We're in the final phase of migration from SEP11 to SEP12, 99% of our clients we migrated via an two stage SCCM package, firstly an install of the SEP12 client this was followed by a skylinkdrop to point the client to the new management servers.

However, for a number of reasons, 1% of machines just will not be deployed to in that way.

I've had limited success with using sylinkreplacer to point the clients to the new environment at which point the SEPM deploys the new client - the remaining machines are now all elusive to that method also, depsite being online in the SEP11 console and in some cases reachable by icmp.

Rather than resorting to contacting each user and manually installing this, using Group Policy to perform the sylinkdrop seems far more favourable.

After a little research I've found the below link reference a few times

https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together

I've tried step 2, however this policy has no effect - I've also tried placing the command line in batch file and a cmd file neither option works for me.

Running the command locally on the machine has the desired result.

Are there any other deployment methods/better ways of going about this?

Regards,

Mike

Sylinkreplacer would probably be quickest:

http://www.symantec.com/docs/TECH105211

What issues are you having when using it? Any errors?

Hi,

Thank you for posting in Symantec community.

Are you able to send fresh new package on those machines using 12.1 Client Deployement Wizard (CDW)?

As you are using 12.1

Better to use this than the gpo for the 1% clients

How to deploy/update communication settings from your SEPM to your SEP clients machines with SEP 12.1 RU2

http://www.symantec.com/business/support/index?page=content&id=TECH199124

Hello,

this article should show you the best option for such scenario:

http://www.symantec.com/business/support/index?page=content&id=TECH199124

Sylinkreplacer worked on a small portion of machine, the others it just doesn't find (some are not pingable so I'd expect that to be the case) I've tried with and without the discorvery option.

I'll give the CWD a try this afternoon and update as to the result.

I'll give that part of the CDW a try whilst I'm trying the new package part Chetan has suggested.

Another issue I've noticed with the Sylinkreplacer is it states I'm using an acocunt which isn't domain admin and doesn't have local admin rights. I've tried with both a Domain Admin and Enterprise Admin account both with local admin rights on two different machines (a Windows 7 machine and a Windows 8 machine) - perhaps this is contributing to the failure?

CDW method does work for some machines (8 out of the 35 I've tried so far), the ones which didn't (including all Windows 7 machines) state the local administrator password is wrong and won't accept domain administrator credentials....

Hi,

Thanks for the update.

Windows User Account Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable the registry key LocalAccountTokenFilterPolicy. For more information, visit the following URL:

http://support.microsoft.com/kb/951016

Refer these articles to find out more details:

Preparing Windows operating systems for remote deployment

http://www.symantec.com/docs/HOWTO81300

Steps to prepare computers to install Symantec Endpoint Protection 12.1 client

http://www.symantec.com/docs/TECH163112

I'm not sure disabling that registry key is an option for us, as it lowers security on those machines (of course it can be re-enabled afterwards) - I'll do some testing on a non-production machine in order to make a decision.

I can't seem to open either of two Symantec.com urls i keep getting a message similar to:

An error occurred while processing your request.

Reference #97.48c18d3f.1384334183.49bbaca

In the meantime, are there any best practices on using Group Policy to perform the syslinkdrop function?

Hi,

You can directly disable UAC through control panel as well for testing purpose.

I can open both the Symantec.com urls, you can refresh the page if it stuck on loading.

I think there is no such best practices on using Group policy to perform the sylinkdrop function.

Hi,

Is there any update?

OR

If issue has resolved, don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

After having limited success with the SCCM, SyLinkReplacer & Deploying client/communications package via SEPM we've opted to manually install the client on remaining 100 or so machines.

Thanks for the update.