Endpoint Protection


SEP clients won't upgrade after SEPM 12.1.2 upgrade


  • 1.  SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 12:59 PM

    Team,

    I recently upgraded from 12.1.1 to 12.1.2.  I assigned the newer client package to the Clients-Install Packages and set the upgrade timeframe.  Users rec'd the upgrade notification on their PCs but nothing ever happens when they give it permission to upgrade/reboot.  The upgrade notification window continues to show up on each user's PC every morning and still the clients do not upgrade (all are sitting at 12.1.1000.157). 

    Yet if I have a re-imaged PC that doesn't have SEP installed, SEPM remote installation does work w/out issue (client 12.1.2015.2015).

    Also, just FYI, I never had an issue when I upgraded from 11.x to 12.x.  The upgrades worked w/out issue.

    Thoughts?

    Server 2008R2 Enterprise, Windows 7 Pro x64



  • 2.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:06 PM

    Not meant to be a stupid question but can you confirm the right package was added? I've seen this before if the wrong package was added. Meaning, the user was on 12.1 RU1 and the 12.1 RU1 package was accidentally added instead of the latest one.

    Also, on the client, can you check the %temp% directory and look for the SEP_INST.log file and post it here for review.



  • 3.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:11 PM

    Any language difference between SEPM and clients? Are they on the same OS language?

     



  • 4.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:12 PM

    @Rafeeq:  Same everything.



  • 5.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:17 PM

    @Brian...never a stupid question when it comes to things like this!  ;-)

    I'll get on one of the clients and pull that log file here in a second.

    As far as client version...this is what shows up:



  • 6.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:20 PM

    Cool, just wanted to make sure.

    Let's see what the log shows, if anything. Should give an indication of what is going on.



  • 7.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:22 PM

    oh and I've even tried manually pushing the new client to the PCs that have 12.1.1 installed on them.  Yet nothing ever happens and the client shows up as this in the Clients manager:



  • 8.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:24 PM

    Just a shot in the dark...should I remove the checkmark from "Maintain existing..."? 

    Sorry, getting ahead of myself.  Let me get the logs for you on both the user's machine and the one that I pushed manually.



  • 9.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:25 PM

    Logs would give the info, let's check the logs first.



  • 10.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:36 PM

    OK, Brian...no such luck finding any SEP_INST.log files on either machine in the %temp% folder...



  • 11.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:40 PM

    That usually means that the SEP install is not even kicking off. If it kicked off, everything would be recorded in the SEP_INST.log, success/failure, etc.

    You mentioned the users need to OK the install to begin? Are they cancelling it possibly?



  • 12.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:47 PM

    I would try suppressing the notification / schedule.

    Do a search for SEP_inst.log under the C drive.



  • 13.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 01:54 PM

    No I'm pretty sure they are not.  I don't have a screenshot of the message window at this time to answer you 100%. 

    But what about the 3 machines that I did a manual push on the install?  Is it because the 12.1.1 is installed and so it won't update it?  That wouldn't explain why the Client page (see above) shows the PC needs to be rebooted (which it has several times)...they still check in and update - notice the time stamp as that continually updates the time it checks in (Last Time Status Changed)



  • 14.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 02:02 PM

    nothing under C:\

    I'll have to change the OU for the 3 machines I can test with and will report back on suppressing schedule/notify



  • 15.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 02:52 PM

    Rafeeq...so how do I get it to start the upgrade w/out the schedule enabled?



  • 16.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 02:59 PM

    If no schedule is set, the client will check in according to its heartbeat and see the upgrade is available. It should start soon after.



  • 17.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 03:39 PM

    Brian...it doesn't look like it's either seeing the update or performing the upgrade...I ran the command for it to update content and nothing so far...



  • 18.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 03:50 PM

    Out of curiosity, do you have the ability to run an install locally on one affected client? Just trying to narrow it down. If it works locally, it has to be something between client/server. But it seems the install won't even kick off. Has the affected client(s) been rebooted?



  • 19.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 04:08 PM

    The icon next to the client name in SEPM console means that the deployment failed - no SEP_INST.log would be created - apparently the already installed client rejected the upgrade package.

    - Can you run the sylink on one of the affected clients: http://www.symantec.com/docs/TECH104758 - this will possibly show us a bit more info.

    - In SEPM console right click one of these clients and edit properties - can you post screenshot - what is listed under deployment message, deployment status and target version?



  • 20.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 06:08 PM

    I'll give that a try here in a bit...working on a SBE issue



  • 21.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 06:15 PM

    Give me a little bit to get the sylink set up but in the meantime here is the screenshot of one of the machines that continues to get the message popup for upgrade:

    So the Win7x64 machines ARE accepting the upgrade...it's just not happening...



  • 22.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Feb 28, 2013 11:23 PM

    Hi

    Can you please let us know the operating system version ?

    Regards

     

     



  • 23.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 12:11 AM

    Hi

    Can you please check whether the base filter engine service is started?

    Regards

     



  • 24.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 02:10 AM

    Not sure if this was already mentioned - was this machine rebooted since the push? As SEP is based on Side by Side installation - it would always look like that when the version is installed and awaiting reboot for applying changes.

    Can you check as well the SEP folder in c:\Program Data - is there only the folder for 12.1.1000.157 or was 12.1.2015.2015 already created as well?



  • 25.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 12:33 PM

    PCs - Win7 x64

    SEPM - Server 2008R2 SP1



  • 26.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 12:35 PM

    Yes it's started on all machines



  • 27.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 12:44 PM

    Yes, everyone clicks the Download button and they also reboot (even tho they aren't prompted) and still nothing.

    As far as the SEP folder...no, there is only the 12.1.1000.157 folder listed (a couple others but none for the new version)



  • 28.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 12:55 PM

    Here's what I get when I try to do an install directly from the install package whether it be on the SEP server or when I copy it over to the local drive:

    I've even rebooted the machine and it still comes up with this message.



  • 29.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 12:56 PM

    Ok, one more test - can you logon on one of the machines with admin account and accept the prompt for installation using that account - is the client installed then or still the same?



  • 30.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 01:00 PM

    https://www-secure.symantec.com/connect/forums/alleged-pending-system-changes-require-reboot-errors-endpoint-installer#comment-3283371

    https://www-secure.symantec.com/connect/forums/sep-121-will-not-install-detected-system-changes-requiring-reboot

    Installation fails with the message "Pending system changes that require a reboot have been detected"

    http://www.symantec.com/docs/TECH103109



  • 31.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 01:09 PM

     

    Control Panel>System>Advanced

    what's the value of

    “User variables C:\TMP or C:\TEMP

     



  • 32.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 01:10 PM

    I've not seen the install popup when I'm logged in w/Admin account



  • 33.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 01:16 PM



  • 34.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 01:19 PM

    as far as SYLINK...I can't seem to change the registry setting...even when I open regedit w/Admin rights in the Admin profile...?  I almost need to be in safemode to do this...



  • 35.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 01:25 PM

    for testing purpose can you change that to C:\tmp and C:\temp and try the upgrade... any windows firewall enabled on the client?



  • 36.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 01:38 PM

    Tried it on another machine and this is what I get when I try to do the install manually from the install file:

    and yes, the installer activates UAC and I enter my Admin credentials (which are Domain Admin creds)



  • 37.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 02:00 PM

    tried this, deleted the registry entry and w/out rebooting, tried the install and still get that same error on reboot required...



  • 38.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 02:09 PM

    Windows Firewall is disabled by GPO as SEP is the firewall that is being used

     

    Made the changes to TEMP and TMP, ran the install and got this error (same as before):



  • 39.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 02:14 PM

    I went into regedit and looked for that key and there is no such entry for WGX...?



  • 40.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 01, 2013 09:59 PM

    You should now have the SEP_inst.log file, attach it here. I'm done with ideas, here is the last one to try

    1. Launch Regedit.
    2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SERVICES\WGX subkey.
    3. In the right pane, change value data for value name Group from NDIS to PNP_TDI.

    reboot and then assign the package



  • 41.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 04, 2013 11:44 AM

    Ok, I did find the SEP_INST log file and have it attached.  It looks as if the log mentions that the PC needs to be rebooted...yet it's been rebooted several times?

    as far as the WGX subkey...as stated earlier, that key does not exist

    Attachment: SEP_INST_0.7z (8 KB)


  • 42.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 04, 2013 11:55 AM

    Pending file rename? Have you deleted these keys?

    http://www.symantec.com/connect/articles/pending-file-rename-operations



  • 43.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 04, 2013 12:50 PM

    Yes I've already tried this (see above).  I've deleted those keys, ran the install, get the same error, reboot and the key is back...?

    but for giggles, I'll try this again...you never know...I've seen weirder things happen.



  • 44.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 04, 2013 01:01 PM

    Here's screenshots of the key and file in question



  • 45.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 04, 2013 02:08 PM

    So I deleted those keys, tried to install...got the message about needing to reboot...rebooted...checked registry to make sure the Pending keys were still gone and they were...started install and got this again:

    yet when I go into the registry, that key does NOT exist...???

    since the key didn't "exist" I clicked Ignore and it looked like it was going to work until I got the following:



  • 46.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 04, 2013 04:38 PM

    Here's the SEP_INST log for the last attempt

    Attachment: SEP_INST_2ndAttempt.7z (107 KB)


  • 47.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 05, 2013 08:58 AM

    Error shows the same : Error 1401. Could not create key \SOFTWARE\Symantec\Symantec Endpoint Protection\{3771A34D-2132-48EA-A486-D62ECDF9D553}

    Do you have any restrictions for users on registry access? Can you check the SEP registry folder and see what permissions are set on it? Does SYSTEM have full access?

     



  • 48.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 05, 2013 11:04 AM

    I have it in the GPO policies to block registry access to "users".  Yet I am in the administrative profile right now and still having these issues.  Not only am I in the Domain Admin profile, but when UAC comes up for the install, I enter in my Domain Admin creds as well.

    I checked the SEP folder's permissions in the registry:



  • 49.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 05, 2013 11:07 AM

    ...also, SEPM has a domain admin account that it uses for all installs.

    my GPO restriction has been in place for quite some time and SEP 12.1 RU1 never had a problem with the update from 11.x

    FYI...sorry that this is such a pain Rafeeq!  Thank you for all the thoughts and suggestions!



  • 50.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 05, 2013 11:30 AM

    :) Before we go further, take a client out of this GPO.

    Try the upgrade. I'm suspecting the GPO.

    Here is the document for permissions; double-check these:

    http://www.symantec.com/business/support/index?page=content&id=TECH93564

     



  • 51.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Mar 05, 2013 04:59 PM

    I don't know Rafeeq...that doesn't explain why I can install SEP on a reimaged machine that's in the same OU with the same GPOs...I can push the install from SEPM w/out issue.  It's on machines that already have it installed that I'm having issues...



  • 52.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted May 27, 2013 04:04 AM

    Hi Lavee383,

     

    Curious to know if you have worked something out? I am seeing the exact same error on all my Windows 7 clients machine logs:

    Product: Symantec Endpoint Protection -- Error 1404. Could not delete key \SYSTEM\CurrentControlSet\Services\WGX.  System error .  Verify that you have sufficient access to that key, or contact your support personnel.

    Clients are currently running 12.1.2015.2015 and I am trying to upgrade them to 12.1.2100.2093

     



  • 53.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted May 27, 2013 01:32 PM

    Unfortunately there was no solution after working for a couple of weeks with Symantec tech support and having the issue sent to "engineering". The only "solution" I was given was to manually uninstall each and every client using their CleanWipe utility. I was very upset as you could imagine. I still think the problem lies with their protection system that I have enabled. Would be curious to know if you have the protect system files enabled on your system.


  • 54.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted May 28, 2013 03:46 AM

    Yes I do, I have Auto-Protect - Enable File System Auto-Protect checked.

    I will open a case and give an update if there is anything better than using CleanWipe.



  • 55.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted May 28, 2013 04:40 AM

     

     

    Hi, 

    Hope you have the Firewall module on your system.

    I faced the same kind of issue while upgrading my systems; at that time the issue lay with the group policy while I tried to modify the SEP.

    There was a group policy that "No one can change the windows firewall". After changing the rules it succeeded.

    From SEP_INST.Log also we can see that a system reboot is pending

    "That there are pending system changes that require a reboot.  Please reboot the system and rerun the installation."

    And normally the return error code 1603 is related to the Windows Installer service.

    Regards

    Ajin



  • 56.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted May 28, 2013 11:03 AM

    Good luck with that.  I hope you have better luck than I did.  I wasted a week or two on this issue and still ended up having to manually remove each and every one.

    Reply back with what you get out of your ticket regardless of the solution (as I'm betting you'll get the same answer as me).



  • 57.  RE: SEP clients won't upgrade after SEPM 12.1.2 upgrade

    Posted Jun 04, 2013 10:33 AM

    So turned out our problem was caused by Application and Device Control.

    We use the default policy but I imported some settings from the SEP Hardening Policy v2.

    After importing version 3, clients are upgrading.

    Title: Application and Device Control Policy
    Document ID: TECH132337
    Web URL: http://www.symantec.com/docs/TECH132337

    At the bottom of the web page you can download SEP Hardening Application and Device Control policy v3.dat
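
The installer messages quoted in this thread (Error 1401 and 1404 on registry keys, the pending-reboot message, return code 1603) can be pulled out of a SEP_INST.log with a short triage script. This is an added example, not code from any poster or from Symantec; the sample log is constructed (message texts from the thread, line prefixes and timestamps invented), and the UTF-16 handling in `read_log` is an assumption about how the log was saved.

```python
import re

# Registry failures in the form quoted in the thread (Error 1401 / 1404).
REG_ERROR = re.compile(
    r"Error (?P<code>\d{4})\.\s+Could not (?P<op>\w+) key "
    r"(?P<key>\\.+?)(?:\.\s+System error|\.?\s*$)")
STATUS = re.compile(r"error status: (?P<status>\d+)")
PENDING = "pending system changes that require a reboot"

# Constructed sample: message texts are from the thread, prefixes/timestamps invented.
SAMPLE_LOG = r"""
MSI (s) (B4:10) [11:02:17:101]: Product: Symantec Endpoint Protection -- That there are pending system changes that require a reboot.  Please reboot the system and rerun the installation.
MSI (s) (B4:10) [11:05:40:550]: Product: Symantec Endpoint Protection -- Error 1401. Could not create key \SOFTWARE\Symantec\Symantec Endpoint Protection\{3771A34D-2132-48EA-A486-D62ECDF9D553}
MSI (s) (B4:10) [11:05:41:002]: Product: Symantec Endpoint Protection -- Error 1404. Could not delete key \SYSTEM\CurrentControlSet\Services\WGX.  System error .  Verify that you have sufficient access to that key, or contact your support personnel.
MSI (s) (B4:10) [11:05:44:870]: Installation success or error status: 1603.
"""

def read_log(path):
    """Return the log's lines; assumes UTF-16 when a BOM is present, else UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return raw.decode(enc, errors="replace").splitlines()

def triage(lines):
    """Collect registry errors, the pending-reboot flag and the final status."""
    report = {"registry_errors": [], "pending_reboot": False, "exit_status": None}
    for line in lines:
        m = REG_ERROR.search(line)
        if m:
            report["registry_errors"].append((int(m["code"]), m["op"], m["key"]))
        if PENDING in line.lower():
            report["pending_reboot"] = True
        s = STATUS.search(line)
        if s:
            report["exit_status"] = int(s["status"])  # last status line wins
    return report

def next_checks(report):
    """Map findings to the checks suggested by posters in the thread."""
    checks = []
    if report["pending_reboot"]:
        checks.append("pending reboot reported: review pending file rename operations")
    for code, op, key in report["registry_errors"]:
        checks.append(
            f"Error {code}: cannot {op} {key}: check the key's permissions "
            "(does SYSTEM have full access?) and the Application and Device "
            "Control policy applied to the client")
    return checks

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(result)
    for item in next_checks(result):
        print("-", item)
```

For a real client, pass `read_log(path)` to `triage` with the path of the SEP_INST.log found in `%temp%`.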