Cannot install Trend Micro via grouo policy

Hi,

I have been trying to install Trend Micro via Group Policy but no luck AT ALL!
I did try with the startup or software installation. Also tried with VBScript.
Needless to say I am getting frustrated! Also applied all Security & Sharing permissions to Trend files.
What is the trick?
Please find below the link from Technet that I followed to create my policy.

https://technet.microsoft.com/en-us/magazine/dd630947.aspx



Thank you for your help
LVL 1
defreyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

defreyAuthor Commented:
found this on expert exchange that does not look encouraging:

http://www.experts-exchange.com/Software/Anti-Virus/Q_28449808.html
0
defreyAuthor Commented:
After a fair bit of troubleshooting, here is where I  stand.
The vbscript supplied by Trend is not working. The GP works on software installation but NOT for Windows 8.1
Tested on 2012 R2 & Windows 7 installed correctly

The question is now Why does the MSI not working on Windows 8.1, even when launched manually?

Error from Trend is "Installation unsuccessfull" (screen shot attached)
Capture.PNG
0
btanExec ConsultantCommented:
Key requirement
Windows Internet Explorer 11.0 if performing web setup
*Windows UI is not supported
Enable Remote Registry
Allow printer/file sharing in the Windows firewall (if enabled)
Enable default local admin
For more specific error msg for agent installation log, consider enabling debug logging before installing the OfficeScan agent. See pg 6-7 in http://docs.trendmicro.com/all/ent/officescan/v11.0/en-us/osce_11.0_iug.pdf
You will see "OFCNT.LOG" in  %windir% (For all installation methods except MSI package), or %temp% (For the MSI package installation method)

Some possibilities
If you create a login script in Active Directory and then log on as administrator on an endpoint running Windows Vista Home, Server 2008, 7, 8, or Server 2012, the OfficeScan agent cannot be installed to the endpoint and the message that displays states that the account used is not an administrator account.

The OfficeScan agent may not install correctly if Norton SystemWorks™ antivirus is installed on the endpoint. Uninstall it before installing OfficeScan agent.

To perform agent web installation on endpoints with a 64-bit processor architecture, you must use the 32-bit version of Internet Explorer. The 64-bit version of Internet Explorer is not supported.

When installing the OfficeScan agent on Windows 8 and Windows Server 2012 platforms using the browser-based installation method, the installation is unsuccessful if the user is currently in Windows UI mode. This is due to Internet Explorer 10 not allowing ActiveX controls to run.
To resolve this issue:
Switch to desktop mode on Windows 8 and Windows Server 2012 platforms while performing a browser-based installation of the OfficeScan agent.
http://docs.trendmicro.com/all/ent/officescan/v11.0/en-us/osce_11.0_server_readme.htm
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

btanExec ConsultantCommented:
Unable to perform a remote install on Windows 8
Check if the firewall is active.
Go to Control Panel > Systems and Security > Windows Firewall.
Click Turn Windows Firewall On or off.
Select Turn off Windows Firewall for both Private and Public Network settings depending on which network is attached to the Officescan Server.

Check if you are able to connect to machine's Administrative share ( \\machine_name\c$ ):
Go to Network and Sharing Center > Change Advanced Sharing Settings > select "Use user accounts and passworkds to connect to other computers."
Open REGEDIT then go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Create a QWORD (64-bit) called LocalAccountTokenFilterPolicy then set the value to "1".
REBOOT the machine.

