Rather than using xcopy we managed to use the -source:dirpath command with UNC addresses to the servers with msdeploy. The key was the ignoreAcls=true and removing calls to username and password in the msdeploy string:
msdeploy -verb:sync -source:dirpath=\\build\e$\app -dest:dirpath=\\live\d$\app,ignoreAcls=true
The example deploys the site from our build server's E drive to the D drive on our live server. There are some security considerations with exposing shares or this level of disk access on a live server. We're currently looking into using a limited access shared folder.
We then pipe this output to a log file which is then moved to the backup archive for reference. The log file records which files were moved and when.Continuing the example above with the output pipe command:
... > E:\archive\msdeploy.log