Deploying Endpoint Security and Control through Active Directory group policy

  • Article ID: 13090
  • Updated: 19 Jun 2013

You can use Active Directory in Windows Server to configure the group policy applied to a domain, so that Sophos software is automatically deployed to all Windows NT or Windows 2000+ computers that join the domain.

Known to apply to the following Sophos product(s) and version(s)

Sophos Endpoint Security and Control

Operating Systems
2000/XP/2003/Vista/Windows 7/2008/2008 R2

What to do

  1. Install Enterprise Console on your management server as described in the Quick Startup Guide.
  2. Create a batch file to run as a startup script. This checks all computers in the group when they start up, to see if Endpoint Security and Control/Sophos Anti-Virus is installed. Any computers that are unprotected will have Endpoint Security and Control/Sophos Anti-Virus installed.

You can either create a new group policy or you can edit an existing one to incorporate the commands given here.

  1. Click Start | All Programs | Administrative Tools | Active Directory Users and Computers.
    Or
    Click Start | Run | Type: dsa.msc | Press return.
  2. Select the domain name from the left-hand tree.
  3. Right-click the domain name and select 'Properties'.
  4. Select the 'Group Policy' tab.
  5. Select 'New'.
  6. Enter a name for the new Group Policy object (GPO). Example: GPO to deploy Sophos endpoint software via script.
  7. Select the new GPO and click 'Edit'. The Group Policy Object Editor window will open.
  8. In the Group Policy Object Editor in the left pane, browse to Computer Configuration | Windows Settings | Scripts.
  9. On the right-hand side, double-click 'Startup'.
  10. In the 'Startup Properties' dialog box, click 'Show Files'.
  11. In the window that opens, right-click and select New | Text Document.
  12. Rename this file to 'InstallSAV.bat'.
  13. Right-click on 'InstallSAV.bat' and select 'Edit'.
  14. Edit the file as follows:

    Note: Read the instructions on editing the script.

    • To deploy to Windows 2000/XP/2003, enter the commands shown below
    • To deploy to Windows NT, use the same commands, but substitute ESNT for SAVSCFXP.
    • The subscription folder number (shown as 'Sxxx' in the script below) should be changed to your associated subscription number.

    @ECHO OFF
    REM --- Check for an existing installation of Sophos AutoUpdate on 32-bit (the 'Sophos AutoUpdate Service' process)
    IF EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
    REM --- Check for an existing installation of Sophos AutoUpdate on 64-bit (the 'Sophos AutoUpdate Service' process)
    IF EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" goto _End
    REM --- Check for an existing installation of Sophos Anti-Virus on 2003/XP (the SAV adapter config file)
    IF EXIST "C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End
    REM --- Check for an existing installation of Sophos Anti-Virus on Vista+ (the SAV adapter config file)
    IF EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End
    REM --- Deploy to Windows 2000/XP/2003/Vista/Windows7/2008/2008-R2
    \\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP\Setup.exe -updp "\\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP" -user USER -pwd PWD -mng yes
    REM --- End of the script
    :_End

    Insert the relevant value names as follows:
    • SERVER is the name of the server that the distribution point resides on. Typically this is the server on which the console is installed.
    • USER is the username of a user that has rights to access the files in the distribution point.
    • PWD is the password of the above user.
      Note: If you do not want to use a username and password in plain text in this startup script, you can obfuscate the username and password.
    Insert the command line parameters as follows:
    • The '-updp' parameter defines the primary update location. This can also be an HTTP address.
    • The '-mng' parameter defines whether the installation will be managed by an installation of the console. If you will not use the console to manage the computers, this parameter should have the value 'no'.
    For more information, see command line parameters used by setup.exe.
  15. Save the file and close the window you were working in.
  16. In the Startup Properties dialog box, click 'Add'.
  17. In the 'Add a Script' dialog box, click 'Browse'.
  18. Select the file 'InstallSAV.bat' and click 'Open'.
  19. Click OK | Apply | OK.

Note: This script will run on every subsequent start-up unless you remove it after the initial deployment of Endpoint Security and Control.

Instructions on editing the script

When editing these scripts, please note the following:

  • When you type a command into the editing window, the whole command must be on one line.
  • If you insert a line break, the command will not run.
  • You must disable word wrap.

Commands displayed in this article may appear to span more than one line; this is due to text wrapping in this window. The text editor you use in the above procedure is not constrained in this way, provided word wrap has been disabled. In every example given here, the text:

\\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP\Setup.exe -updp "\\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP" -user USER -pwd PWD -mng yes

...must all be on one line.
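An added check, not from the Sophos article, that a GPO administrator can run after step 14 to catch the two problems described here: a plain-text '-pwd' value left in the startup script (see the note under step 14), and a Setup.exe command that has been wrapped onto more than one line. It assumes it runs on a domain-joined host with read access to SYSVOL; the script root path and the function name are ours, not Sophos's.

```powershell
# Added example, not part of the Sophos article: audit the Machine startup scripts of every GPO in
# SYSVOL for the two pitfalls this article raises, a plain-text '-pwd' value (SYSVOL is readable by
# every domain member) and a Setup.exe command wrapped onto more than one line. The SYSVOL layout is
# the standard one; the domain is taken from the environment (assumption: domain-joined host).
$Domain     = $env:USERDNSDOMAIN
$ScriptRoot = "\\$Domain\SYSVOL\$Domain\Policies"

function Test-SophosStartupScript {
    param([Parameter(Mandatory)][string]$Path)
    $lines    = @(Get-Content -LiteralPath $Path)   # @() so a one-line file is still an array
    $findings = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        # Finding 1: '-pwd' followed by anything other than the article's PWD placeholder means a
        # real password is sitting in the script.
        if ($line -match '\s-pwd\s+(\S+)' -and $Matches[1] -ne 'PWD') {
            $findings += [pscustomobject]@{ Line = $i + 1; Issue = 'Plain-text password in -pwd argument' }
        }
        # Finding 2: a Setup.exe line with an odd number of double quotes is the wrapped form shown
        # in the article (the -updp path opens a quote that only closes on the next line), so the
        # command will not run.
        if ($line -match 'Setup\.exe' -and ([regex]::Matches($line, '"').Count % 2) -ne 0) {
            $findings += [pscustomobject]@{ Line = $i + 1; Issue = 'Setup.exe command split across lines' }
        }
    }
    return $findings
}

# Each GUID-named folder under Policies is one GPO; its machine startup scripts live in a fixed subfolder.
Get-ChildItem -LiteralPath $ScriptRoot -Directory | ForEach-Object {
    $gpoGuid = $_.Name
    $startup = Join-Path $_.FullName 'Machine\Scripts\Startup'
    if (-not (Test-Path -LiteralPath $startup)) { return }   # GPO has no startup scripts
    Get-ChildItem -LiteralPath $startup -File |
        Where-Object { $_.Extension -in '.bat', '.cmd' } |
        ForEach-Object {
            $script = $_
            foreach ($f in Test-SophosStartupScript -Path $script.FullName) {
                [pscustomobject]@{ GPO = $gpoGuid; Script = $script.Name; Line = $f.Line; Issue = $f.Issue }
            }
        }
}
```

A script that reports no rows is well-formed on both counts; a 'Plain-text password' row is the cue to apply the obfuscation mentioned in the note under step 14 rather than leaving the credential in SYSVOL.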

How to exclude certain computers from running the script

The following startup script provides an example of how to exclude two computers, called SERVER1 and SERVER2, from installing via this script.

  1. Get the exact hostname of the computer(s) to be excluded:
    1. Go to each computer that you would like to omit and open a command prompt (Start | Run | Type: cmd.exe | Press return).
    2. Type the following command, and then press the enter key:
      SET
    3. In the list of environment variables that is returned, look for the 'COMPUTERNAME=' entry.
    4. Record the exact hostname that is displayed after the equals symbol (=).
  2. Use the hostnames recorded above in place of 'SERVER1' and 'SERVER2' below.
    @ECHO OFF
    REM --- Check for an existing installation of Sophos AutoUpdate on 32-bit (the 'Sophos AutoUpdate Service' process)
    IF EXIST "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
    REM --- Check for an existing installation of Sophos AutoUpdate on 64-bit (the 'Sophos AutoUpdate Service' process)
    IF EXIST "C:\Program Files (x86)\Sophos\AutoUpdate\ALSVC.exe" goto _End
    REM --- Check for an existing installation of Sophos Anti-Virus on 2003/XP (the SAV adapter config file)
    IF EXIST "C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End
    REM --- Check for an existing installation of Sophos Anti-Virus on Vista+ (the SAV adapter config file)
    IF EXIST "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\SAVAdapterConfig" goto _End
    REM --- Check for servers not to install to
    if /I "%COMPUTERNAME%"=="SERVER1" goto _End
    if /I "%COMPUTERNAME%"=="SERVER2" goto _End

    REM --- Deploy to Windows 2000/XP/2003/Vista/Windows7/2008/2008-R2
    \\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP\Setup.exe -updp "\\SERVER\SophosUpdate\CIDs\Sxxx\SAVSCFXP" -user USER -pwd PWD -mng yes
    REM --- End of the script
    :_End

If you need more information or guidance, then please contact technical support.
