......yet:) My problem lies in taking off symantec, to do this I am using a startup script. I also apply a WMI filter to this that looks for the "Symantec Antivirus" service before it runs. Script so far is below NET STOP "Symantec AntiVirus" NET STOP "DefWatch" "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U /q c:\windows\system32\reg.exe DELETE "HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\Current Version\AdministratorOnly\Security" /v UseVPUninstallPassword /f c:\windows\system32\msiexec /X {2085C617-589C-40F8-BE40-EDBC9E2CA2EB} REBOOT=ReallySuppress /qn echo "uninstall endpoint first, started main installation kasper" >> \\server\KasperDeploy\logs\machine.%1.log date /T >> \\server\KasperDeploy\logs\machine.%1.log PING -n 30 127.0.0.1>nul time /T >> \\server\KasperDeploy\logs\machine.%1.log netsh firewall delete portopening tcp 2967 IF NOT EXIST "%systemdrive%\program files\Symantec Antivirus\VPC32.exe" copy \\kasperserver\KLSHARE\Packages\KAV6-Workstation\desav.txt %windir%\ shutdown -r -t 900 -c "ANTIVIRUS SOFTWARE HAS BEEN INSTALLED, PLEASE REBOOT YOUR MACHINE, MACHINE WILL REBOOT IN 15 MINUTES :-)" My problem with this is that the shutdown message often does not display and the machine is left with an Anti-Virus product on it for a considerable time. Please note we MUST prompt the user to shutdown the machine and cannot do it automatically (politics and red tape), a 15 minute timer is a compromise. A VB script may be better here but I am not fluent in VB at all. So does anyone know how I can make this script more reliable and always display the shutdown message:) |
Why not change the script so it displays a message to the user along the lines of
"Anti-Virus software is about to be installed on your computer. Your PC will require a reboot....please save all open documents and press any key" then run your script without the timer on the shutdown command There's a utility called DisplayMessage.exe which will allow you to display message boxes from a batch file, you can configure buttons and ensure it always has focus...see options below... C:\WINDOWS\Utils>displaymessage /? Displays the specified message and returns the selected button in ERRORLEVEL. DisplayMessage "text" "title" style Common styles (which can be combined) are: OK = 0 OKCANCEL = 1 ABORTRETRYIGNORE = 2 YESNOCANCEL = 3 YESNO = 4 RETRYCANCEL = 5 ICONSTOP = 16 ICONQUESTION = 32 ICONEXCLAMATION = 48 ICONINFORMATION = 64 SETFOREGROUND = 65536 TOPMOST = 262144 SERVICE_NOTIFY = 2097152 Possible return values are: 1=OK 2=CANCEL 3=ABORT 4=RETRY 5=IGNORE 6=YES 7=NO |
You've missed the GPO setting to display start up and shut down scripts. It's under Computer Configuration, Administrative templates, System, Scripts
Run startup scripts visible and set to Enabled. If this was Experts Exchange I'd get 2000 points for that ;) |
Incidentally, as an addendum. I found it useful to echo a bunch of messages to screen while the scripts run.
Stuff like: Your Anti Virus Product is being updated, please be patient. Your pc will require a reboot at the end of the process ... stopping services... uninstalling old product performing clean up tasks Installing updated Anti Virus testing installation Prompt for restart People like to see things happening and if it hangs you can ask what is the last message on the screen for troubleshooting Oh, and I **guarantee** that you'll get calls with the last message being ANTIVIRUS SOFTWARE HAS BEEN INSTALLED, PLEASE REBOOT YOUR MACHINE, MACHINE WILL REBOOT IN 15 MINUTES :-)" |
Originally Posted by Kieran_Burns
(Post 8534626)
Oh, and I **guarantee** that you'll get calls with the last message being ANTIVIRUS SOFTWARE HAS BEEN INSTALLED, PLEASE REBOOT YOUR MACHINE, MACHINE WILL REBOOT IN 15 MINUTES :-)"
I have now got the script to take off Symantec and Kaspersky Anti-Virus in the one GPO even though it installs Kaspersky BEFORE Symantec is taken off:eek: ......and yes I know that's the wrong way around, I think it works as the Kaspersky engine isn't fully started anyway until its rebooted and by then Symantec "should" be fully removed. I have had a few tests where it didn't though which could be problematic. I will need to test in a lab with 30 computers all at the same time to put the server under a bit of load Hanley: Good idea but I don't trust the users to run the program, cheers for the pointer though Cheers for the tips guys:thumb: |
also if you have several scripts running at the same time, i,e, called for the same location, the local processing of them can become unreliable, as they get processed in different orders
there is a GPO setting that sets them to run synchronously, which MS take to mean one after the other, although being a slight pedant it actually means they should run together if you get my meaning |
| All times are GMT +1. The time now is 12:09 PM. |
© 2024 MH Sub I, LLC dba Internet Brands