
How To: Upgrade/Migration of ESET v6 to v7 using SCCM/MCEM



We use SCCM for our software deployment and we've always had problems doing major version upgrades of ESET products with it. We've had no luck with installing the new Agent in place over the top of the old Agent, trying to uninstall old products and install new ones, or using the agent infrastructure to send our new policies to direct to the new infrastructure, etc., but we finally solved our problem using SCCM Task Sequences. The purpose of this topic is to save those who are in our situation from having to go through the same thing we did.

If this information is useful to you, or you're affected by the same problems I am, please make a comment and make your voice heard to ESET. I'm tired of the ESET upgrade/migration experience being , ESET needs to do better in both documentation and the MSI.

Notes

  • We have ERAS6, ERA6 and ESS6 and we wanted to upgrade to EMA7 and ESS7 which connects to a whole new separate and freshly installed instance of ESMC7. There is no connection between ERAS6 and ESMC7, we did a new build.
  • We're using SCCM-CB/MCEM (2008) with Windows 10 Enterprise devices.
  • We use automated packaging software to manage our SCCM Applications, to keep their source files up to date and to push updates via SCCM+WSUS. It sets up two separate Applications, one for each architecture (x86 and x64), as opposed to one Application with multiple Deployment Types for each architecture. Adjust the task sequence to suit your situation.
  • A number of our systems are laptops with user-space VPN clients, so we designed our Task Sequence to suppress reboots until the end despite potential issues that could bring. Adjust the task sequence to suit for your situation.
  • We use ESET Endpoint Security but adjust the task sequence to suit whatever applications you have installed and want to install.
  • With regard to uninstalling the existing product, it's possible to use a PowerShell script to find the ProductCode of the installed software based on the UpgradeCode (Powershell: Uninstall application by UpgradeCode), but the process below does not take that approach and just defines a new Action for each scenario permutation.
  • Process assumes you have packaged your ESET products, including a customised install_config.ini for the ESET Management Agent.
  • We do not have Supersedence set up for any of the ESET Products SCCM Applications, we couldn't get it to work because the Uninstall step of Deployment Types didn't work for some reason. I have no idea why running the exact command in a Task Sequence works and not via Application Deployment Type Uninstall step (both operate as SYSTEM in runtime). This has the result of the ESET Management Agent 7 being installed, in place, over the top of ERA6, which doesn't actually work, but we fix this by repairing the MSI in the following step.

Task Sequence

  • Process
    • x86 (Add in Condition to only allow 32-bit editions of Windows)
      • Uninstall ESET Endpoint Security 6 (Run Command Line)
        • You can use a PowerShell script for all this logic or setup an Action for each permutation of the following:
          • Each deployed version you want to uninstall
            • Add in "Installed Software" Condition to this Action and select one of the old relevant versions of the x86 MSIs of a version you have deployed that you will be uninstalling in this Action.
              • Take note of the ProductCode for the msiexec command, it is unique to that version-architecture combination.
          • With Password
            • In the event Agents don't receive the new policy to remove password, happened to us despite ERAS6 saying policy was applied.
          • Without Password
            • If you try "Without Password" version before trying "With Password" make sure to set "Continue on error". This logic can probably be better handled by a script.
        • The command to be executed will be one of the following, depending on the situation:
          • Without Password (Product Code is just an example, use the one for the version you're uninstalling)
            • msiexec /x "{8E9AB319-74FD-490E-864F-21B29AEC6A90}" /q REBOOT=ReallySuppress
          • With Password (Product Code is just an example, use the one for the version you're uninstalling)
            • msiexec /x "{8E9AB319-74FD-490E-864F-21B29AEC6A90}" /q REBOOT=ReallySuppress PASSWORD=PassWordHere
      • Install ESET Management Agent 7 (Install Application)
      • Repair ESET Management Agent 7 (Run Command Line or Run PowerShell Script)
        • The /i is deliberate, /f didn't work despite it seemingly doing an MSI repair.
        • With Password
          • msiexec /i agent_x86.msi PASSWORD=PassWordHere
        • Without Password
          • msiexec /i agent_x86.msi
      • Install ESET Endpoint Security 7 (Install Application)
    • x64 (Add in Condition to only allow 64-bit editions of Windows)
      • Uninstall ESET Endpoint Security 6 (Run Command Line)
        • You can use a PowerShell script for all this logic or setup an Action for each permutation of the following:
          • Each deployed version you want to uninstall
            • Add in "Installed Software" Condition to this Action and select one of the old relevant versions of the x64 MSIs of a version you have deployed that you will be uninstalling in this Action.
              • Take note of the ProductCode for the msiexec command, it is unique to that version-architecture combination.
          • With Password
            • In the event Agents don't receive the new policy to remove password, happened to us despite ERAS6 saying policy was applied.
          • Without Password
            • If you try "Without Password" version before trying "With Password" make sure to set "Continue on error". This logic can probably be better handled by a script.
        • The command to be executed will be one of the following, depending on the situation:
          • Without Password (Product Code is just an example, use the one for the version you're uninstalling)
            • msiexec /x "{632B1C53-E8E5-4F68-817C-EBA1E9098FB7}" /q REBOOT=ReallySuppress
          • With Password (Product Code is just an example, use the one for the version you're uninstalling)
            • msiexec /x "{632B1C53-E8E5-4F68-817C-EBA1E9098FB7}" /q REBOOT=ReallySuppress PASSWORD=PassWordHere
      • Install ESET Management Agent 7 (Install Application)
      • Repair ESET Management Agent 7 (Run Command Line or Run PowerShell Script)
        • The /i is deliberate, /f didn't work despite it seemingly doing an MSI repair.
        • With Password
          • msiexec /i agent_x64.msi PASSWORD=PassWordHere
        • Without Password
          • msiexec /i agent_x64.msi
      • Install ESET Endpoint Security 7 (Install Application)
    • Restart Computer
      • Remember to change it to "The currently installed default operating system"
      • If you have multi-boot and the operating system running is not default you'll have to restart via a script instead.

Process

  1. Create the Task Sequence.
  2. Ensure all relevant Content is Distributed. You can do this by selecting "Distribute Content" on the Task Sequence
  3. Decide how you will be deploying the Task Sequence. Will you have separate Device Collections? Will you be using the Planned Deployments feature or do deployment manually? Will you have a test Device Collection and a production Device Collection?
  4. Using ERAS6, deploy new policies, or adjust existing ones, to change the following settings for the following applications:
    1. ESET Management Agent
      1. Unset "Password protected setup" under "Advanced Settings"
    2. ESET Endpoint for Windows etc.
      1. Disable "Enable Self-Defense" under "Detection Engine" > "HIPS"
      2. Under "User Interface" > "Access Setup"
        1. Disable "Password protect settings" for "< 6.x"
        2. Unset "Set Password" for "< 6.x"
  5. Ensure Policies are deployed to relevant Agents before continuing by checking Statuses under "Applied Policies" of relevant Computers.
  6. Deploy the Task Sequence using one of the following methods with the following considerations:
    1. Phased Deployments with test and production Device Collections or do a Deployment to a test Device Collection, review results manually, then do a new deployment to production Device Collection.
    2. Ensure the Task Sequence is not deployed to any systems that are already running ESET Management Agent 7. You may want to create a superset Device Collection that has a Query Membership Rule that excludes said systems and limit your test and production Device Collections to said Device Collection.
    3. Make Deployment Available and set Assignment Schedule as per your requirements. I recommend setting the "Rerun behaviour" to "Never rerun deployed program", it's doubtful just rerunning the task sequence is going to be successful if it fails, a failure will most likely require intervention.
    4. Set User Experience "outside maintenance window" options as per your requirements.
  7. Task Sequence Deployment can be monitored in Monitoring > Deployments in SCCM Console. Our experience has been fairly positive in SCCM/MCEM 2006 when it comes to reporting useful "In Progress" information. We remediated failures manually.

 

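The post above notes that the uninstall permutations (one Action per ProductCode, with and without password) could be handled by a single script. The following is an added example of such a script, not the original poster's: it finds installed products by their registry DisplayName rather than by UpgradeCode, and it assumes the DisplayName begins with "ESET Endpoint Security" and that the password is supplied in a Task Sequence variable hypothetically named ESETSetupPassword.

```powershell
# Added example, not the original poster's script.
# Assumptions: DisplayName starts with "ESET Endpoint Security"; the password is held in a
# Task Sequence variable named ESETSetupPassword (hypothetical name).
$ErrorActionPreference = 'Stop'
$okCodes = 0, 3010, 1641          # success, reboot required, reboot initiated

# Read the password from the Task Sequence environment so it is not stored in the script.
$password = $null
try   { $password = (New-Object -ComObject Microsoft.SMS.TSEnvironment).Value('ESETSetupPassword') }
catch { Write-Output 'Not running inside a Task Sequence; no password available.' }

# MSI-installed products are registered under a key named after their ProductCode GUID.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$products = Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -like 'ESET Endpoint Security*' -and $_.DisplayVersion -like '6.*' }

function Invoke-EsetUninstall([string]$ProductCode, [string]$Password) {
    $msiArgs = @('/x', $ProductCode, '/q', 'REBOOT=ReallySuppress')
    if ($Password) { $msiArgs += "PASSWORD=`"$Password`"" }
    (Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru).ExitCode
}

$failed = $false
foreach ($p in $products) {
    # Try without a password first, as in the "Without Password" Action.
    $code = Invoke-EsetUninstall -ProductCode $p.PSChildName
    if ($okCodes -notcontains $code -and $password) {
        # Covers clients that never received the policy removing the password.
        $code = Invoke-EsetUninstall -ProductCode $p.PSChildName -Password $password
    }
    Write-Output "$($p.DisplayName) $($p.DisplayVersion) $($p.PSChildName): msiexec exit code $code"
    if ($okCodes -notcontains $code) { $failed = $true }
}
# A non-zero exit makes the Task Sequence step fail unless "Continue on error" is set.
if ($failed) { exit 1 }
exit 0
```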

Attached is a screenshot of the hierarchy in the Task Sequence Editor. The "(P)" in the Uninstall Actions represents it was configured "With Password".

This wasn't the one we used in Production, but one for testing and the one I described in the main post.


I forgot to mention an important point regarding the "Repair ESET Agent" step.

If you use PowerShell, you can change the "Start in" path to the UNC path of the ESET Agent source files but you'll have to contend with the PowerShell execution policy, script signing, SYSTEM computer object share permissions etc.

If you use Command Line, instead of trying to mount the share or something using a script, you could cheat and redundantly package the Agent source files into an SCCM Package that you specify in said Run Command Line step. It's a bit wasteful and redundant, but it works. You might be able to find the MSI in cache or try to get the repair step working with the ProductCode too, but we didn't go down that route to test that.
