I am installing McAfee Endpoint Encryption for PC with the AutoDomain script on client machines via EPO 4. I created the machine install set on the MEE database and selected to run silently. I created the EPO package and included the MEE install set. I checked in the package on the EPO database. I assigned the task to my client machine group in EPO. The EPO Wake Up Agent installs and right after Endpoint Encryption on the client machine. The AutoDomain script runs and the MEE installation finishes. The problem is that when I look at the AutoDomainLog html file, the cached profiles were not added to the MEE database. It appears to skip the whole process in the script without any errors. I know the MEE install set works because I have tested it on machines without being part of an EPO installation package. I went the opposite way next and created another MEE install set and selected not to run silently. I also edited the EPO pkgcatalog.xml file not to run the MEE install set silently. I checked in the package on EPO and tried again but I get the same results... fail.
I read over the EPO Integration Manual in the MEE Documentation. It informed me that unless I run the MEE install set silently the EPO package install would fail. I know this not to be true because I have tested successfully. The only thing that does not work is part of the AutoDomain script.
I read the AutoDomain manual and looked over the vbs script and could not find any variable to edit so that this can work. Is there a setting in EPO? Can you run AutoDomain silently? If not it would be a tough situation for many organizations that use SMS, EPO, Altiris, etc.
I am using version 3.2, which I assume is the latest version? Here is the autodomain log. Like I said, the process of adding cached users is skipped. There are no errors noted in the log. I have two domain users and a local account that have a cached profile on the machine.
5:22:52 PM: Set my options from autodomain.ini
5:22:57 PM: --------------------------------------------------------------------------------
START! Version 3.2
5:22:57 PM: Please wait while I add everyone who has used your machine to the list of users who can login to SafeBoot.
I'm going to add them if they seem to be members of the following domain(s) NEODEV
This might take several minutes to complete so please be patient and please don't shut your machine down until I am finished. Once all the users are added, they will be able to login to SafeBoot with their normal SafeBoot userID and password.
5:22:57 PM: RandomAdminUser picked user name "admin" from 1 possible accounts for this script command
5:22:57 PM: Waiting 1 seconds before I start...
5:22:58 PM: I tested the SafeBoot API, it's working and the version is good (18.104.22.168)
5:22:58 PM: I'm going to use the group "Eng_Machines" if I have to create any machines.
5:22:58 PM: Found a good connection in the DB list for database "MEEDEV"
5:22:59 PM: SafeBoot Device Encryption is not installed
5:23:00 PM: Created a new machine entry in the database for "XPDEV3" in group "Eng_Machines"
5:23:00 PM: Using Machine Name:"XPDEV3" for future activity.
5:23:00 PM: Getting the current list of users for machine "XPDEV3"
5:23:01 PM: I will skip adding the following users for you because they are either already allocated, or on a blacklist your administrator has set
Administrator|,|LocalService|,|All Users|,|Default User|,|NetworkService|,|Guest|,|systemprofile|,|emanager|,|$autoboot$|,|Admin|
5:23:01 PM: Searching for AutoBoot users to remove..
5:23:01 PM: As you don't have SafeBoot installed, I'm not going to bother forcing a sync of your machine.
5:23:01 PM: Removing Registry entries so I never run again...
5:23:01 PM: Removing ScriptRunner entries so I never run again...
5:23:01 PM: You can close this window, or I'll close it for you in 10 seconds...
5:23:01 PM: DONE!
For some reason the section to query the registry and add the cached users is ignored in the script. I am guessing that this part has to be run interactively on the machine instead of silent like ePO demands?
I ran a silent install set separately without the ePO package and the cached users were processed successfully. This problem only occurs while it is packaged and run under a client task by ePO.
I have never seen the autodomain script run again after first reboot automatically. Is there a setting in the script to make this happen? I thought that this could only be done manually and this will be unwanted administrative overhead to some organizations. I can see in some situations that after the initial install the user will be given back control to the machine after first reboot and work during encryption. The user may not have local administrative rights on the machine and will not be able to execute the script. I guess it depends on the sys admin's mood to push this script through group policy.
Autodomain is awesome to use and so is ePO. I just wish both of them could play nice. Maybe they do and I am just missing something.
I am reporting good news! I have obtained AutoDomain 5.10 and it runs exactly as it should on the client devices with the ePO EEPC install package. I also am fond of the UseUPNIfPossible, SecurityGroup, and ConnectorName options. I suggest that this script be an option in the database as a standard File Group in the future.
Now you should get 5.14 and try the runonlogon option - it uses the Windows Active Installer technology to make the script run once per user when they logon, so, as new people use the machine (or existing old users), it will one-time capture their credentials and ensure they are correctly set up.
Some of the functionality is planned for future versions, but until that time we're using the API to do this. Though it may seem strange to use scripting to provide such essential functionality, that's what the API was designed for - whether we use the API internally to provide it, or provide a script which uses the API makes very little difference - the advantage of the script of course is that it can be easily customised to your own requirements.