Known issues and workarounds

The items in this section apply to this release of
Symantec Endpoint Protection
Upgrade issues
Description and solution
A SQL Server upgrade from version 2017 to version 2019 fails with FIPS mode enabled [14.3]
You may see the error: "The following error has occurred. An error occurred while installing extensibility feature with error message: AppContainer Creation Failed with error message NONE, state. This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." This occurs if you have a FIPS-enabled Symantec Endpoint Protection Manager 14.3 and you upgrade from the Microsoft SQL Server 2017 to 2019. [SEP-61473]
To work around this issue, disable FIPS at the operating system level:
  1. In
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    , click
    Local Security Policy
    Local Policies
    Security Options
    , and disable
    System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
  2. Upgrade from SQL Server version 2017 to version 2019.
  3. After SQL Server upgrades successfully, re-enable FIPS.
Custom names may prevent the firewall policy from updating during an upgrade to 14.2 or later
For an upgrade to Symantec Endpoint Protection 14.2 or later, firewall policies cannot incorporate the changes for IPv6 if you changed some default names. The default names include the names of default policies and default rule names. If the rules cannot be updated during the upgrade, the IPv6 options do not appear. Any new policies or rules that you create after the upgrade are not affected.
If possible, revert any changed names back to the default. Otherwise, ensure that any custom rules that you added to a default policy do not block IPv6 communication in any way. Ensure the same for any new policies or rules that you add.
Symantec Endpoint Protection Manager issues
Description and solution
Whitelist additional URLs in Symantec Endpoint Security if you use the hybrid management option and proxy servers [ or later]
With Broadcom’s recent acquisition of Symantec Enterprise Security, the URLs for client-to-cloud communication changed in [CDM-42467]
You must upgrade your clients to version build 14.2.5569.2100 or later in the following situation
  • You use Symantec Endpoint Security to manage your clients and policies when your on-premises Symantec Endpoint Protection Manager domains are enrolled in the cloud console
  • You use proxy servers.
To whitelist URLs in either fully cloud-managed or hybrid-managed agents, you whitelist them in Symantec Endpoint Security:
  1. In Symantec Endpoint Security, go to
    Endpoint > Policies > [policy name] Whitelist Policy
  2. In the Whitelist policy, next to
    Excluded by Domain
    , select
    , add the following URLs one at a time, and select
    (add if you have devices in Europe).
    Keep if you continue to manage clients with a later version.
  3. Select
    Save Policy
    and then
    to update the policy and apply it to existing groups.
See URLs to whitelist for Symantec Endpoint Security.
The Symantec Endpoint Protection Manager remote console no longer supports the 32-bit Windows platform [14.3]
As of 14.3, you cannot log on to the Symantec Endpoint Protection Manager remote console if you run a 32-bit version of Windows. The Oracle Java SE Runtime Environment no longer supports 32-bit versions of Microsoft Windows. [SEP-61106]
If you see the following message, log on to Symantec Endpoint Protection Manager locally:
"This version of C:\Users\Administrator\Downloads\Symantec Endpoint Protection Manager Console\bin\javaw.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher."
"Failed to install Microsoft Visual C++ Runtime" error appears while you install Symantec Endpoint Protection Manager [14.3]
You may see the following error while installing the Symantec Endpoint Protection Manager on Windows 2012 R2: “Failed to install Microsoft Visual C++ Runtime” [SEP-60396]
To work around this issue, activate Windows and install the Windows updates. The Windows update installs the Visual C++ 2017 redistributable, which is a prerequisite for the Symantec Endpoint Protection Manager 14.3 installation on Windows 2012 R2.
Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows [14.3]
After you upgrade to or install a Symantec Endpoint Protection Manager version 14.3 that is enrolled in the cloud console, the management server no longer uploads logs successfully to the cloud. In the uploader.log you may see the following error:
<SEVERE> WinHttpSendRequest: 12175: A security error occurred
This issue is caused by a missing Microsoft update that provides support for TLS 1.1 and 1.2.
