How to deploy Endpoint Protection to Windows Embedded with the Image Configuration Editor (ICE)

Article ID: 178618

Products

Endpoint Protection

Issue/Introduction

 

Resolution

Symantec Endpoint Protection (SEP) 12.1.6 offers improved support for Windows Embedded. The following process provides steps to deploy the reduced-size client package to Windows Embedded using the Image Configuration Editor (ICE).

The Windows Embedded Standard toolkit includes the Image Configuration Editor. Before you begin, you must install the Image Configuration Editor.

Note: The process below uses Windows Embedded Standard (WES) 7, but can also apply to Windows Embedded Standard 8.

To deploy Symantec Endpoint Protection (SEP) for Windows Embedded with the Image Configuration Editor (ICE)

This process assumes familiarity with the Image Configuration Editor. For more information on using the Image Configuration Editor, consult the documentation provided by Microsoft.

  1. Create the appropriate Symantec Endpoint Protection installation package
  2. Put the Symantec Endpoint Protection installation package on a distribution share
  3. Add the Symantec Endpoint Protection folder into the answer file
  4. Add the setup command to run the answer file during installation
  5. Create the image media with the answer file
  6. Create the ISO image
  7. Install the embedded operating system
  8. Perform an additional reboot

I. Create the appropriate Symantec Endpoint Protection installation package

In the Symantec Endpoint Protection Manager console, export a reduced-size client installation package. You can use the preconfigured Default Reduced Size Installation Settings, which is an unattended installation, or you can configure another set of installation settings that also uses a Silent installation type. You can export the package as a single .exe file, or as a collection of files in a folder.

Note: You can also use an unmanaged client installation package for Symantec Endpoint Protection, but you must configure it as an unattended installation. To do this, add /q to the setup.ini file.
 

II. Put the Symantec Endpoint Protection installation package on a distribution share

  1. On the computer that runs Image Configuration Editor, create the following subfolder within C:\Program Files (x86)\Windows Embedded Standard 7\DSSP1\$OEM$ Folders\:
    SEP\$OEM$\$1\SEP
    The designator $OEM$\$1 in the name of the subfolder indicates that the Symantec Endpoint Protection folder is copied to C: during the embedded operating system installation.
    Note: To copy the folder to a different location, see Distribution Shares in Standard 7 (Standard 7 SP1).
  2. Copy the Symantec Endpoint Protection installation files into the SEP\$OEM$\$1\SEP subfolder. Do not copy the folder containing the files, only the files themselves.
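
The staging steps above can be scripted. The following PowerShell is an added example, not part of the original article or vendor code; `$PackageDir` and the manifest name `staged-sha256.csv` are hypothetical, and it assumes the package was exported as a folder containing setup.exe and that PowerShell 4.0 or later is available.

```powershell
# Added example (not vendor code). Assumptions: $PackageDir is a hypothetical
# export location; the package was exported as a folder containing setup.exe.
param(
    [string]$PackageDir = 'D:\Export\SEP_Embedded',
    [string]$DsRoot     = 'C:\Program Files (x86)\Windows Embedded Standard 7\DSSP1'
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Single quotes matter: inside double quotes PowerShell would expand $OEM and
# $1 as variables and silently build the wrong path.
$target = Join-Path $DsRoot '$OEM$ Folders\SEP\$OEM$\$1\SEP'

$setup = Join-Path $PackageDir 'setup.exe'
if (-not (Test-Path -LiteralPath $setup -PathType Leaf)) {
    throw "setup.exe not found directly under $PackageDir"
}

# Record the signing state of the installer before it goes into the image.
$sig    = Get-AuthenticodeSignature -FilePath $setup
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
Write-Host "setup.exe signature: $($sig.Status), signer: $signer"
if ($sig.Status -ne 'Valid') {
    Write-Warning 'Installer signature is not valid; confirm the package source before staging.'
}

# Copy the files themselves, not the containing folder, so that setup.exe ends
# up at C:\SEP\setup.exe on the installed system.
New-Item -ItemType Directory -Path $target -Force | Out-Null
Copy-Item -Path (Join-Path $PackageDir '*') -Destination $target -Recurse -Force

if (-not (Test-Path -LiteralPath (Join-Path $target 'setup.exe') -PathType Leaf)) {
    throw "Staging failed: setup.exe is not at the top level of $target"
}

# Write a SHA-256 manifest so the staged files can be re-checked later.
Get-ChildItem -LiteralPath $target -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -LiteralPath (Join-Path $PackageDir 'staged-sha256.csv') -NoTypeInformation
```

Run it from an elevated prompt, because the distribution share is under Program Files.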
     

III. Add the Symantec Endpoint Protection folder into the answer file

  1. Open the Image Configuration Editor.
  2. Click File, then open an existing answer file (also called a configuration file) or create a new one. Verify that any other required components you need are present.
  3. In the Distribution Share pane, expand $OEM$ Folders and locate the Symantec Endpoint Protection folder.
  4. Right-click the Symantec Endpoint Protection folder and then click Insert OEM Folder Path.
  5. To verify your changes, in the Answer file pane, click Product > Operating system > Foundation Core > Windows Embedded Edition > Setup_x86. The right pane shows a new entry for Symantec Endpoint Protection in OemFolderPaths of the 1 Windows PE phase.
     

IV. Add the setup command to run the answer file during installation

The Symantec Endpoint Protection setup can run in two phases: 4 Specialize and 7 OOBE system. The differences are as follows:

| 4 Specialize phase | 7 OOBE system phase |
| --- | --- |
| Symantec Endpoint Protection setup occurs after the system is installed and booted, but before any user configuration occurs. | Symantec Endpoint Protection setup occurs after the user configuration is complete and an administrative user logs on to the system for the first time. |
| Commands run by default using the System account. | Commands run only when an administrative user logs on for the first time. |
| Commands run during system installation, and are not visible to the end user. The system installation time may seem very long as a result. | Commands run after the administrative user clicks to log on. The desktop does not load until the commands run. The length of time until the desktop loads may seem very long as a result. |

To install Symantec Endpoint Protection with 4 Specialize phase

  1. In the Image Configuration Editor, click Insert > Synchronous Command > pass 4 Specialize.
  2. Enter C:\SEP\setup.exe for the command line to use.
    Note: If you previously customized the folder location, use that path instead of C:\SEP\.
  3. To verify your changes, in the Answer file pane, click Product > Operating system > Foundation Core > Windows Embedded Edition > Setup_x86. You should see a new entry under RunSynchronous for the 4 Specialize phase: RunSynchronousCommand. You can configure credentials here if you do not want to use the System account to install Symantec Endpoint Protection.
     

To install Symantec Endpoint Protection with 7 OOBE system phase

  1. In the Image Configuration Editor, click Insert > Synchronous Command > pass 7 oobeSystem.
  2. Enter C:\SEP\setup.exe for the command line to use.
    Note: If you previously customized the folder location, use that path instead of C:\SEP\.
  3. To verify your changes, in the Answer file pane, click Product > Operating system > Foundation Core > Windows Embedded Edition > Shell-Setup_x86. You should see a new entry under FirstLogonCommands for the 7 OOBE system phase: SynchronousCommand. You do not need to configure credentials because the command to install Symantec Endpoint Protection runs using the credentials of the administrative user that logs on.
     

V. Create the image media with the answer file

  1. In the Image Configuration Editor, click Tools > Create Media > Create IBW Image from Answer File.
  2. Click Browse to specify the location where you want to create the media files, and then click Create Media.
  3. To verify the file creation, navigate to the location you specified. The Symantec Endpoint Protection installation files are under AutoUnattend_Files\windowsPE\$OEM$ Folders\SEP\$OEM$\$1\SEP.
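
The manual check in step 3 can be extended to confirm that the files in the media are byte-for-byte the ones staged in the distribution share and that the answer file carries the setup command. This PowerShell is an added example, not part of the original article or vendor code; `$MediaRoot` is a hypothetical media location, and it assumes AutoUnattend.xml sits in the media root (as section VII describes for the ISO) and PowerShell 4.0 or later.

```powershell
# Added example (not vendor code). Assumption: $MediaRoot is the hypothetical
# folder chosen under Tools > Create Media. Requires PowerShell 4.0 or later.
param(
    [string]$MediaRoot = 'D:\WES7Media',
    [string]$DsRoot    = 'C:\Program Files (x86)\Windows Embedded Standard 7\DSSP1'
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$rel     = '$OEM$ Folders\SEP\$OEM$\$1\SEP'      # single quotes: literal $ signs
$staged  = Join-Path $DsRoot $rel
$inMedia = Join-Path (Join-Path $MediaRoot 'AutoUnattend_Files\windowsPE') $rel

# Map of relative path -> SHA-256 for every file below $Root.
function Get-HashMap([string]$Root) {
    $base = (Get-Item -LiteralPath $Root).FullName
    $map  = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $key = $_.FullName.Substring($base.Length).TrimStart('\')
        $map[$key] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

$src = Get-HashMap $staged
$dst = Get-HashMap $inMedia
$problems = @()
foreach ($k in $src.Keys) {
    if (-not $dst.ContainsKey($k))  { $problems += "missing from media: $k" }
    elseif ($dst[$k] -ne $src[$k])  { $problems += "hash mismatch: $k" }
}
foreach ($k in $dst.Keys) {
    if (-not $src.ContainsKey($k))  { $problems += "not in distribution share: $k" }
}

# The answer file must carry the setup command added in section IV.
$answer = Join-Path $MediaRoot 'AutoUnattend.xml'
if (-not (Select-String -LiteralPath $answer -SimpleMatch 'C:\SEP\setup.exe' -Quiet)) {
    $problems += 'AutoUnattend.xml does not reference C:\SEP\setup.exe'
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Media matches the distribution share ($($src.Count) files)."
```

If you customized the folder location in section IV, change the `C:\SEP\setup.exe` string to match.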
     

VI. Create the ISO image

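You can use any tool that creates an ISO image to complete this task. You can also use oscdimg.exe, which is included with the Windows Embedded Standard toolkit. In a command window, enter the following command, where <media folder> is the location where you created the media files and <ISO file> is the ISO image to create. The path to oscdimg.exe contains spaces, so it must be quoted:

"C:\Program Files (x86)\Windows Embedded Standard 7\Tools\x86\oscdimg.exe" -n -m -b<media folder>\BOOT\ETFSBOOT.COM <media folder> <ISO file>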

For more information, see Oscdimg Command-Line Options.
 

VII. Install the embedded operating system

This task is no different than when you install the embedded operating system without Symantec Endpoint Protection in place.

If the embedded operating system installation asks you to select Build an image with IBW or Deploy an image with answer file, select the latter. Browse to the root directory of the ISO image and select AutoUnattend.xml.
 

VIII. Perform an additional reboot

Once the embedded operating system and Symantec Endpoint Protection are installed, you must reboot one more time to complete the Symantec Endpoint Protection installation. If you do not perform the extra reboot and you log on to the system after the embedded operating system installation, the Symantec Endpoint Protection notification area icon displays a warning that a reboot is required.