Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 8678 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SEC Still hasn't managed several computers on the network

DJfound

The situation I have is that SEC has successfully installed and managed 91 of the 268 machines in our AD. Unfortunately it's not well organized, so out of those 268 some connect to the network occasionally, some everyday, and some have been retired for years.

At this point I know that there are computer frequently on the network not being managed, just giving a 0x0000002e error. SEC is set to sync every 60 min, so it seems these machines should be getting pushed to. 

I've read all the documentation and every relevant kb. My GPO has every firewall exception and automatically starts every service that Sophos recomends. It's very odd how it's working perfectly for some computers and not others.

Thanks in advance for any help.

:52206


This thread was automatically locked due to age.
  • 0

    Hello DJfound,

    I understand that you are using AD sync with automatic protection, correct?

    SEC is set to sync every 60 min ... these machines should be getting pushed to

    AD sync with automatic protection is not very well suited for initial setup - while it will mirror the AD structure and import the computers protection will fail for any endpoint not online at the time of initial sync. Contrary to (your) expectations protection will not be re-attempted in case of an error.   

    One way to re-trigger protection would be to move the computers out of the sync'ed container, wait until they are moved from the sync'ed group to Unassigned, delete them from Unassigned and move them back to the original container when they are online (otherwise protection will once more fail). It's probably better to consider some alternate method like Deploying Endpoint Security and Control through Active Directory group policy.

    Christian

    :52209
  • 0

    Thank you so much, I feel like I'm on the right path now. I set up a startup script to install Sophos and it works great when there is no Sophos installed. My problem now is that all the computers have Sophos Anti Virus already, but they don't have Remote Management installed. I tried modifying the script (shown below w/ private data removed) to install whenever RMS is missing but I can't get it to work in my tests. I made another script that was supposed to uninstall and reinstall everything but that didn't work at all either.

    I feel like I'm getting closer, but I'm suprised there isn't an easier way to do this.

    @ECHO OFF
REM --- Check for an existing installation of Sophos Remote Management on 32-bit
IF EXIST "C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" goto _End
REM --- Check for an existing installation of Sophos Remote Management on 64-bit
IF EXIST "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" goto _End
REM --- Deploy to Windows 2000/XP/2003/Vista/Windows7/2008/2008-R2
\\<server>\SophosUpdate\CIDs\S000\SAVSCFXP\Setup.exe -updp "\\<server>\SophosUpdate\CIDs\S000\SAVSCFXP" -user  -pwd -mng yes
REM --- End of the script
:_End
    :52247
  • 0

    Attached below is a fairly old script you are welcome to use...unsupported.  Test on a test computer first.  There are notes at the top.  Have a play and see if you can get it to work but know that Technical Support won't open a case about this - I only have it because I begged our global escalation support team for it when I was on site at a customer about four years ago.

    It looks horribly long but you really only need to play with the few options at the top - you need to consider logging or not [1], consider not deploying the client firewall initially [2] even if you intend to later on, and change the obfuscated username [3] and password [4].  Plus the servername/path to shares.  Example:

    2014-07-30_16-23-19.png

    The script should have a .vbs extensions when you want to run it (i.e., cscript CheckEndpointInstall_v1.0.vbs from an administrator command prompt - think about UAC blocking the install otherwise).

    Just posting as a general example.

    :52307
  • 0

    After a couple weeks of troubleshooting I've got something working.

    I implemented a script to check if the Remote Management is installed, and if not then it runs a standalone installer. I found that the standalone installer to be more consistent than just going to the SAVCFXP/setup.exe, though both should work. The problem that I encountered then was that many endpoints had Sophos and the Remote Management installed but directed to our old location. So what I am doing now is I have a security group with another script that forces a reinstallation everytime the computer starts up, and then I pull the computer from the security group. It's not the most elegant solution, but it is getting the job done.

    A couple of other things I needed to get this working. I modified the main script GPO to ensure the computer is connected to the domain network before running scripts, and to wait two minutes before cancelling scripts.

    Here are the resources I used in case someone else has need:

    Standalone Installer - http://www.sophos.com/en-us/support/knowledgebase/67504.aspx

    Deployment Script - http://www.sophos.com/en-us/support/knowledgebase/13090.aspx

    I also implemented a logging feature in my script, this helped me greatly with troubleshooting and monitoring progress, here's my final result: 

    ECHO %time% %date% -- %computername% >> \\MyServ\SophosUpdate\StandaloneInstall\InstallLog.txt
REM --- Check for an existing installation of Sophos Remote Management on 32-bit
IF EXIST "C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" goto _End
REM --- Check for an existing installation of Sophos Remote Management on 64-bit
IF EXIST "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" goto _End
REM --- Deploy to Windows 2000/XP/2003/Vista/Windows7/2008/2008-R2
ECHO -------------  Installing Sophos on %computername%  ------------- >> \\MyServ\SophosUpdate\StandaloneInstall\InstallLog.txt
\\MyServ\SophosUpdate\StandaloneInstall\SophosEndpoint.exe 
REM --- End of the script
:_End
    :52605