How to silently deploy Media Encryption via GPO
Solution

Silently Deploying Media Encryption

There are two popular deployment methods for large environments, with many alternatives. This guide serves as a quick-start guide, and also provides natively supported methods.

Method 1: Installation via Login Script

Step 1: Creating a Template Installation for Silent Deployment via SMS and Login Script.

To create a standard template installation for silent network deployment:

  1. Create a shared folder on a Windows machine that does not have Endpoint Security Client installed, and copy the contents of the Media Encryption folder from the Endpoint Security installation package to this location.
    This folder will be referred to as [Path to server ME directory].
  2. Click Start > Run and type cmd.
  3. In the Command Prompt window type the following command:

    >[Path to server ME directory]\setup.exe /r /f1"[Path to server ME directory]\setup.iss"

    Notes -

    • There is no space after /f1.
    • setup.iss can be assigned to any existing folder by indicating the path in the quotation marks.
  4. Follow the installation wizard:

    Note - It is important to select NO to a reboot when creating the setup.iss file.
    Automatic rebooting can be configured by setting “BootOption” to 3 in the file.

  5. setup.iss will be created in the specified path.

Step 2: Login Script Silent Deployment via Template.

To deploy ME silently using a standard template installation and login script:

Note - Login scripts may be distributed via GPO.

  1. Visual Studio must first be installed on the client. This is available in the Endpoint package as vc90rt.msi.
  2. Distribute the following login script on all the clients on which Media Encryption is desired:

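    REM Skip the installation if the Media Encryption client is already present.
    REM The path contains spaces, so it must be quoted.
    If Not Exist "%homedrive%\progra~1\CheckPoint\Pointsec Protector Client\disknet.exe" goto Install

    Exit

    :Install

    REM /S = silent, /f1 = response file recorded in Step 1, /f2 = log file.
    REM The empty "" is the window title that start expects before a quoted program path.
    start "" "[Path to server ME directory]\setup.exe" /S /f1"[Path to server ME directory]\install.iss" /f2"c:\ME_status.log" /Z"/RDS"

    exit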

  3. The file ME_status.log will be created in the root c: directory.
    A successful installation is indicated by ResultCode=0 in the file ME_status.log.

Note - Other results include:

    • -1   General error.
    • -2   Invalid mode.
    • -3   Required data not found in the Setup.iss file.
    • -4   Not enough memory available.
    • -5   File does not exist.
    • -6   Cannot write to the response file.
    • -7   Unable to write to the log file.
    • -8   Invalid path to the InstallShield Silent response file.
    • -9   Not a valid list type (string or number).
    • -10  Data type is invalid.
    • -11  Unknown error during setup.
    • -12  Dialogs are out of order.
    • -51  Cannot create the specified folder.
    • -52  Cannot access the specified file or folder.
    • -53  Invalid option selected.
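
The login script starts setup.exe and exits without checking the outcome, so a failed installation is visible only in ME_status.log. The following PowerShell is an added example (not part of the original article and not Check Point code) that parses that log and maps ResultCode to the meanings listed above. The computer names and sample log lines are constructed, and the [ResponseResult] header is an assumption about the surrounding log layout.

```powershell
# Result-code meanings copied from the list above; keys are strings because
# the value is captured from the log as text.
$MEResultText = @{
    '0'   = 'Success'
    '-1'  = 'General error'
    '-2'  = 'Invalid mode'
    '-3'  = 'Required data not found in the Setup.iss file'
    '-4'  = 'Not enough memory available'
    '-5'  = 'File does not exist'
    '-6'  = 'Cannot write to the response file'
    '-7'  = 'Unable to write to the log file'
    '-8'  = 'Invalid path to the InstallShield Silent response file'
    '-9'  = 'Not a valid list type (string or number)'
    '-10' = 'Data type is invalid'
    '-11' = 'Unknown error during setup'
    '-12' = 'Dialogs are out of order'
    '-51' = 'Cannot create the specified folder'
    '-52' = 'Cannot access the specified file or folder'
    '-53' = 'Invalid option selected'
}

function Get-MEInstallResult {
    param([string]$Computer, [string[]]$LogLines)
    $code = $null
    foreach ($line in $LogLines) {
        if ($line -match '^\s*ResultCode\s*=\s*(-?\d+)\s*$') { $code = $Matches[1]; break }
    }
    if ($null -eq $code) {
        # Missing or empty log: setup never ran, or it could not write the log.
        $detail = 'No ResultCode found: setup has not run or the log was not written'
    } elseif ($MEResultText.ContainsKey($code)) {
        $detail = $MEResultText[$code]
    } else {
        $detail = 'Result code is not in the documented list'
    }
    [pscustomobject]@{ Computer = $Computer; ResultCode = $code
                       Installed = ($code -eq '0'); Detail = $detail }
}

# Constructed sample logs standing in for c:\ME_status.log on three clients.
$samples = [ordered]@{
    'PC-001' = @('[ResponseResult]', 'ResultCode=0')
    'PC-002' = @('[ResponseResult]', 'ResultCode=-3')
    'PC-003' = @()    # log file missing on this client
}
$report = foreach ($pc in $samples.Keys) {
    Get-MEInstallResult -Computer $pc -LogLines $samples[$pc]
}
$report | Format-Table -AutoSize
```

Against live clients, pass the real log instead of a sample, for example `-LogLines (Get-Content "\\$pc\c`$\ME_status.log" -ErrorAction SilentlyContinue)`, which assumes the administrative share is reachable.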

Method 2: Deploy ME MSI client using GPO

To deploy ME MSI client silently using Group Policy Object (GPO):

  1. Copy the entire ME client package directory, located on the Endpoint Security client ISO, to a shared network path.
  2. Copy vc90rt.msi from the SecureAccess folder on the ISO to the same shared network path.
  3. You may use the default.xml file provided, or modify a default profile on the ME Administrator Console and export it to overwrite the original default.xml.
  4. Edit the desired default.xml: find disableModules param="11" (or "8") and change the value to "1".

    Note - This step is necessary in order to be able to uninstall via GPO.

  5. Customize the ME client package:
    1. Edit Config.ini to define Server Name, Port used, and users allowed to uninstall (see sk37805).
    2. Modify CheckDat.xml if needed
  6. To create a Group Policy, use the AD Users and Computers application.
  7. Create a group to which the Group Policy will apply.

  8. Assign Computers to Group.
  9. Create a Group Policy Object at the Domain Level.

  10. Edit the GPO.

  11. Under "Software Installation", add the following three packages:
    1. Select the ISScript8.msi and select "Assigned" as the Deployment method

    2. Select Check Point Endpoint Security – Media Encryption Client.msi, click "Open" and select "Advanced":
      • Deployment tab: make sure to check "Uninstall this application when it falls out of scope of management" to be able to uninstall the client
      • Modifications tab: add the included transform file Protector Client GPO.mst

    3. Select vc90rt.msi and select "Assigned" as the Deployment method
  12. Edit Properties of the GPO. Under the Security tab perform the following:
    1. Remove "Apply Group Policy" for "Authenticated users"

    2. Add the ME group you created and check "Apply Group Policy"

  13. After rebooting clients in the group, the GPO will apply.

    Notes -

    • You can use the command gpupdate /force to force the GPO to apply.
    • Installation will occur before logon and a reboot will be automatically performed.
  14. When deploying by GPO, the default language is EN.
  15. To define another language interface, modify the registry key HKLM\Software\CheckPoint\Endpoint Security\LCID
    according to Microsoft's Locale ID (LCID) Chart:
    http://msdn.microsoft.com/en-us/library/0h88fahh%28VS.85%29.aspx
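
Steps 6 to 10 and step 12 can also be scripted so that the security filtering is reproducible and can be checked afterwards. The following PowerShell is an added example (not part of the original article); it assumes the ActiveDirectory and GroupPolicy RSAT modules are available, and the group name, GPO name and computer names are hypothetical. The three packages of step 11 are still added in the GPO editor.

```powershell
Import-Module ActiveDirectory, GroupPolicy

# Hypothetical names: replace with your own.
$GroupName = 'ME-Clients'
$GpoName   = 'Media Encryption Deployment'
$Computers = 'PC-001', 'PC-002'
$DomainDN  = (Get-ADDomain).DistinguishedName

# Steps 7-8: create the group and assign the computers to it.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName `
    -Members ($Computers | ForEach-Object { Get-ADComputer -Identity $_ })

# Step 9: create the GPO and link it at the domain level.
New-GPO -Name $GpoName | New-GPLink -Target $DomainDN

# Step 11 (Software Installation packages and the .mst transform) is done
# in the Group Policy editor; these modules have no cmdlet for it.

# Step 12.1: remove "Apply Group Policy" from Authenticated Users.
# -Replace is required to lower an existing permission; Read is kept.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Step 12.2: let only the ME group apply the policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# Check: Authenticated Users should show GpoRead, the ME group GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```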

Completing the Procedure

Verify connectivity to the server by clicking Test and Update in the client's GUI.

This solution is about products that are no longer supported, and it will not be updated.
