Sophos Automated Software Rollout

I recently had to install the Sophos Anti-Virus suite at a client office and had issues with a few PCs during the automated rollout of the software. The problem seemed to be that the server with Sophos Control Center was not able to remotely administer several client PCs. The way I was able to test this out was by using Computer Manager to test connecting to each one of the PCs I was having problems installing the software on.

On each PC experiencing the issue, I was not able to remotely connect with Computer Manger. Once I was able to connect with Computer Manager, the Sophos software installed successfully.

There were two reasons this was failing in our environment consisting of Windows XP and Windows 7 workstations.

The problem with Windows XP was that the XP firewall as blocking remote administration. I solved this problem by setting the firewall to allow remote administration through group policy. To do this:

  1. From the server desktop, click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. On the Standalone tab, click Add.
  4. In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.
  5. In the Select Group Policy Object dialog box, click Browse.
  6. In the Browse for a Group Policy Object, click the Group Policy object that you want to update with the new Windows Firewall settings. I decided to choose Default Domain Policy since then it would apply to all PCs in the domain.
  7. Click OK.
  8. Click Finish to complete the Group Policy Wizard.
  9. In the Add Standalone Snap-in dialog box, click Close.
  10. In the Add/Remove Snap-in dialog box, click OK.
  11. In the console tree, open Computer ConfigurationAdministrative TemplatesNetworkNetwork Connections, Windows Firewall, and then Domain Profile.
  12. Edit the properties for Windows Firewall: Allow Remote Administration Exception.
  13. Select enable and enter the IP of your server so that you don’t open up remote administration to everyone.

After a restart of the PC, you should be able to deploy Sophos or any other remotely installed software.

For Windows 7 PCs, the problem was that remote administration and installation of software requires the remote registry service to be running. It is set to Automatic startup on Windows XP but set to Manual startup on Windows 7. After changing the startup type to Automatic and starting the service I was able to easily deploy Sophos.