If the steps above does not work, allow your Windows 8 machine to join the domain and use the Domain Administrator credentials to log in and perform the remote installation.
http://esupport.trendmicro.com/solution/en-us/1095684.aspx?name=unable%20to%20perform%20a%20remote%20install%20on%20windows%208

The installation package for Win 8.1 and Win 2012
Customers who are using Windows 8.1 and OSCE 10.6 Service Pack 3 Patch 2 or OSCE 11.0 Patch 1 may directly upgrade their operating system to Windows 8.1 August Update.
Below are the OSCE installation package locations:
OSCE 11 Patch 1 (EN)
OSCE 10.6 SP3 Patch 2 (EN)
http://esupport.trendmicro.com/solution/en-us/1103137.aspx?name=compatibility%20of%20officescan%20(osce)%20with%20windows%208.1%20and%20server%202012%20r2%20update

 If have x64 bit clients that you are also going to deploy software to, you will need to repeat the process and create another package for x64 bit installations as well. Past blog http://exchange2010admin.blogspot.sg/2013/12/trend-micro-creating-group-policies-for.html
0
defreyAuthor Commented:
btan,

Thank you for your responses.

I tried this,  
"If have x64 bit clients that you are also going to deploy software to, you will need to repeat the process and create another package for x64 bit installations as well. Past blog http://exchange2010admin.blogspot.sg/2013/12/trend-micro-creating-group-policies-for.html
 but still not working."

Just to be clear,  I am using Worry-Free Business Security Services (cloud based)

Cheers
0
btanExec ConsultantCommented:
Understand same applies though, from the TM guide
Uninstall any 3rd Party antivirus management component on the server that will host the Worry-Free Business Security Server. If this server is a Microsoft Exchange Server, uninstall any 3rd party antivirus solution for Exchange.
For computers running Windows Vista, 7, 8, 8.1, 2012 and 2012 R2 the following should be performed before the Remote Install:
○ The “Remote Registry” system service should be started.
○ User Access Control (UAC) should be disabled Allow File and Print Sharing through the Windows Firewall Exception.
○ For Windows 8, 8.1, 2012 and 2012 R2: Modify the following registry key to turn off User Account Control (Reboot is required to let setting take effect.):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] “EnableLUA”=dword:00000000.
(pdf) - http://solutionfile.trendmicro.com/solutionfile/WFBS_PDF/WFBS9_BPG_20150216.pdf
x64 platforms: A scaled down version of the Security Agent is available for the x64 platform. However, no support is currently available for the IA-64 platform
When performing remote installation on Windows 8 or 8.1, the Microsoft account cannot be used to login to the target client
A dual-stack Security Server can install the Security Agent to any client. A pure IPv6 Security Server can only install the Security Agent to pure IPv6 or dual-stack clients.
(admin pdf) http://docs.trendmicro.com/all/smb/wfbs-s/v9.0-sp1/en-us/wfbs_9.0-sp1_ag.pdf

The Client Packager tool must run the program from the Trend Micro Security Server only. Send the package only to users whose Security Agent will report to the server where the package was created.
http://esupport.trendmicro.com/solution/en-us/1057254.aspx

Ref - Different installation methods for the Security Agent or Client/Server Security Agent of Worry-Free Business Security (WFBS) http://esupport.trendmicro.com/solution/en-us/1057653.aspx

Overall Tech support ref - http://esupport.trendmicro.com/en-us/business/pages/technical-support/worry-free-business-security-9-0-support.aspx

Not intended to just "throw" those links but the pre-check req are already similar for the type of endpt stated, so better to ascertain those as the specific will still req the tech support to resolve if all are duly verified.
0
FlippCommented:
Not sure if it is related to the issue you are having, but we needed to edit the MSI and remove all the languages then leave only one language otherwise it would try and install with Arabic instead of English. This was when we used a GPO to deploy.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
another point to note is the use of the Client Packager utility, Clnpack.exe. More of troubleshooting to make sure support can further assist rather leaving to user scrambling up down guessing what is wrong..

- Request a new PCCSRV/Pccnt folder with the appropriate language and version from technical support.
- Collect the debug log from C:\ClnPack.log. This is the debug log when creating package.
- Before installing, enable the debug mode.
- Create the ofcdebug.ini file on the target machine's system drive. After performing the installation to reproduce the issue, collect these files from the client machine: c:\ofcdebug.log, c:\clnextor.log
- Collect the basic CDT logs.

http://esupport.trendmicro.com/solution/en-us/1057103.aspx
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.