MSI command line reference for Endpoint Protection
search cancel

MSI command line reference for Endpoint Protection


Article ID: 151313


Updated On:


Endpoint Protection


This is a list of the most commonly used MSI commands for Symantec Endpoint Protection (SEP).


Windows Installer (MSI) command-line parameters

  • /QN - quiet (no UI)

  • /QB - quiet (basic UI)

  • /L*V log.txt - full verbose logging to file log.txt

  • PRODUCTINSTALLDIR = path (optional)

    • Default is C:\Program Files\Symantec\Symantec Endpoint Protection (32-bit) or C:\Program Files (x86)\Symantec\Symantec Endpoint Protection (64-bit)

    • Note: On SEP products prior to version 12.1.671.4971, use: INSTALLDIR = path

  • SYMREBOOT = value (SEP 12.1.x & SEP 14.x)

    where value is one of the following options:

    • Force - Requires that the computer is restarted.

    • Suppress - Prevents most reboots.

    • ReallySuppress - Prevents all restarts as part of the installation process, even a silent installation. During migration a reboot may be required. By suppressing a required reboot, full product functionality may not be available until a reboot has taken place. This may not be apparent on a silent install or migration as no user interface messages are displayed.

Additional client installation properties

 The variable val represents the values presented beneath the property, which are valid for that property.


    • 1 - Run LiveUpdate after install (default)

    • 0 - Do not run LiveUpdate after install


    • 1 - On (default)

    • 0 - Off

  • CACHE_INSTALLER=val (SEP 12.1.x & SEP 14.x)

    • 1 - Cache the installation files (default)

    • 0 - Don't cache the installation files


    • 0 - Don't preserve settings

    • 1 - Preserve all firewall/network access settings

    • 2 - Preserve SyLink.xml and logs only


    • 0 = Do not add program to the Start Menu folder

    • 1 = Add program to Start Menu folder (default)

Managed installation - Sylink.xml

For a managed client, the Sylink.xml file that is included with its installation defines the initial server that the client will contact for policy and other updates.


Setaid.ini is primarily used in installations exported from the Symantec Endpoint Protection Manager. Setaid.ini values always take precedence. The installation uses the following settings:


  • KeepPreviousSetting=val

    • 0 = Do not keep previous settings

    • 1 = Keep previous settings 
      Note: This setting pertains to maintain existing settings in the package creation tab.

  • DestinationDirectory=installation_path

  • AddProgramIntoStartMenu=val

    • 0 = Do not an entry to the Start menu

    • 1 = Add an entry to the Start menu

  • InstallUserInterfaceLevel=val

    • u = unattended

    • s = silent

    • f = interactive

In section [LU_CONFIG]:


    • 0 = Do not run LiveUpdate at the end of the install, which overrides the RUNLIVEUPDATE property

    • 1 = Use the default behavior for running LiveUpdate

In section [FEATURE_SELECTION], the following entries are valid for SEP 12.1.x & SEP 14.x (where val is 0 = Don't install the feature and 1 = Install the feature):

  • Core (required)

  • SAVMain=val

  • Download=val

  • OutlookSnapin=val

  • NotesSnapin=val

  • Pop3Smtp=val

  • PTPMain=val

  • TruScan=val

  • DCMain=val

  • NTPMain=val

  • ITPMain=val

  • Firewall=val

  • Saep=val
  • ADDefense=val

  • LANG1033=val


In section [UIRebootMode], valid values are:

  • 0 - Display a Yes / No option if reboot is needed

  • 1 - Display pop-up and do reboot when UI level is f, u or s

  • 3 - No pop-up and no reboot when UI level is f, u, or s

Windows Security Center features

These properties allow for the configuration of the interaction between users and the Windows Security Center (WSC) running on Windows XP Service Pack 2 or Windows Service Pack 3. They do not apply to clients that run Windows Vista, and do not apply to Windows Action Center in Windows 7 and Windows 8.

Note: These properties apply to unmanaged clients only.

    Allows an administrator of a non-managed network to configure the WindowsSecurityCenterControl value.

    • 0 - No action

    • 1 - Disable once

    • 2 - Disable always

    • 3 - Restore if disabled

    Allows an administrator of a non-managed network to configure the AntiVirusDisableNotify value for Windows Security Center.

    • 0 - Enable

    • 1 - Disable (default)

    • 2 - Do not control

    Allows an administrator of a non-managed network to configure the FirewallDisableNotify value for Windows Security Center.

    • 0 - Enable

    • 1 - Disable (default)

    • 2 - Do not control

  • WSCAVUPTODATE=val  (Integer value between 1 and 90; default is 30)
    Allows an administrator of a non-managed network to configure the number of days used to determine if threat definitions are up to date for Windows Security Center.


    • 1 - Disable Windows Defender (default)

    • 0 - Do not disable Windows Defender

Adding and removing features

To remove existing features:


To add new features:

ADDLOCAL=feature1,feature2,feature3,existing feature 1,existing feature 2, ...

Note: When adding new features using ADDLOCAL, any existing features on the target computer that you want to retain must be included or the installation will remove any features on the target computer that are not listed.

For instructions on how to silently remove Symantec Endpoint Protection, see Related Articles.

MSI logging

  • When run from the setup.exe stub, Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Manager (SEPM) automatically create installer logs to the %TEMP% folder (e.g. C:\Documents and Settings\USERNAME\Local Settings\Temp) named either SEP_INST.LOG or SEPM_INST.LOG respectively.

  • When the installers are run from either the Client Deployment Wizard (SEP 12.1.x), the Push Deployment Wizard or when upgrades are deployed to client groups from the SEPM, the installer logs are automatically created in the %WINDIR%\temp folder (e.g. C:\WINDOWS\temp).

  • These installer logs are vital in determining which installer failures are installed.

Please have these logs available when contacting Symantec Support.

Note: Localized operating systems may have slightly different folders for the log files. You can determine what these paths actually are by following the below steps:

  1. Click Start > Run and type one of the following environmental variables:
    • %TEMP% for the user's temp folder
    • %WINDIR%\temp for the Windows temp folder
  2. Press Enter.

Important consideration when selecting features

As documented in our installation guide, we have a number of dependencies when it comes to the selection of features in the SEP client installation. Specifically: "COHMain and DCMain require two parents. COHMain is Proactive Threat Scan and requires PTPMain and SAVMain. DCMain, which is Application and Device Control, requires PTPMain and ITPMain."

The MSI installer will not compensate for these dependencies, and any lacking feature not only will result in a broken installation, but MSIEXEC will not return any fault condition on the missing components.

The diagram below shows the various dependencies:


Related Article