
Agent Deployment via AD/GPO?

My company is getting rid of login scripts and taking admin access away from users.

Currently I deploy the agent to PCs via login script, so any new PC that logs onto the domain gets the agent straight away.

As I won't be able to keep using login script, and users will not have admin rights now, I was wondering how it can be done using AD or GPO?

I am hoping somebody has actually done this ok with McAfee Agent now?
13 Replies

RE: Agent Deployment via AD/GPO?

Well you could use RSD to deploy the agent...but if that's not an option, I'll just keep my eye on this thread too.

I use startup scripts...(if that's an option let me know and I can definitely help with that). I find startup much better than logon because they don't wait for a user to log on; it all happens as soon as a machine is added to the domain.

RE: Agent Deployment via AD/GPO?

Thanks for that. Yea, using a startup script from AD/GPO is the way I will need to go I think.
Unless somebody has worked out a better way?

RSD isn't an option right now, though I have that on my want to implement list I can't at the moment.
(Though I have done some testing with it and want to use it)

For my logon script at the moment it is done with a VBScript and it works fine.
It just checks if the correct version of agent is installed and if not it runs the framepkg from the user's local file and print server.

If you (or others) have any good tips for deploying the agent from a startup script that would be great if you want to pass some info along? It looks like that is what I will be doing I think.


RE: Agent Deployment via AD/GPO?

Here's a snippet of my startup script with the related info...I don't check version but just the existence of EvtFiltr.ini to determine if the machine is managed or not. The version can be easily updated by the agent with an update task so that part is not necessary.

** Keep in mind that I am assuming that all AD computers other than XPe thin clients are candidates for the McAfee Agent here.

HTH...(comments/criticism/pointers welcome!)

@echo off
rem Startup script to check for McAfee Agent and current ePO Server name
rem If MA does not exist, install it, if exists, poke it
rem ** Note: if logging, log file must exist and be writeable by the process involved as all the log file entries assume appending to the file **

rem Test if client is XPe Thin Client
if /i "%runtimeskucode%" == "XPeCli" goto thin_client

rem Set MADir variable to location of Common Framework directory
if exist "%ProgramFiles%\McAfee\Common Framework\CmdAgent.exe" set MADir=%ProgramFiles%\McAfee\Common Framework
if exist "%ProgramFiles(x86)%\McAfee\Common Framework\CmdAgent.exe" set "MADir=%ProgramFiles(x86)%\McAfee\Common Framework"
if exist "%ProgramFiles%\McAfee\CmdAgent.exe" set MADir=%ProgramFiles%\McAfee
if exist "%ProgramFiles%\Network Associates\Common Framework\CmdAgent.exe" set MADir=%ProgramFiles%\Network Associates\Common Framework
if exist "%SystemDrive%\ePOAgent\CmdAgent.exe" set MADir=%SystemDrive%\ePOAgent
if exist "%ProgramFiles%\ePOAgent\CmdAgent.exe" set MADir=%ProgramFiles%\ePOAgent

rem Test if client is ePO managed (EvtFiltr.ini only exists on ePO managed machines)
if exist "%ALLUSERSPROFILE%\Application Data\McAfee\Common Framework\EvtFiltr.ini" goto check_epo_server
if exist "%ALLUSERSPROFILE%\Application Data\Network Associates\Common Framework\EvtFiltr.ini" goto check_epo_server

rem If we're here we need to install agent (uses system credentials when run as a startup script)
"\\myad.dom\netlogon\FramePkg_AD.exe" /FORCEINSTALL /INSTALL=AGENT /SILENT
echo ***** %date% %time%: MA was NOT detected on %computername% ***** >> "\\\pub\pub\ePO_Inst_Logs\general.log"
echo %date% %time%: Attempted to install MA on %computername% > \\\pub\pub\ePO_Inst_Logs\%computername%.log
goto end_epo_inst

:check_epo_server
rem Check registry key for existence of current ePO server name - if pointing to old ePO server, update sitelist with new version
REG QUERY "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v ePOServerList | find /i "my_active_ePO_server_name" > nul
if %errorlevel% == 1 (
"%MADir%\FrmInst.exe" /Silent /siteinfo=\\myad.dom\netlogon\epo\SiteList.xml
echo %date% %time%: Updated ePO SiteList.xml on %computername% >> "\\\pub\pub\ePO_Inst_Logs\general.log"
)

rem Wakeup agent and log computer name (if log desired remove "rem" on next line)
rem echo %date% %time%: MA exists on %computername% >> "\\\pub\pub\ePO_Inst_Logs\general.log"
"%MADir%\CmdAgent.exe" /p /c
goto quit

:thin_client
rem Log computer is a thin client if desired
rem echo %date% %time%: %computername% is an %runtimeskucode% - skipping... >> "\\\pub\pub\ePO_Inst_Logs\general.log"

goto quit

:end_epo_inst
rem Nothing further to do after an install attempt
:quit


RE: Agent Deployment via AD/GPO?

Thanks for that, it is useful to see what others are doing.

I haven't done much research (I mean googling) yet, but I think I am going to just modify my current VB script and use that as a startup script. I haven't done that before, just used them as logon scripts, but do you know of any tips or things to look out for if I do this?

Currently I use a framepkg with no credentials embedded into it and that just runs as the logged on user from the login script.

I like to check the version of the agent just so that if for some reason there are systems that have not been updated via ePO (for whatever reason) it will try and run the framepkg again when that system logs on.
I could probably get away without it, as I don't have any problems with that actually, but I like it just as a kind of a backup method etc.

If I modify the VBS and make that as a startup script what user will it run as?
Will it still be ok to use a framepkg with no credentials?

RE: Agent Deployment via AD/GPO?

If the install is using current logged on user credentials, then they would have to have local admin rights. The embedded credential agent package has been posted for download so you could create a custom install package.

The user that runs the installer just needs to have local admin rights.

RE: Agent Deployment via AD/GPO?

Thanks Jeff, yup, currently users have local admin rights which is why I get away with no embedded credentials.

We will be killing local admin rights too.

So I guess what I was wondering is what happens when you use a script as startup instead of logon.
The logon runs as the user who is logging on, but do you know what would be the default user for when a script is run on startup instead of logon?

heh, I still haven't googled this yet 🙂

I did used to use a package with embedded credentials in the past, but somebody complained about the security issues, so canned that, because I could get away with doing so. So I would prefer not to embed credentials if I don't have to.

RE: Agent Deployment via AD/GPO?

Well, seeing as MA P2 came out without embedded cred options, I ended up using a non-cred package for deploying via startup. It works fine. I believe the system account is used at this point of the bootup process so you should be good with a non-cred'd install with startup.
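
Added example, not part of any post in this thread: because a computer startup script runs under the system account, whatever file sits at the package path runs with that account's rights, so this sketch hashes a local copy of the non-credentialed package and installs only if it matches a pinned value. The pinned hash is a placeholder, the log file name is hypothetical, the agent check covers only two of the paths from the batch script above, and Get-FileHash assumes PowerShell 4.0 or later.

```powershell
# Computer startup script (GPO): install the agent only from a verified package.
$PackagePath    = '\\myad.dom\netlogon\FramePkg_AD.exe'      # path used in the thread
$ExpectedSha256 = '<SHA256-OF-APPROVED-FRAMEPKG>'             # placeholder, pin your own
$LocalCopy      = Join-Path $env:SystemRoot 'Temp\FramePkg_AD.exe'
$LogFile        = Join-Path $env:SystemRoot 'Temp\ma_startup_install.log'  # hypothetical name

function Write-Log([string]$Message) {
    $line = '{0:u} {1}: {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

function Find-CmdAgent {
    # Same existence test as the batch script, for 32-bit and 64-bit Program Files.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $candidate = Join-Path $root 'McAfee\Common Framework\CmdAgent.exe'
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Test-PackageHash([string]$Path, [string]$Expected) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return $actual -eq $Expected          # string -eq is case-insensitive
}

$agent = Find-CmdAgent
if ($agent) {
    & $agent /p /c                        # agent present: same wake-up call as the batch script
    exit 0
}

# Copy first, then hash and run the same local file rather than the share copy.
Copy-Item -LiteralPath $PackagePath -Destination $LocalCopy -Force -ErrorAction SilentlyContinue
if (-not (Test-PackageHash $LocalCopy $ExpectedSha256)) {
    Write-Log "package missing or hash mismatch, install skipped: $PackagePath"
    Remove-Item -LiteralPath $LocalCopy -Force -ErrorAction SilentlyContinue
    exit 1
}

$proc = Start-Process -FilePath $LocalCopy -Wait -PassThru `
        -ArgumentList '/FORCEINSTALL', '/INSTALL=AGENT', '/SILENT'
Write-Log "FramePkg exit code $($proc.ExitCode)"
Remove-Item -LiteralPath $LocalCopy -Force -ErrorAction SilentlyContinue
exit $proc.ExitCode
```

The log here stays on the local machine; a central share that every computer account can append to, as in the batch script, can also be altered by any of those machines.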

RE: Agent Deployment via AD/GPO?

Excellent, thanks for the info, it's just good to know somebody else got that to work ok before I waste too much time on it, as you know, that's the one thing that's hard to come by 🙂

Once I get a chance I will make a start on this side of things.

Thanks again.

If anyone else has any info feel free to chip in

RE: Agent Deployment via AD/GPO?

oh yea, and thanks for the tip on the new package being available, I am downloading it now.