This document lists the best practices for cloning a SEP 14/14.2/14.3.x client in either a physical, or virtual, environment. If you do not follow these best practices, then cloned Endpoint Protection clients will have duplicate identifiers, which will result in problems with management and inaccuracies in reporting.
For Symantec Endpoint Security (SES) clients, see Installing Symantec Agent on a client device without automatically enrolling it.
These instructions are for Windows clients; for Macintosh clients, see Deploying Endpoint Protection for Mac as part of a drive image for cloning.
Prepare clients for cloning using ClientSideClonePrepTool
- Install the operating system, needed applications, and all relevant patches
- Install the Endpoint Protection client and update with the latest available definitions
- Download and extract the tool for your client version: 14.3 RU4 and below - ClientSideClonePrepTool.zip; 14.3 RU5 - 1658944830786__ClientSideClonePrepTool_14_3_5.zip
- In SEP 14.0 RU1 and above, turn off the Application Hardening feature for this client, otherwise the clone prep tool might be blocked when Hardening Enforcement policies are applied
- Disable Tamper Protection or create a Tamper Protection Exception for the complete tool path: e.g. C:\TEMP\ClientSideClonePrepTool.exe
- Run ClientSideClonePrepTool.exe (You must be logged on as a Windows administrator.)
Note: For Windows 10 32-bit/64-bit, the ClientSideClonePrepTool.exe tool needs to be run with elevated privileges (e.g. "Run as administrator").
This tool removes all Symantec Endpoint Protection client identifiers and leaves the Symantec Endpoint Protection services stopped. Using this tool should be the last step in the image preparation process, before running Sysprep and/or shutting down the system. Shut down the system after running clone prep; do not restart. If the system or the Symantec Endpoint Protection client services are restarted, then new identifiers are generated and you must run the tool again before cloning.
Silently prepare clients for cloning using manual steps
The ClientSideClonePrepTool does not run silently, but you can script the following steps as a silent alternative. If you script these steps, you must disable Tamper Protection on the Symantec Endpoint Protection client.
- Run smc -stop
- Delete all instances of sephwid.xml and communicator.dat on the file system. Possible locations:
- C:\Program Files\Common Files\Symantec Shared\HWID\
- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config
- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\PersistedData\
- C:\ProgramData\Symantec\Symantec Endpoint Protection\PersistedData\
- C:\Users\All Users\Symantec\Symantec Endpoint Protection\PersistedData
- C:\Documents and Settings\*\Local Settings\Temp\
- Delete the following registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\ForceHardwareKey
- HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID
- HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HostGUID
NOTE That these values on 64-bit systems have been moved in Symantec Endpoint Protection 12.1 RU5 to HKLM\SOFTWARE\Wow6432Node. 14.3 RU5 and higher will use the above keys as it is a native 64-bit client.
NOTE Tamper protection will need to be disabled in policy to edit and clear these values.