The Symantec Endpoint Protection client will not deploy through the network to a Windows Vista, 7, or Server 2008 system

Article:TECH165133  |  Created: 2011-07-21  |  Updated: 2012-08-07  |  Article URL http://www.symantec.com/docs/TECH165133
Article Type: Technical Solution



Issue



When using the Migration and Deployment Wizard to deploy the Symantec Endpoint Protection (SEP) client across the network to a Windows Vista, Windows 7, or Windows Server 2008 system, the deployment fails.


Cause



There are several Windows settings which can cause the remote deployment to fail. The most common of these, and their solutions, are listed below.


Solution



Disable the Windows Sharing Wizard

The Windows Sharing Wizard must be disabled in order for the deployment to succeed.

Note: If the computer is joined to a domain, this may already be disabled.

  1. Click Start
  2. Click Computer
  3. Click Organize
  4. Click Folder and search options
  5. Click the tab View
  6. Remove the checkmark from Use Sharing Wizard

Windows Firewall

In some situations, the Windows Firewall may cause the deployment to fail. It may be worthwhile to temporarily disable the Windows Firewall to rule it out as a cause of the deployment problem. If the Windows Firewall needs to be used going forward, it may be re-enabled after the SEP client is deployed.

Administrative Shares

The Migration and Deployment Wizard requires access to the built-in Windows administrative shares (e.g., C$ and admin$) in order to copy files to the remote computer.

Please confirm that the administrative shares are enabled and accessible.

Example: \\<ip address of remote machine>\c$

User Account Control (UAC)

In some situations, UAC can block access to the remote computer's administrative shares if the account used to authenticate to the remote computer is a user account local to that computer. (Source: http://support.microsoft.com/kb/947232)

In this situation, either authenticate to the remote computer using a domain administrator's account or temporarily disable UAC.

Account Privileges

Please ensure the account being used to deploy the SEP client has sufficient privileges and is not a restricted account. In most situations, it is most appropriate to use a domain administrator account. If this is not possible, use a local administrative account for the remote computer, but be aware of the UAC restriction (above).

Remote deployment of SEP 11 clients from the SEPM to other domain member computers may fail due to Microsoft changes in the networking defaults of Windows 7 and above. When the local system account connects to other computers that are not in the same domain, it uses a NULL session (which allows SEP client deployment). When the local system account connects to other computers that are in the same domain, it tries to use the computer name to authenticate. In older Windows versions this connection could, by default, fall back to a NULL session. In Windows 7 and above, the default behavior does NOT allow this fallback. The solution is to upgrade the SEPM to SEP 12.1; a workaround for SEP 11 is to run the SEPM service as domain administrator or add the SEPM's Active Directory computer account to an Administrative Group.
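
The checks above can be run as a pre-flight test from the deploying computer before starting the wizard. This is an added example, not Symantec code: the function name Test-SepPushPrereq and the sample target are hypothetical, and it assumes the administrative shares are reached over SMB on TCP port 445, which the article does not state.

```powershell
# Added example, not part of the original article or any Symantec tool.
# Run on the deploying computer, logged on as the account used for deployment.
function Test-SepPushPrereq {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Assumption: admin shares are served over SMB on TCP 445.
    # TcpClient is used so the check also works on PowerShell 2.0 (Windows 7 / 2008 R2).
    $portOpen = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, 445, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(3000, $false)) {
            $client.EndConnect($async)
            $portOpen = $client.Connected
        }
    } catch {
        $portOpen = $false      # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }

    # Test-Path runs with the credentials of the current logon session,
    # so a False here means "not accessible to this account".
    $adminShare = $false
    $cShare = $false
    if ($portOpen) {
        $adminShare = [bool](Test-Path -Path ('\\{0}\admin$' -f $ComputerName) -ErrorAction SilentlyContinue)
        $cShare     = [bool](Test-Path -Path ('\\{0}\c$' -f $ComputerName) -ErrorAction SilentlyContinue)
    }

    # Map the observation back to the causes listed in this article.
    if (-not $portOpen) {
        $hint = 'TCP 445 unreachable: check Windows Firewall on the target'
    } elseif (-not ($adminShare -and $cShare)) {
        $hint = 'Share not accessible: check admin shares, UAC and local accounts, account privileges'
    } else {
        $hint = 'Administrative shares reachable with this account'
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName; Port445Open = $portOpen
        AdminShare = $adminShare; CShare = $cShare; Hint = $hint
    }
}

# Constructed sample target (documentation address range); replace with a real host.
Test-SepPushPrereq -ComputerName '192.0.2.10' | Format-List
```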


Supplemental Materials

Source: ETrack
Value: 1999372
Description: SEPM on W2008 R2 cannot use "Find Unmanaged Clients" to deploy new clients if SEPM and client are domain members


Source: ETrack
Value: 2248859
Description: Remote push install to domain Windows 7 clients fails.



