Administrators of the SEP SBE cloud accounts that are provisioned through eStore, must ensure that they have adequate licenses for the number of computers targeted in the Active Directory deployment. If you run out of licenses during your Active Directory deployment, the installations fail for computers without licenses. Active Directory reports a successful install, but that is a false-positive.
Downloading the package
During the download of the Active Directory-ready redistributable installer package, three files are compiled for use by the organization's IT department. These files must always reside in the same folder to function properly and should not be mixed with different downloads of the redistributable package:
SYMGroupPolicyDeployment.mst is now saved as GPO-YYYYMMDDHHMM.mst.
For more information about using MST files, see the Microsoft documentation for:
To download a redistributable installer package for Active Directory deployment
In the SEP SBE Management Console, click Computers.
In the Computers page, click Add Computer.
In the Protect Computer page, use the groups drop-down to select a computer group to populate with this install package.
In the Download Windows Installer > Download a Redistributable Package section, click Download.
Depending on your browser, the file is automatically downloaded or you may be asked to run or save the file.
When the SymantecPackageCreator.exe file download is complete, run the file.
When the Package Creator dialog box opens, click edit to identify where to save the redistributable package.
In the Advanced section, click edit next to Operating Systems to choose the Windows versions that you want your package to support. Click Save.
The latest version of SEP SBE is compatible on Windows Server 2016, but it is not certified. A certified version will be available in the near future.
In the Advanced section, click edit next to Proxy Settings to enter your organization's proxy settings for use by the Package Creator. This step is optional and only necessary when these settings are required for Internet access. Click Save.
You may create a number of distribution packages to fit the needs of your organization's different network locations.
In the Advanced section, check Create Active Directory Group Policy deployment.
The following options are available when Create Active Directory Group Policy deployment is selected.
Restart computers automatically - The computer automatically restarts to complete installation if required. User interaction is not required. If you are logged on to the computer during the installation process and if a restart is required, a message is displayed notifying you of the restart.
Upgrade outdated computers - Reinstalls only if the installed files are outdated compared to the files in the redistributable. The computer automatically restarts during the process if required. This option works regardless of if SEP SBE was first installed manually or by Group Policy.
If you have deployed software package using Group Policy before this installation, you can add this upgrade version to the Active Directory Server. You can add either alongside older packages or mark as an upgrade of the older packages to avoid installing the old version to computers that have been newly added to the group.
Because servers require two restarts, we recommend that you also select Restart computers automatically to complete server installations without user interaction.
Selecting both the options ensures that the new installations automatically restart and the existing installations are upgraded if required.
The selected files are downloaded and then the package is created. The redistributable package files are associated with a specific organization and should not be used outside of that organization.
When the download is complete, click Finish.
The files: SYMRedistributable.exe, SYMGroupPolicyDeployment.msi, and GPO-YYYYMMDDHHMM.mst are in the destination directory. These files must be kept together as a single package; mixing different versions of these files breaks the redistributable package.
Setting up a domain controller for deployment
When the download is complete, the domain controller must be set up for the SEP SBE cloud deployment. The procedures for accomplishing this task are well documented in the following Microsoft knowledge base article:
When you add a new SEP SBE package to GPO you must select Advanced rather than Published or Assigned. You then select the Modifications tab of the GPO deployment properties and add the MST file from the SEP SBE package. The Microsoft's article does not mention this scenario.
GPO deployment and other installation logs can be found on client's end at C:\ProgramData\Symantec.cloud\syminstall\
The default SEP SBE GPO deployment does not uninstall or upgrade other versions except in limited cases, and the MST file must first be modified to add the -force or -refresh/refreshall command line options.