Well, the two killers to consider here are these:
Once the client is joined to the new SEPM - its policies and actions are dictated by that console - meaning if a bad policy or if something arises there on that end, that can be a focal point of disaster; so simply skipping over the testing on this area isn't such a hot idea.
At that phase, when you are ready for the migration from 11.x to 12.1 RU4 that obviously sets in a different set of problems, namely deployment success/failures, engine changes that could result in other issues - however most modern and common applications have been successful in overall migrations w/o any issues. Actually, I find that most overall upgrades are the easy part, it's the policies that are the 'hard' part - what comes out of the box is fair on 12.1.x, but they aren't production sets by any means.
Back to the deployments though, the SEPM is great for the masses, but I generally factor in (and I did this back in my consulting days) a 10% exception/failure rate for upgrades - so a couple things to keep handy with you:
++Cleanwipe 12.1 RU4 (It is now part of the Part 2: Tools download) useful for pulling any defunct clients out or for failed migrations (just requires one reboot to purge out the client, however cannot be run via script, must be run locally [or console remote session])
++A Network share install package (both a 32-bit and 64-bit client of 12.1.4 - pointing to the Default group with Full Server install feature set, which contains the more common techs of SEP, this can be changed later in the SEPM, the content type: Basic - if there were bad defs in there, after install LU would just run, and it keeps the size of the packages down)
The only thing that I would watch out for is (and this is more predominately on the older WinXP/2003 machines) old NIC card drivers, SEP doesn't play well with old NIC drivers - I recommend visiting the chipset manufacturer's website to get drivers (such as Broadcom, Intel, etc) and not so much the OEMs (HP, DELL, etc) but if you do not have a choice on that, any updates are good updates there.
Also when choosing feature sets - I know in the past support has done a great job of not defending the need for the advanced protection components of SEP and we have allowed on frequent occasions in here and on third party sites, to scare our clients in using our advanced features..."Oh just install AV only and you will be okay..." - Gosh if that were true, I'd be using Microsoft Security Essentials or Free AVG at home - why would we even need to pay for AV...Proper configuration is what is needed - please do yourself a favor and prevent doo-doo duty having to clean up messes from after the facts...run full feature sets on those client workstations, configure the FW rules if you have to. Run full feature sets on Servers, I can understand if you have datacenters where you need blazing speed, or if a fileserver isn't liking the firewall, but only take off what you HAVE to.
Anti-Virus and Anti-Spyware, Download Insight (kind of misleading, should just be called reputational insight, it is not limited to just your traditional browser downloads), Email Client (workstations), Intrusion Prevention (life saver), Application and Device control (great for not USB blocking, but threat containment and system hardening) - this is a minimum install level - I would encourage usage of our Firewall (just make sure that you set ALL of the blocking rules to log every time a rule is matched for blocking - that way you can filter legitimate rules back in if need be)