Upgrading and Migrating to the Latest Release of Symantec Endpoint Protection (SEP)

Learn how to update to the latest release of Symantec Endpoint Protection.
Use this topic to upgrade to the latest release of SEP 14.x and take advantage of the new features. This information is specific to upgrading the software in environments where a compatible version of the product is already installed.
Before you upgrade, review the following information:
Process for upgrading
Symantec Endpoint Protection
Step 1: Download the latest version from the Broadcom Download Center
For links and information, see:
Before you upgrade the Symantec Endpoint Protection Manager (SEPM) and the Symantec Endpoint Protection clients, make sure you maximize the protection of your network during the upgrade by following these best practices:
  • Symantec recommends that you do not perform third-party installations simultaneous to the upgrade of Symantec Endpoint Protection. Installing third-party software that makes network- or system-level changes may cause undesirable results when you upgrade Symantec Endpoint Protection.
  • If possible, restart client computers before installing or upgrading Symantec Endpoint Protection.
  • Symantec recommends that you upgrade the entire network to the current version of Symantec Endpoint Protection, rather than manage multiple versions.
For more information, see:
Step 2: Back up the database and prepare for disaster recovery
Back up the database, logs, and recovery file that
Symantec Endpoint Protection Manager
uses to ensure the integrity of your client data. These steps are different depending on your version. See:
Step 3: Stop the
Symantec Endpoint Protection Manager
You must manually stop the management server service on all sites before you install a newer version. The management server service stops the Syslog service or similar service that  runs on the SEPM and which could potentially lock SEPM files or folders and cause the upgrade to fail. After you upgrade, the management server automatically starts the service.
If the management server replicates with other management servers, make sure that replication does not occur during the period that you upgrade the SEPM and that the management server service is stopped. See:
Step 4: Upgrade the
Symantec Endpoint Protection Manager
Install the new version of
Symantec Endpoint Protection Manager
over the existing version on all sites in your network. The existing version is detected automatically, and all settings are saved during the upgrade. See:
If you enrolled a Symantec Endpoint Protection Manager domain into the ICDm cloud console (hybrid management) before the upgrade, the domain remains enrolled during the upgrade process. You can also enroll any domain after the upgrade. See:
Enrolling a domain in the cloud console from the Symantec Endpoint Protection Manager
Step 5: Upgrade Symantec client software
You do not need to uninstall previous clients before you install the new version. The over install process saves the client settings, and then upgrades the client to the latest version. You should first update a group with a small number of test computers before you update your entire production network.
If you use clients as Group Update Providers, you must upgrade them first. See:
Review the applicable steps in the following topics:
Then choose from one of the available methods to upgrade clients:
  • AutoUpgrade
    : AutoUpgrade is the easiest way to update the Windows and Mac client software in groups.
    You assign client packages to groups in the management server, either manually or by using the
    Upgrade Clients with Package
    wizard. No further action is required on your part to complete the upgrade process. See:
    does not support the Symantec Agent for Linux 14.3 RU1.
  • Installation file
    : Download the client installation file from the Broadcom Download Center.
    For links and information, see:
  • Client Deployment Wizard
    : Run the Client Deployment wizard in the management server. This wizard walks you through the creation of a client package that can be deployed by a web link and email, remote push, or saved for a later local installation. You can also deploy using third-party tools. See: