Silently Deploying Media Encryption
There are two popular deployment methods for large environments, with many alternatives. This guide serves as a quick-start guide, and also provides natively supported methods.
Method 1: Installation via Login Script
Step 1: Creating a Template Installation for Silent Deployment via SMS and Login Script.
To create a standard template installation for silent network deployment:
- Create a shared folder on a Windows machine does not have Endpoint Security Client installed and copy the contents of the Media Encryption folder from the Endpoint Security installation package to this location.
This folder will be referred to as [Path to server ME directory].
Run and type
- In the Command Prompt window type the following command:
>[Path to server ME directory]
\setup.exe /r /f1"[Path to server ME directory]
- There is no space after
setup.iss can be assigned to any existing folder by indicating the path in the quotation marks.
- Follow the installation wizard:
Note - It is important to select NO to a reboot when creating the
Automatic rebooting can be configured by setting BootOption to 3 in the file.
setup.iss will be created in the specified path.
Step 2: Login Script Silent Deployment via Template.
To deploy ME silently using a standard template installation and login script:
Note - Login scripts may be distributed via GPO
- Visual Studio must first be installed on the client. This available in the Endpoint package as
- Distribute the following login script on all the clients on which Media Encryption is desired:
If Not Exist %homedrive%\progra~1\CheckPoint\Pointsec Protector Client\disknet.exe goto Install
start [Path to server ME directory]
\setup.exe /S /f1"[Path to server ME directory]
\install.iss" /f2"c:\ME_status.log" /Z"/RDS"
- The file
ME_status.log will be created in the
root c: directory.
A successful installation will be indicated by ResultCode=0 in the file
Note - Other results include:
- 1 General error.
- 2 Invalid mode.
- 3 Required data not found in the Setup.iss file.
- 4 Not enough memory available.
- 5 File does not exist.
- 6 Cannot write to the response file.
- 7 Unable to write to the log file.
- 8 Invalid path to the InstallShield Silent response file.
- 9 Not a valid list type (string or number).
-10 Data type is invalid.
-11 Unknown error during setup.
-12 Dialogs are out of order.
-51 Cannot create the specified folder.
-52 Cannot access the specified file or folder.
-53 Invalid option selected.
Method 2: Deploy ME MSI client using GPO
To deploy ME MSI client silently using Group Policy Object (GPO):
- Into a shared network path, copy the entire ME client package directory located on the Endpoint Security client ISO
vc90rt.msi from the SecureAccess folder on the ISO, to the same shared network path.
- You may use the
default.xml file provided. Or modify a default profile on the ME Administrator Console and export it to over-write the original
- Edit the desired
default.xml by looking for the value "disableModules param="11" or "8" value and changing it to "1"
Note - This step is necessary in order to be able to uninstall via GPO.
- Perform customization of the ME client package by:
Config.ini to define Server Name, Port used, and users allowed to uninstall sk37805
CheckDat.xml if needed
- To create a Group Policy, use the AD User and Computers application.
- Create a group to which the Group Policy will apply.
- Assign Computers to Group.
- Create a Group Policy Object at the Domain Level.
- Edit the GPO.
- Under "Software Installation", add the following three packages:
- Select the
ISScript8.msi and select "Assigned" as the Deployment method
- Select Check Point Endpoint Security Media Encryption Client.msi click "Open" and select "Advanced":
- Deployment tab: make sure to check "Uninstall this application when it falls out of scope of management" to be able to uninstall the client
- Modifications tab: add the included transform file Protector Client GPO.mst
vc90rt.msi and select "Assigned" as the Deployment method
- Edit Properties of the GPO. Under the Security tab perform the following:
- Remove "Apply Group Policy" for "Authenticated users"
- Add the ME group you created and check "Apply Group Policy"
- After rebooting clients in the group, the GPO will apply.
- You can use the command
gpupdate /force to force the GPO to apply.
- Installation will occur before logon and a reboot will be automatically performed.
- When deploying by GPO, the default language is EN
- To define another language interface, modify the registry key
according to Microsoft's Locale ID (LCID) Chart:
Completing the Procedure
Verify connectivity to the server by hitting Test and Update in the client's GUI.
This solution is about products that are no longer supported and it will not be updated