
Endpoint Security Pekahiah

I have completed a couple of projects recently migrating customers from Symantec Endpoint Protection v11.0 to v12.1, including moving to a new SEP Manager. In these projects, the decision was made to do a fresh install of the SEPM, and move the clients into the new manager, without using replication between the old and new SEPM.

The file on the SEP v11 client called Sylink.xml tells the client which server to connect to, what the server certificate is and which group the client should join on the SEPM (among other things).

There is a tool on the SEP media part 2 in Tools\SylinkDrop.exe which can be used to swap the Sylink.xml file on the SEP client.

During these projects I was looking for a way to simplify the creation of the sylink.xml file. The projects both involved a large number of client groups – I didn't really want to manually export the communication settings for over 30 groups!

This led me on a PowerShell path of discovery, and the realisation that PowerShell could load an XML file as a data object, manipulate it, and then write it out! This was exactly what I needed.

The process I used to generate the sylink files was:
– Create the group structure in the SEPM
– Create a groups.txt file: this file has one SEP client group per line
– Export a sylink.xml file from the destination SEPM: for example, download the communication settings file from the “My Company” top level group
– Run the update_sylink.ps1 PowerShell script
– Deploy the sylink files to the SEP agents with SylinkDrop.exe

The groups.txt file contained lines like:

    My Company\Desktops
    My Company\Desktops\WA
    My Company\Desktops\NSW
    My Company\Desktops\NT
    My Company\Desktops\QLD
    My Company\Desktops\SA
    My Company\Desktops\TAS
    My Company\Desktops\VIC

Note that SEP is case sensitive – the groups.txt file must match the group names in the SEPM.

When you export the sylink.xml, you will end up with a file that looks like:

    <?xml version="1.0" encoding="UTF-8"?>
    <ServerSettings DomainId="BC7791940DEADBEEF3A86829">
      <CommConf>
        <AgentCommunicationSetting AlwaysConnect="1" CommunicationMode="PULL" DisableDownloadProfile="0"
            Kcs="18F84DEADBEEF2CF46D" PullHeartbeatSeconds="1800" PushHeartbeatSeconds="300"
            UploadCmdStateHeartbeatSeconds="300" UploadLearnedApp="0" UploadLogHeartbeatSeconds="300"
            UploadOpStateHeartbeatSeconds="300"/>
        <LogSetting MaxLogRecords="100" SendingLogAllowed="1" UploadProcessLog="1" UploadRawLog="1"
            UploadSecurityLog="1" UploadSystemLog="1" UploadTrafficLog="1"/>
        <RegisterClient PreferredGroup="My Company\Workstations (location based)" PreferredMode="1"/>
        <ServerList FreezeSmsList="0" Name="Default Management Server List">
          <ServerPriorityBlock Name="List0">
            <Server Address="10.10.10.10" HttpPort="8014" VerifySignatures="1"/>
            <Server Address="SEPM" HttpPort="8014" VerifySignatures="1"/>
            <Server Address="SEPM" HttpPort="8014" VerifySignatures="1"/>
          </ServerPriorityBlock>
        </ServerList>
        <ServerCertList>
          <Certificate Name="SEPM">MIICujCCAiOgAwIBAgIQhjuQQqXvBWWzipD7elI3oTANBgkqhkiG9w0BAQUFADB3MXUwCQYDVQQI A4GBAI6RsCE0zyFwDY6rsKeOaGVtEtZNvz5Lbas2b0OYOX53GA7JbeJMWB5OqMZ5EM76PZx/toMZ vUN+ypsPydoiLKd7uMsNWaFGzP4JKJjiJsrhGi3l1pLlR553GxZz2UZ1zbX7knjjiReVLrniIyYd  CPFkI/DEADBEEF+fnUbxr259h</Certificate>
        </ServerCertList>
      </CommConf>
    </ServerSettings>

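The PowerShell script can actually update any token in the XML file; we are just using it to update the PreferredGroup item:

    # Load the sylink.xml exported from the destination SEPM.
    # Full paths are used because the .NET Load/Save methods resolve relative
    # paths against the process working directory, not the PowerShell location.
    $xml_orig = New-Object XML
    $xml_orig.Load((Join-Path $PWD.Path "Sylink.xml"))

    $grps = Get-Content groups.txt
    ForEach ($i in $grps) {
        $i    # echo the group being processed
        $PreferredGroup = $i.ToString()
        # Work on a copy so the original document is left untouched
        $xml_new = $xml_orig.Clone()
        $xml_new.ServerSettings.CommConf.RegisterClient.PreferredGroup = $PreferredGroup

        # Build the output file name: backslashes and spaces become underscores
        $j = $i.Replace("\", "_")
        $filename = $j.Replace(" ", "_")
        $xml_new.Save((Join-Path $PWD.Path ($filename + "_Sylink.xml")))
        Remove-Variable xml_new
    }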

The script needs groups.txt and sylink.xml to be in its current directory. The sylink files are written to the current directory, prefixed with the group name, e.g. My_Company_Desktops_WA_Sylink.xml. All that is left is to run SylinkDrop -s "target sylink.xml" on the agents to repoint them to the new SEPM. I have used both Symantec Management Platform (Altiris) to do this, and AD group policy.
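Because each sylink file decides which server, certificate and group a client will trust, it is worth checking the generated files before they are pushed out. The following is an added example, not part of the original script: Test-SylinkFile is a hypothetical helper name, the sample XML and server names are constructed, and treating VerifySignatures="1" as the required value is an assumption based on the export shown above.

```powershell
# Added example: sanity-check a sylink document before deploying it.
# Test-SylinkFile is a hypothetical helper, not a SEP tool.
function Test-SylinkFile {
    param(
        [xml]$Sylink,              # parsed sylink document
        [string[]]$Groups,         # lines of groups.txt
        [string[]]$AllowedServers  # addresses of the new SEPM
    )
    $problems = @()
    $conf = $Sylink.ServerSettings.CommConf

    # SEP group names are case sensitive, so use the case-sensitive operator.
    $group = $conf.RegisterClient.PreferredGroup
    if ($Groups -cnotcontains $group) { $problems += "PreferredGroup '$group' is not in the group list" }

    # Every listed server must be an expected SEPM with signature checks on.
    foreach ($srv in $conf.SelectNodes("ServerList/ServerPriorityBlock/Server")) {
        $addr = $srv.GetAttribute("Address")
        if ($AllowedServers -notcontains $addr) { $problems += "Unexpected server address '$addr'" }
        if ($srv.GetAttribute("VerifySignatures") -ne "1") { $problems += "VerifySignatures is not 1 for '$addr'" }
    }

    # At least one non-empty server certificate must be present.
    $certs = $conf.SelectNodes("ServerCertList/Certificate")
    if (-not ($certs | Where-Object { $_.InnerText.Trim() })) { $problems += "No server certificate present" }
    $problems
}

# Constructed sample input (placeholder values, not from a real SEPM).
$sample = [xml]@'
<ServerSettings DomainId="CONSTRUCTED">
  <CommConf>
    <RegisterClient PreferredGroup="My Company\desktops\WA" PreferredMode="1"/>
    <ServerList Name="Default Management Server List">
      <ServerPriorityBlock Name="List0">
        <Server Address="10.10.10.10" HttpPort="8014" VerifySignatures="1"/>
        <Server Address="OLDSEPM" HttpPort="8014" VerifySignatures="0"/>
      </ServerPriorityBlock>
    </ServerList>
    <ServerCertList/>
  </CommConf>
</ServerSettings>
'@
$groups = @('My Company\Desktops', 'My Company\Desktops\WA')
$found = @(Test-SylinkFile -Sylink $sample -Groups $groups -AllowedServers @('10.10.10.10', 'SEPM'))
$found | ForEach-Object { Write-Warning $_ }
```

For real files, pass `[xml](Get-Content <file>)` for each generated `*_Sylink.xml` and the contents of groups.txt, and only deploy files that return no problems.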

You can pull the scripts from

I have used this script to save a lot of time generating sylink files for migrations. This also gave me an idea for automating the creation of a large number of setup.exe files for SEP deployments: Stay tuned for more on that!

