
Registry Delete problem for Master Image for cloning

Created: 02 Sep 2013 • Updated: 05 Sep 2013 | 6 comments
This issue has been solved. See solution.

Hi all, it's been a while since I last posted a problem.

The current problem I am facing is that I am building a master image and am following the process from this KB article

I am having a problem deleting the recommended registry keys below; I am getting access denied even as local admin:

  1. Delete HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
  2. Delete HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HostGUID

This installation is a scripted MSI install of SEP 12.1.2100.2093

I have tried a right click delete and a REG DELETE from the command line.

The local admin account has full control access to the Key and I cannot see any Deny permission being set. An interesting note is that I cannot create a new Value in the Symantec key hive; same problem, access denied.

Can anyone offer any assistance or advice?


SMLatCST

Have you tried disabling Tamper Protection on the master machine?

What happens if you try running the ClientSideClonePrepTool?

To be fair, the steps identified in the article you linked are only required if including SEP in the base image you'll be deploying.  If you're going to be deploying SEP to your machines as an MSI after they've been imaged, then this is not required.

Jamit

I have not tried the Client Side Clone Prep Tool because I need to script the process but I am going to try anyway.


I have run the Client Side Clone Prep Tool successfully under the same security context as the one I was using when manually trying to delete the keys.

It would be so much easier if Symantec made the prep tool non-interactive or had some way of suppressing the interactive prompt!

I still need to be able to script this process.  

One thing I did not mention in my original post is that I am doing a SCM -stop prior to trying to delete the reg values.

We are including SEP in the base image due to corporate policy.

SMLatCST

That's the thing really, if you're including SEP in the base image, then there's no real reason to script the process as it should only need to be performed on the "gold image" machine prior to you taking the image.  As such, I'd recommend going with the tool provided.

If you think you'll need the process to be run silently again in the future however, then you will have to disable tamper protection to start messing with the SEP reg hives (or set it to "log only").


Essentially, the Tool is signed by Symantec and is therefore authorised to make the necessary reg changes.  Performing the changes manually or via a script (as you were attempting) requires disabling tamper protection.

As the article suggests, it's perfectly possible to make the changes using a script.  All you have to do as far as security goes, is make sure you re-enable tamper protection on the target group after the image has been taken.  This has the effect that when new endpoints (created from the image) check-in, they will automatically re-enable tamper protection again.
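A scripted version of the cleanup discussed in this thread, as an added example that is not part of the original posts and is not Symantec's code. It assumes an elevated PowerShell session on the gold image just before capture; the function name `Remove-SepCloneIdentifier` and the status labels are hypothetical, while the key path and value names are the ones quoted in the question. It treats "access denied" as a build failure so the image is never captured with the identifiers still in place.

```powershell
# Added example: pre-capture cleanup for a gold image that includes SEP.
# Key path and value names are the ones quoted in the original post.
$SyLinkKey  = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
$CloneNames = 'HardwareID', 'HostGUID'

function Remove-SepCloneIdentifier {   # hypothetical helper name
    param(
        [string]$KeyPath = $SyLinkKey,
        [string[]]$Name  = $CloneNames
    )
    foreach ($n in $Name) {
        $status = 'Removed'
        $detail = ''
        try {
            $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
            if ($key.GetValueNames() -notcontains $n) {
                $status = 'AlreadyAbsent'
            } else {
                Remove-ItemProperty -LiteralPath $KeyPath -Name $n -ErrorAction Stop
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            # Assumption: SEP is expected in this image, so a missing key is an error.
            $status = 'KeyMissing'; $detail = $_.Exception.Message
        }
        catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
            # The symptom from the question: denied even for a local admin.
            $status = 'AccessDenied'
            $detail = 'Blocked; check whether Tamper Protection is still enforcing here.'
        }
        catch {
            $status = 'Error'; $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Value = $n; Status = $status; Detail = $detail }
    }
}

$results = Remove-SepCloneIdentifier
$results | Format-Table -AutoSize

# Fail the build unless every identifier is confirmed gone.
$failed = @($results | Where-Object { $_.Status -notin 'Removed', 'AlreadyAbsent' })
if ($failed.Count -gt 0) {
    Write-Error 'Clone identifiers were not cleared; do not capture this image.'
    exit 1
}
```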

SMLatCST

Oh yeah, if you already have endpoints out there from an image that was not properly prepared for cloning, then it's recommended to run through the below article instead:

On a final note, as always, it'd be appreciated if you could mark any posts you find useful with a "Thumbs Up" or as the Solution to aid others who might be experiencing the same issues.

Jamit

Thanks for the suggestions SMLatCST. I do need to be able to script this. We are heavily into automation for our SOE/MOE build processes and manual intervention or post installation is not ideal or accepted.

For now I am going to use the Client Side Clone Prep Tool combined with an AutoIT script to automate the process.

SMLatCST

No problems, I'm glad you found something that works for you.

As mentioned earlier, it'd be appreciated if you could mark any posts you find useful with a "Thumbs Up" or as the Solution to aid others who might be experiencing the same issues.