Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Deploying SEP to Windows 8 clients

Created: 24 Jan 2013 • Updated: 24 Jan 2013 | 12 comments

Setup is this. Server is Windows Server 2012 running SEP 12.1.2015.2015. I have things pretty much setup (I mimiced the old SEP setup that was on a Server 2008 R2 box) and have successfully deployed packages to several servers, both Server 2012 and 2008 R2. However, I cannot successfully deploy to Windows 8 clients.

I've created a Workstations group in Clients and then start the Add a Client wizard. I choose New Package Deployment, on the next screen is selected the Windows package, Full Protection for Clients, Default Client Installation Settings, All content, and Computer mode.On the next screen I select Remote Push. Then I get the screen where I browse the network and expand the domain, revealing the clients. I select and client machine and click the arrow button to move it over. The login credentials box pops up and I enter the username of the domain administrator, its password, and the domain name, then click OK. The "testing connections" box appears for a minute or two, and then a window pops up that says the login failed.

This happens only with the Windows 8 clients. The Windows 7 clients have no problem being added as do the Server 2012 and 2008 R2 clients.

So what is it about the Windows 8 systems that isn't letting me add them? These are all on the domain and I can connect to any of them using \\hostname\c$.

Jonathan

Comments 12 CommentsJump to latest comment

.Brian's picture

Did you try using domain admin credentials?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

JLeslie's picture

I guess you didn't notice that I said was using the domain administrator account to connect. It works on the Windows 7 systems so it should also work on the Windows 8 systems as it should work on any domain joined system.

Jonathan

.Brian's picture

Than somethig has to be different from your clients that are working. I assume you turned off the Windows fw, turned off UAC..etc.

You can look at this article which should also apply to Win8

The Symantec Endpoint Protection client will not deploy through the network to a Windows Vista, 7, or Server 2008 system

Article:TECH165133  |  Created: 2011-07-21  |  Updated: 2012-08-07  |  Article URL http://www.symantec.com/docs/TECH165133

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ's picture

How does it look like with UAC settings? Any differences here between your windows 8 clients and the others? Try to disable it - it has proven to be the culprit in the past for several systems:

http://www.symantec.com/business/support/index?page=content&id=TECH165133

JLeslie's picture

I found a few that have UAC disabled and it didn't work on them either so UAC must not be the culprit. I'm checking on other possibilities.

Jonathan

SebastianZ's picture

Sorry must have missed that. Can you check two more things:

- if network discovery is enabled? (I suppose it is though)

- if Sharing Wizard is disabled? (Folder options -> View)

JLeslie's picture

I believe I may have found the problem. On the Win 7 systems, the Remote Registry service is enabled but on the Win 8 systems it is disabled.

When a connection fails when trying to add a client, the error window contains a link to a Symantec article telling how a client must be configured to allow SEP to do its thing. One of those items is the Remote Registry service must be enabled.

I changed the service on a Win 8 box from Disabled to Manual and tried again to push the agent. The client was immediately added to the list and the wizard completed with no errors.

But now here's another twist and I'm wondering if I should start a new thread.

I created a group for servers and a group for workstations. I went through the same process to create each group and add clients to each group.

Here's the twist. Once the wizard finished pushing the agent out to the servers, the servers all showed up in the servers group I created. But none of the PCs show up in the workstations group even though the agent install wizard finished successfully with them.

Any idea why the PCs aren't showing up in the group?

Jonathan

.Brian's picture

You need to select the Workstations group and run the wizard again for them to end up in the Workstations group.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ's picture

Remote Registry should be enabled as well - have a look here as well:

http://www.symantec.com/business/support/index?pag...

... the article mentions as well LocalAccountTokenFilterPolicy registry key.

JLeslie's picture

I figured out about the remote registry from the page the error message took me to.

As soon as I changed that service from disabled to manual, the agent installed. So I don't think I'll to create that registry key unless some other clients don't install.

Jonathan

SebastianZ's picture

Without reinstalling the whole package you can simply update the client communications settings (from the desired group) per push from SEPM:

https://www-secure.symantec.com/connect/articles/s...

JLeslie's picture

I remotely connected to each PC and changed the startup type for the Remote Registry service from Disabled to Manual. Once I did that, I was able connect to and push out the client package to all of the Win7 and Win8 workstations. And they're all showing up in the console on the server.

Thanks for all of the help everyone!

Jonathan

Jonathan