Downloading Endpoint Protection security patches to Windows clients
What are security patches and how do they work?
A security patch is a software patch for Symantec Endpoint Protection clients that corrects a vulnerability that exists in the client code. As new vulnerabilities become known, Symantec delivers a security patch to fix the vulnerability and uploads it to a LiveUpdate server. You can download security patches from the LiveUpdate server to the management server. You then download the patches to clients in the same way as other content, using a LiveUpdate server, the management server, or a Group Update Provider (GUP).
If the client and the management server versions match, the clients can get the security patches from a LiveUpdate server, a management server, or a GUP. If the client and the management server versions do not match, the clients get the security patches from a LiveUpdate server only, as in the case when a management server manages clients with multiple versions. If you want to use the management server or a GUP to download patches, you must update either the client or the management server version so that they are the same version.
In addition, the language for the client must match the management server. For example, a French management server that manages French, German, and simplified Chinese clients provides security patches to the French clients only.
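The version and language rules above, applied to a client inventory to list which clients depend on direct LiveUpdate access. This is an added example, not Symantec code. It assumes that "match" means identical version strings, that a language mismatch limits a client to LiveUpdate in the same way a version mismatch does, and that the inventory is a CSV whose column names and values are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory: column names, host names and version strings
# are assumptions for this example, not a real console export format.
SAMPLE_INVENTORY = """\
client,version,language
ws-fr-01,99.1.0,French
ws-de-01,99.1.0,German
ws-zh-01,99.1.0,Simplified Chinese
ws-fr-02,99.0.0,French
"""

LIVEUPDATE = "LiveUpdate server"
SERVER_SIDE = ("management server", "Group Update Provider")


def patch_sources(client, server_version, server_language):
    """Return (sources, reasons) for one client row.

    Assumption: "match" means identical version strings and identical
    language names after trimming and case-folding.
    """
    reasons = []
    if client["version"].strip() != server_version.strip():
        reasons.append("version mismatch")
    if client["language"].strip().casefold() != server_language.strip().casefold():
        reasons.append("language mismatch")
    sources = [LIVEUPDATE]          # LiveUpdate is always a possible source
    if not reasons:                 # server and GUP only when both match
        sources.extend(SERVER_SIDE)
    return sources, reasons


def audit(inventory_csv, server_version, server_language):
    """Group clients by whether the management server or a GUP can serve them."""
    report = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        _, reasons = patch_sources(row, server_version, server_language)
        key = "liveupdate_only" if reasons else "any_source"
        report[key].append((row["client"], reasons))
    return dict(report)


if __name__ == "__main__":
    for group, clients in audit(SAMPLE_INVENTORY, "99.1.0", "French").items():
        for name, reasons in clients:
            print(f"{group:16} {name:10} {', '.join(reasons) or 'match'}")
```

Clients reported as `liveupdate_only` need a network path to a LiveUpdate server, or a client or management server upgrade, before they can receive security patches.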
A security patch is not the same as a Maintenance Patch. A security patch only addresses a possible security issue, and is delivered through LiveUpdate. A Maintenance Patch provides other updates, such as to offer support for new operating systems, and is delivered as a full installation download through the Broadcom Download Management page.
"Examples of which client versions download which security patches" displays examples of whether or not the client can receive security patches from the management server, based on the version number of Symantec Endpoint Protection Manager and the Symantec Endpoint Protection client.
Management server version
Does the client download patches from the management server?
Installing security patches on Windows clients
By default, LiveUpdate downloads security patches to Symantec Endpoint Protection Manager, which in turn installs the patches on the clients based on the distribution method you have configured for the other content types.
After a client downloads and installs a security patch, it continues to run the previous, unpatched version of the client until the client is restarted. You must restart the client to run the latest patch. Either the client end user must restart the computer, or you must run the restart command from the management server. The management server sends you a notification that indicates which clients require a restart.
To install security patches on Windows clients
- In the console, verify that LiveUpdate is configured to download the security patches to the management server. In the Content Types to Download dialog box, make sure that Client security patches is checked.
- To run a report to find out which release is installed on the client computers, run a Protection Content Versions report.
- Verify that the LiveUpdate Settings policy is configured to download the patches to the clients. In a LiveUpdate Settings policy, under Windows Settings, click Advanced Settings. Make sure Download security patches to fix the vulnerabilities in the latest version of the Symantec Endpoint Protection client is checked.
- When notified, restart the client computers.