Downloading Endpoint Protection security patches to Windows clients

What are security patches and how do they work?
A security patch is a software patch for Symantec Endpoint Protection clients that corrects a vulnerability that exists in the client code. As new vulnerabilities become known, Symantec delivers a security patch to fix the vulnerability and uploads it to a LiveUpdate server. You can download security patches from the LiveUpdate server to the management server. You then download the patches to clients in the same way as other content, using a LiveUpdate server, the management server, or a Group Update Provider (GUP).
If the client and the management server versions match, the clients can get the security patches from a LiveUpdate server, a management server, or a GUP. If the client and the management server versions do not match, the clients get the security patches from a LiveUpdate server only, as in the case when a management server manages clients with multiple versions. If you want to use the management server or a GUP to download patches, you must update either the client or the management server version so that they are the same version.
In addition, the language for the client must match the management server. For example, a French management server that manages French, German, and simplified Chinese clients provides security patches to the French clients only.
A security patch is not the same as a Maintenance Patch. A security patch only addresses a possible security issue, and is delivered through LiveUpdate. A Maintenance Patch provides other updates, such as to offer support for new operating systems, and is delivered as a full installation download through the Broadcom Download Management page.
The table "Examples of which client versions download which security patches" shows whether or not the client can receive security patches from the management server, based on the version numbers of Symantec Endpoint Protection Manager and the Symantec Endpoint Protection client.
Examples of which client versions download which security patches

| Management server version | Client version | Does the client download patches from the management server? |
| --- | --- | --- |
| 14.2 | 14.2 | Yes |
| 14.2 | 14.0.1 MP2 | No |
| 14.0.1 MP2 | 14.0.1 MP2 | Yes |
| 14.0.1 MP2 | 14.0.1 MP1 | No |
| 14.0.1 MP2 | 14.2 | No |

Installing security patches on Windows clients
By default, LiveUpdate downloads security patches to Symantec Endpoint Protection Manager, which in turn installs the patches on the clients based on the distribution method you have configured for the other content types.
After a client downloads and installs a security patch, it continues to run the previous, unpatched version of the client until the client is restarted. You must restart the client to run the latest patch. Either the client end user must restart the computer, or you must run the restart command from the management server. The management server sends you a notification that indicates which clients require a restart.
To install security patches on Windows clients
  1. In the console, verify that LiveUpdate is configured to download the security patches to the management server.
    In the Content Types to Download dialog box, make sure that Client security patches is checked.
  2. To find out which release is installed on the client computers, run a Protection Content Versions report.
  3. Verify that the LiveUpdate Settings policy is configured to download the patches to the clients.
    In a LiveUpdate Settings policy, under Windows Settings, click Advanced Settings. Make sure Download security patches to fix the vulnerabilities in the latest version of the Symantec Endpoint Protection client is checked.
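
The following Python script is an added example, not Symantec or Broadcom code. It applies the version and language matching rule and the restart requirement described above to a client inventory, listing which clients can only use a LiveUpdate server and which still run unpatched code. The inventory columns and sample rows are constructed for illustration, and treating a language mismatch like a version mismatch (LiveUpdate only) is an assumption.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this
# example, not the layout of any Symantec Endpoint Protection Manager report.
SAMPLE_INVENTORY = """hostname,client_version,client_language,restart_pending
ws-01,14.2,French,no
ws-02,14.0.1 MP2,French,no
ws-03,14.2,German,no
ws-04,14.2,french,yes
ws-05, 14.0.1  mp2 ,French,yes
"""


def normalize(value):
    """Collapse whitespace and case so '14.0.1  mp2' equals '14.0.1 MP2'."""
    return " ".join(value.split()).upper()


def patch_sources(server_version, server_language, client_version, client_language):
    """Return the sources a client may use for security patches.

    The full release string must match, including the MP level. Assumption:
    a language mismatch is handled like a version mismatch.
    """
    same_version = normalize(server_version) == normalize(client_version)
    same_language = normalize(server_language) == normalize(client_language)
    if same_version and same_language:
        return ["LiveUpdate server", "management server", "GUP"]
    return ["LiveUpdate server"]


def audit(inventory_csv, server_version, server_language):
    """Classify each client by patch source and by pending restart."""
    report = {"liveupdate_only": [], "restart_pending": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        sources = patch_sources(server_version, server_language,
                                row["client_version"], row["client_language"])
        if sources == ["LiveUpdate server"]:
            report["liveupdate_only"].append(row["hostname"])
        # A patched client keeps running the unpatched code until restarted.
        if normalize(row["restart_pending"]) == "YES":
            report["restart_pending"].append(row["hostname"])
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, "14.2", "French"))
```

Clients in the liveupdate_only list need either a route to a LiveUpdate server or a version change that brings them in line with the management server; clients in restart_pending remain exposed until they restart.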