Installing Endpoint Protection client patches on Windows clients

What are client patches and how do they work?

A client patch is a software patch for
Symantec Endpoint Protection
Windows clients that corrects a product defect or functionality issue that exists in the client code. Symantec delivers a client patch to fix the issue and uploads it to a LiveUpdate server in 14.3 RU2 (build number 14.3.4615.2000) or later. Client patches are like any other type of content, like IPS signatures or virus and spyware definitions. You download client patches from the LiveUpdate server to the management server as an incremental delta (.dax) file. You then download the patches to clients in the same way as other content, using a LiveUpdate server, the management server, or a Group Update Provider (GUP). See:
A client patch is not the same as a maintenance patch (MP) or a release update (RU). A client patch only addresses a client defect, and is delivered through LiveUpdate. A maintenance patch provides other updates or features, such as to offer support for new operating systems, and is delivered as a full installation download through the Broadcom Download Management page. In 14.3 RU2 and later, client patches have the same content as product updates. However, product updates are included in a full client installation package, whereas we a client patch includes just the delta file. See:
If the client and the management server versions match, the clients can get the client patches from a LiveUpdate server, a management server, or a GUP. If the client and the management server versions do not match, the clients get the client patches from a LiveUpdate server only, as in the case when a management server manages clients with multiple versions. If you want to use the management server or a GUP to download patches, you must update either the client or the management server version so that they are the same version.
The following table displays examples of whether or not the client can receive client patches from the management server, based on the version number of
Symantec Endpoint Protection Manager
and the
Symantec Endpoint Protection
Examples of which client versions download which client patches
Management server version
Client version
Does the client download patches from the management server?
14.3 RU2
14.3 RU2
14.3 RU2
14.3 RU1
LiveUpdate downloads not just client patches also feature updates. In this case, the client build does not have to match the management server. It can be older, the same, or newer. See:
The language for client patches must match the management server language. For example, a French management server that manages French (supported) and German (unsupported) clients provides client patches to the French clients only. In 14.3 RU2 or later, you must enable AutoUpgrade to install an English installation package and English client patches on the German client. For more information about how to upgrade clients from an unsupported language to a supported language, see:

Installing client patches on Windows computers

By default, LiveUpdate downloads client patches to
Symantec Endpoint Protection Manager
. However, client patches do not automatically download and install on either a managed client or an unmanaged client. On the managed client, you must select the client patch to install it, whether you use the Symantec Endpoint Protection Manager, LiveUpdate, or a Group Update Provider.
After a client downloads and installs a client patch, it continues to run the previous, unpatched version of the client until the client is restarted. Either the client end user must restart the computer, or you must run the restart command from the management server. The management server sends you a notification that indicates which clients require a restart.
To install client patches on Windows clients
  1. In the console, verify that LiveUpdate is configured to download the client patches to the management server.
    In the
    Content Types to Download
    dialog box, make sure that
    Client patches
    is checked. See:
  2. To run a report to find out which release is installed on the client computers, run a
    Protection Content Versions
    report. See:
  3. Verify that the LiveUpdate Settings policy is configured to download the patches to the clients.
    In a LiveUpdate Settings policy, under
    Windows Settings
    , click
    Advanced Settings
    . Make sure
    Download client patches
    is checked.
    Make sure that
    Download delta content from a LiveUpdate server when available
    is checked. This option merges the client patches from the current release with the content with the new patch, and then downloads only the difference, or the delta. Use this option when bandwidth to the clients is low.