Upgrade best practices for Endpoint Protection 14.x

The following resources help you to plan and perform an optimal upgrade to the current version of Symantec Endpoint Protection (SEP). Follow the recommended best practices and be aware of any potential issues and risks.
Benefits of upgrading to the latest version
To get the latest security features, operating system support, and customer fixes, upgrade to the latest version. For information on what features each version offers, see:
Important information for the latest version
System requirements and release notes
Review carefully before you upgrade:
Before the upgrade, use the Symantec Diagnostic tool to determine whether the computers meet minimum system requirements.
If you plan to upgrade your operating system, be sure to first upgrade Symantec Endpoint Protection to a version that supports the operating system. Leaving an unsupported version of Symantec Endpoint Protection in place when you upgrade the operating system can have unexpected results.
Supported and unsupported upgrade paths
Make sure that the currently installed version can be migrated or upgraded to the new version. Review the following articles:
Important installation and upgrade information
  • For an upgrade to 14.3 RU1, the default Microsoft SQL Server Express database replaces the embedded database. The maximum database size is 10 GB.
  • For an upgrade to Symantec Endpoint Protection 14.2 or later, firewall policies cannot incorporate the changes for IPv6 if some default names have been changed. The default names include the names of default policies and default rule names. If the rules cannot be updated during the upgrade, the IPv6 options do not appear. Any new policies or rules that you create after the upgrade are not affected.
    If possible, revert any changed names back to the default. Otherwise, ensure that any custom rules that you added to a default policy do not block IPv6 communication in any way. Ensure the same for any new policies or rules that you add.
    These actions prevent any issues with IPv6 communications.
  • You cannot upgrade legacy Symantec Endpoint Protection clients to version 14.2 or later if the network only uses IPv6 communications. In this context, legacy clients are Symantec Endpoint Protection clients with a version earlier than 14.2. These earlier client versions do not support IPv6 communication, so the upgrade can result in communication issues with Symantec Endpoint Protection Manager. Upgrade the clients to version 14.2 before moving the environments to a pure IPv6 network. Alternately, uninstall the legacy versions, then deploy a new 14.2 or later package to these client computers.
  • You can continue to manage those clients that run Windows XP and Server 2003 as 12.1.x legacy clients. However, you should ensure that TLS 1.2 is enabled on these operating systems. Windows XP and Server 2003 do not enable TLS by default. See: Enable TLS on Windows XP or Windows Server 2003.
  • If Symantec Endpoint Protection uses a SQL Server database and your environment only uses TLS 1.2, ensure that SQL Server supports TLS 1.2. You may need to patch SQL Server. See:
    This recommendation applies to SQL Server 2008, 2012, and 2014. Without the SQL Server patch to support TLS 1.2, you may have issues when you upgrade from Symantec Endpoint Protection 12.1 to 14.
  • New installations of Symantec Endpoint Protection Manager 14.x now enable secure communications between the clients and the management console. If you upgrade from an earlier version to version 14.x, then the upgrade maintains the current communication configuration.
Things to know before you get started
The following table lists the recommended routine maintenance tasks you should perform before you upgrade. Maintenance may include disk error checks, defragmentation of the hard drive, or other routine health checks.
Insufficient disk space
Ensure that the management server has enough disk space to perform the upgrade. For a successful Symantec Endpoint Protection Manager upgrade, free space should be at least three times the size of the database. Consult the system requirements for the free space that is required to install the Symantec Endpoint Protection
Proxy servers
Ensure that you have made the proper exclusions to any peripheral firewall or proxy to ensure successful communication with all Symantec servers.
Scanning exclusions
Steps to upgrade
Best practices
Back up before you upgrade
As a best practice, always back up the Symantec Endpoint Protection Manager database before an upgrade.
Use the Upgrade Clients with Package wizard to upgrade existing Windows and Mac clients.
You may want to schedule AutoUpgrade for after hours, due to possible bandwidth usage. You can stage client packages on a web server, and then run Upgrade Clients with Package. There are alternate methods to deploy the upgrade package as well, such as through the Client Deployment Wizard.
Fresh install of Symantec Endpoint Protection Manager 14
You can use the Communication Update Package to connect existing clients, both 12.1.x and 14, to a new installation of the Symantec Endpoint Protection Manager 14. For example, you might decommission an existing server and install Symantec Endpoint Protection Manager on a new server instead. Create a new client installation setting that resets client-server communications settings, and then deploy the Communication Update Package in the same way as clients:
Help > Getting Started Page > Install the client software on your computers
See About the Windows client installation settings. You can also reset the client-server communications settings for Mac computers with a client installation setting.
After the clients are connected, you can upgrade the clients with AutoUpgrade.
Symantec Endpoint Protection clients can be used to protect virtual instances of the supported operating systems.
Symantec Endpoint Protection Manager can be installed and managed on virtual instances of the supported operating systems.
Symantec Endpoint Protection includes additional management options for virtual clients, such as Shared Insight Cache and a separate configuration option for purging offline non-persistent GVMs.
Disaster recovery preparation
Before you begin the upgrade, ensure that you have backed up the current Symantec Endpoint Protection Manager installation using disaster recovery preparation techniques. If the upgrade then fails, you can restore the Symantec Endpoint Protection Manager to functionality more quickly.
To recover an installation after a failure, due to database schema and other changes, you must reinstall using the exact version previously in use.
Frequently asked questions (FAQs)
Q: Where do I get the current version of Symantec Endpoint Protection?
A: From the Broadcom Support Portal. See the following page for guidance:
Contact Technical Support for additional assistance: Symantec Endpoint Security
Q: How do I activate my license?
A: After you log on to Symantec Endpoint Protection Manager, click Help > Getting Started Page, under Required Tasks. For a walkthrough, see the quick-start-v127682506-d9e279.html.
Q: What are the upgrade methods? When should each method be used?
A: There are many methods available to upgrade clients. Second, decide which method is most appropriate for the situation. Every situation is different, so Symantec provides many different methods for accomplishing this goal:
  • AutoUpgrade: Assign client packages to groups in the management console, either manually or by using the Upgrade Clients with Package
  • Local installation from the installation file or installation media.
  • Run the Client Deployment Wizard from the management console. The Client Deployment Wizard walks you through the creation of a client package. You can then choose to deploy by emailing a web link to users or by a remote push. You can also save the package for local installation or for use with a third-party deployment tool.
Before you begin, ensure the client computers are ready to receive an upgrade package:
Q: What's the recommended migration order? What do I upgrade first in my environment?
A: The recommended order to upgrade is as follows:
  1. Symantec Endpoint Protection Manager
  2. Group Update Providers
  3. The remaining clients as needed
Q: Can I continue to manage Windows 2000 and Symantec Endpoint Protection 11.x clients?
A: No.
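The following Python sketch is an added example, not Symantec or Broadcom code. It applies the rules stated on this page (migration order, the IPv6-only restriction for clients earlier than 14.2, Windows XP and Server 2003 legacy handling, and unmanageable 11.x and Windows 2000 clients) to an inventory export. The inventory rows, column names and function names are constructed for illustration, and versions are assumed to be plain dotted numbers.

```python
# Added example: triage a client inventory against the upgrade rules on this page.
# The inventory below is constructed sample data, not output from a real console.
import csv
import io

INVENTORY = """host,role,sep_version,os,ipv6_only
pc-101,client,12.1.6,Windows 7,yes
gup-nyc,gup,14.0.1,Windows 10,no
pos-07,client,12.1.6,Windows XP,no
sepm01,manager,14.0.1,Windows Server 2016,no
old-22,client,11.0.7,Windows 2000,no
pc-200,client,14.2.1,Windows 10,yes
"""

# Recommended order: manager first, then Group Update Providers, then clients.
ORDER = {"manager": 0, "gup": 1, "client": 2}
LEGACY_OS = ("Windows XP", "Server 2003")

def ver(text):
    """'14.2.1' -> (14, 2, 1) so that versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(row):
    """Return the action this page prescribes for one inventory row."""
    v, os_name = ver(row["sep_version"]), row["os"]
    if v[0] <= 11 or "Windows 2000" in os_name:
        return "unmanageable: 11.x and Windows 2000 clients cannot be managed"
    if any(name in os_name for name in LEGACY_OS):
        return "legacy: keep on 12.1.x and verify TLS 1.2 is enabled"
    if v < (14, 2) and row["ipv6_only"] == "yes":
        return ("blocked: upgrade to 14.2 before going IPv6-only, "
                "or uninstall and deploy a new 14.2+ package")
    return "upgrade"

def plan(text=INVENTORY):
    """Sort hosts into the recommended migration order and triage each one."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: ORDER[r["role"]])  # stable within each role
    return [(r["host"], triage(r)) for r in rows]

if __name__ == "__main__":
    for host, action in plan():
        print(f"{host:10} {action}")
```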
Q: How can I generate a list of Symantec Endpoint Protection versions installed in my environment?
A: Generate this list using