Endpoint Protection

  • 1.  SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 15, 2016 05:25 PM

    Hello,

    I have attempted today to push Symantec Endpoint Protection v12.1.6608.6300 (12.1 RU6 MP3) to a Windows 10 Enterprise client.  This is the first attempt to push SEP of any version to any Windows 10 client.  We have used the same general procedure for years to successfully push to Windows 7 Enterprise clients.

    The first hurdle was getting the Deployment Wizard remote authentication to succeed.  After manually starting the RemoteRegistry service on the target client, the authentication step finally succeeded.                   

    The next step, where the install package is sent to the client, begins promisingly, but several seconds after clicking ‘Send’ the process fails with a red X in the Deployment Status box.  The SEPM Deployment Report offers no further information.  The client event log does not appear to have any record of the install failure.

    Open ports on the Windows 10 client are as follows:

    135/TCP
    139/TCP
    445/TCP
    3389/TCP

    The Win 10 client is a clean installation from Win 10 Enterprise media.  No other third party software has yet been installed.

    Are there some further special steps required for a successful push to Win 10 Enterprise clients?

     

    Thank You,

    Dale



  • 2.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 15, 2016 05:28 PM

    The steps for what is needed are outlined in this article:

    Preparing Windows and Mac computers for remote deployment

    Is the remote registry service running? Make sure it is as this is usually the culprit.



  • 3.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 15, 2016 05:39 PM

    Brian,

    Thank you for the response.  As it turns out, the remote registry service was set to Automatic (Trigger Start) but was not actually running.  I manually started the service and reattempted the remote push.  Same results.  For good measure I tried it again - same results.

    Dale

     



  • 4.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 15, 2016 05:49 PM

    Is UAC and Windows Disabled? Is the registry key 'LocalAccountTokenFilterPolicy' disabled?



  • 5.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 16, 2016 05:04 AM

    Keep this post updated please as to what was the actual reason causing this failure.  Thanks



  • 6.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 16, 2016 12:32 PM

    Following up on this issue…

    The registry key “LocalAccountTokenFilterPolicy” does not natively exist.  Following guidance from the Microsoft site you linked earlier, I’ve added the key in the following location as a DWORD with value 1:

         HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

    To permanently disable Windows Defender I’ve created an AD group policy entry and applied it to this one workstation.  Windows Defender is confirmed disabled.

    With the above done, and the remote registry service confirmed running, the remote push still fails exactly as before.

    As a further step I’ve created an AD group policy to completely disable the Windows Firewall in the domain profile of this client.  With the firewall confirmed disabled I attempted the push once again – same result.

    Dale M.



  • 7.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 16, 2016 12:51 PM

    May want to get support dialed up then.



  • 8.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 16, 2016 06:10 PM

    Further update...

    It appears the scope of this problem may be somewhat greater than I thought.  After talking with my IT associate here in the office, it turns out that since our fairly recent upgrade to 12.1.6608.6300 pushes to new Windows 7 clients from the Client Deployment Wizard have stopped working as well.  I tested this by attempting a push to a fresh Windows 7 Enterprise client and received the same failure as described above. 

    In doing the Windows 7 test I noted one more detail – Every time the push is attempted from SEPM, an entry is created in the client’s Security Event Log indicating an audit failure.  The details are:

        Logon Account:        NT Authority\Network Service
        Source Workstation:   vBobcat    (name of SEPM server)
        Error Code:           0xc0000064

    This happens despite the fact that the authentication credentials entered into the Deployment Wizard just before the start of the push are accepted.

    I did log a ticket with tech support.  They have asked me to attempt a push using the alternate tool, “ClientRemote.exe” which I have not yet attempted.

    At this point, clients that had been at the prior version (12.1.6168.6000) have updated to 12.1.6608.6300 by virtue of our having assigned the new package to the various client groups in SEPM.  However, as described above, attempts to push the same package to a new client invariably fail.

     

    Dale M.
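
An added example, not part of the thread: a PowerShell function that pulls audit failures like the one quoted in the post above from a client's Security log and decodes the status code (0xc0000064 is STATUS_NO_SUCH_USER, meaning the account name was not found). It assumes the entries are Event ID 4776 (credential validation), whose fields match those quoted; the function name is hypothetical.

```powershell
# Added example: list failed credential validations and decode their NTSTATUS.
# Assumption: the audit failure in the post is Event ID 4776 (fields:
# Logon Account / Source Workstation / Error Code). Run from an elevated prompt.

# Common NTSTATUS values reported in the 4776 "Error Code" field.
$StatusText = @{
    '0xc0000064' = 'STATUS_NO_SUCH_USER: account name does not exist'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD: account exists, wrong password'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function Get-FailedCredentialValidation {   # hypothetical helper name
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4776; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Read the named fields from the event XML, not the message text.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
            $status = "$($data['Status'])".ToLower()
            if ($status -ne '0x0') {          # 0x0 means validation succeeded
                $meaning = $StatusText[$status]
                if (-not $meaning) { $meaning = 'not in lookup table' }
                [pscustomobject]@{
                    Time        = $evt.TimeCreated
                    Account     = $data['TargetUserName']
                    Workstation = $data['Workstation']
                    Status      = $status
                    Meaning     = $meaning
                }
            }
        }
}

# Failures from the last 15 minutes, grouped so repeated push attempts collapse.
Get-FailedCredentialValidation -Since (Get-Date).AddMinutes(-15) |
    Group-Object Account, Workstation, Meaning |
    Select-Object Count, Name
```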



  • 9.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 16, 2016 06:19 PM

    Using a different tool is not the answer, even though it may work for what you need. I hope they look into this issue.



  • 10.  RE: SEPM Push of 12.1 RU6 MP3 to Windows 10 Enterprise Client Fails

    Posted Feb 26, 2016 08:48 AM

    When all was said and done, I ended up performing a complete reinstall of the SEP Management system.  During that process, at the conclusion of the database restore, the Management Server Configuration Wizard automatically starts.  During the running of the wizard I received a message indicating, "The certificate in the recovery file does not match the certificate in the database".  I generated a new certificate and at the conclusion of the process, I was once again able to push new installations to clients (both Win 7 and Win 10).  It was however necessary to push a new sylink.xml file to existing clients to re-establish communication with them.

    In the end, I wonder if the original problem (inability to push install package to new clients) might possibly have been remedied by simply generating a new server certificate (?)

    Thank You,

    Dale M.