To solve the issue, install Microsoft update: KB3140245. For more information, see:
"Deployment in progress" still appears in Symantec Endpoint Protection Manager after the client receives an updated policy for Endpoint Threat Defense for AD [14.2 RU1 MP1 and later]
This behavior is expected. Endpoint Threat Defense for AD 3.3 policies are only supported on the client as of version 14.2 RU1 MP1.
You apply a policy for Symantec Endpoint Threat Defense for Active Directory 3.3 to a group. This group contains some clients that run Symantec Endpoint Protection 14.2 RU1 or earlier. These clients receive and apply the policy as expected, but the status in Symantec Endpoint Protection Manager continues to show the message Deployment in progress.
Windows, Mac, and Linux client issues
Description and solution
Upgrade issue on macOS 10.15 and later [14.3 MP1]
On macOS 10.15 and later, the
Install Symantec Endpoint Protection to Remote Computers
feature in the Client Deployment Wizard fails to upgrade the Symantec Endpoint Protection client from older versions to version 14.3 MP1.
Symantec Endpoint Protection Manager Auto Upgrade
to perform the Symantec Endpoint Protection client upgrade on macOS 10.15 and later.
The Symantec Endpoint Protection 14.3 Windows client installation may fail unless you first install SHA-2 support [14.3]
If you run legacy operating system versions (Windows 7 RTM or SP1, Windows Server 2008 R2 or R2 SP1 or R2 SP2), you are required to have SHA-2 code signing support installed on your devices to install Windows updates released on or after July 2019. Without SHA-2 support, the Windows client installation sometimes fails. The installation may fail whether you install clients for the first time or automatically upgrade from a previous release. [SEP-61175/61403]
To get Microsoft enforced SHA-2 code signing support, see:
2019 SHA-2 Code Signing Support requirement for Windows and WSUS
The Symantec Endpoint Protection Windows client does not run when installed on Windows 10 1803 with UWF enabled [14.3]
If the Symantec Endpoint Protection client runs on the Windows 10 RS4 1803 32-bit operating system when the Unified Write Filter (UWF) is enabled and protecting the drive on which the Windows client is installed, the client does not run properly. This Windows operating system contains a UWF defect that prevents the Windows client from running.
To work around this issue:
Mac clients that enable WSS Traffic Redirection do not honor custom proxy settings for LiveUpdate [14.2 RU1 MP1 and later]
You have configured your managed Mac clients for Symantec Endpoint Protection 14.2 RU1 MP1 or later to use custom proxy settings for LiveUpdate through External Communications Settings. After you enable WSS Traffic Redirection (WTR) for your Mac clients through the Symantec Endpoint Protection Manager policy, however, you find that LiveUpdate traffic no longer honors your custom proxy settings. Instead, LiveUpdate attempts a direct connection.
To work around this issue, only use custom proxy settings for LiveUpdate when WSS Traffic Redirection is disabled.
Microsoft Edge unexpectedly allows PDF downloads with Hardening enabled [14.2 RU1 MP1 and later]
With Application Hardening enabled in the Symantec Endpoint Protection client, you are unexpectedly able to download PDF files if you use the Microsoft Edge browser. The prevention of the download of PDF files works as expected with other browsers.
A fix for this issue is planned for a future release.
With Broadcom’s recent announcement that Symantec Enterprise Protection has officially joined Broadcom, Symantec migrated the documentation to the Broadcom Symantec Security Tech Docs Portal.
To find Endpoint Protection documentation, click the
Symantec Security Software
tab, then click
Endpoint Security and Management
Endpoint Protection
Documentation issues
Description and solution
HOWTO articles have been expired.
The HOWTO articles, which were duplicates of the topics in the Symantec Endpoint Protection Manager Help, have been republished on the Endpoint Protection site and now have a different URL.
To find an article, use the
Search field
PDF files
Symantec posted all PDF files on DOC articles. These pages have been expired.
To find the release most recent version of the PDF file, go to the Related Documents page. In the future, Broadcom will be adding legacy PDF files and translated PDF files.
For resolved issues, see: