Endpoint Protection

Due to software conflicts, we recently rolled back to an older version of Symantec Endpoint Protection (12.1.1101.401). This required removing the newer version locally (at each client machine) then redeploying the older version through SEP Manager (local installs don't seem to be allowed). This method was required because - for obvious reasons - SEP doesn't like going from new to old versions.

My problem is that on one machine I am unable to push the client software. I successfully removed other version, but when deploying 12.1.1... it just hangs on the "Deploying Client Remotely" screen with "0% finished" for hours. No error message, just hangs.

Any thoughts are much appreciated!

Is this the only client that's having the issue?

Have you seen this?

Preparing Windows operating systems for remote deployment

Yes, this is the only client having a problem (all our machine of the same model share the same ghost image, so you would think they would share the same problems as well). Thank you for the link! In response to that article: I am using a domain admin to push the client (as they advise) and it's going to a Win7 machine.

Prepare Windows Vista, Windows Server 2008, or Windows 7 computers: Windows User Access Control blocks local administrative accounts from remotely accessing remote administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable the registry key LocalAccountTokenFilterPolicy. For more information, see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/951016

If the Windows client computer is part of an Active Directory domain, you should use domain administrator account credentials for Remote Push.

In addition, perform the following tasks:

• Disable the Windows Firewall, or configure the firewall to allow the required traffic.
• Disable the Sharing Wizard.
• Enable network discovery by using the Network and Sharing Center.
• Enable the built-in administrator account and assign a password to the account.
• Verify that the account has administrator privileges.
• Disable or remove Windows Defender

Steps to prepare computers to install Symantec Endpoint Protection 12.1.x client

Upgrade clients to SEP 12.1 by Auto upgrade feature

http://www.symantec.com/connect/articles/upgrade-clients-sep-121-auto-upgrade-feature

Can you explain what you meant by local installs not allowed ? 

when you push the package it gets copied on the local machine %temp% folder

runs the install which the account used for push.

if they are not allowed to run ( locally) remote will also not work

is the windows firewall /uac disabled and admin$ share is accessible?

Does the same thing happen if you use the "Push Deployment Wizard" rather than the wizard built into the SEPM Console?

http://www.symantec.com/docs/TECH195705

They should operate in the same way, so I'd be curious to see what happens.  The fact that it's stuck on 0% seems to suggest the ports are open and a connection is established, but it cannot copy the files across (or is doing so reaaaaaaaly slowly).

Thank you for the good info and links. I check, and we don't have the LocalAccountTokenFilterPolicy registry key on our systems. All the other tasks you listed are controlled by our Group Policy which didn't prevent our installing clients on other machines. Unfortunately, we are trying to roll-back to an older SEP version, not 12.1. And we are on an isolated network, so Auto upgrade is not possible.

I only meant that SEP tells me I shouldn't install the client locally, I should do it through SEP Manager.

Can you tell me what files I am looking for in %temp% folder? Should I delete any old files in temp before attempting to install the client?

Thanks!

You can do it locally, no reason you can't other than you will have to physically be at the machine (or another admin)

That would be excellent if it works. Is the Push Deployment Wizard included in the SEPM software or do you have to download it from the link you gave?

seems You are trying to install a managed version of SEPM from CD1, 

You need to export a manged package from SEPM and install it locall on the client

here is the link

http://www.symantec.com/business/support/index?page=content&id=HOWTO59431

It's a standalone app on the download ISO under the Tools directory or just grab it from the link that was provided as its at the bottom to download for free.

If it's not in the path described in the article, then you can find it in the "Part_2_Tools" download from FileConnect

That utility failed with the following error: API error: 1726 "error accessing remote machine using remote registry service."

Remote registry service , should be strated on the machine

its one of the pre-requisites...

Hello, 

You can ue push installation wizard which can be downloaded from fileconnect.

Makw sure that 445 port is open from the Pushing node.

Regards

Ajin