Upgrade best practices for Endpoint Protection 14.x

When upgrading, follow the recommended best practices and be aware of any potential issues and risks.
The following resources help you to plan and perform an optimal upgrade to the current version of Symantec Endpoint Protection.

Benefits of upgrading to the latest version

To get the latest security features, operating system support, and customer fixes, upgrade to the latest version. For information on what features each version offers, see:

Important information for the latest version

System requirements and release notes
Review the following carefully before you upgrade:
Before the upgrade, use the Symantec Diagnostic tool to determine whether the computers meet minimum system requirements. See:
If you plan to upgrade your operating system, be sure to first upgrade Symantec Endpoint Protection to a version that supports the operating system. Leaving an unsupported version of Symantec Endpoint Protection in place when you upgrade the operating system can have unexpected results.
Supported and unsupported upgrade paths
Make sure that the currently installed version can be migrated or upgraded to the new version. Review the following:
Important installation and upgrade information
  • When you upgrade from a Symantec Endpoint Protection Manager embedded database to a default Microsoft SQL Server Express database (14.3 RU1 and later), the following error may appear:
    The specified password does not meet strong password requirements.
    To work around this issue, see: While upgrading a SEPM embedded database to 14.3 RU1 the error "The specified password does not meet strong password requirements"
  • Symantec Endpoint Protection 14.3 RU2 clients cannot be managed by a 14.3 RU1 MP1 or earlier Symantec Endpoint Protection Manager.
  • For an upgrade to 14.3 RU1 or later, the default Microsoft SQL Server Express database replaces the embedded database. The maximum database size is 10 GB.
  • For an upgrade to 14.2 or later, firewall policies cannot incorporate the changes for IPv6 if some default names have been changed. The default names include the names of default policies and default rule names. If the rules cannot be updated during the upgrade, the IPv6 options do not appear. Any new policies or rules that you create after the upgrade are not affected.
    If possible, revert any changed names back to the default. Otherwise, ensure that any custom rules that you added to a default policy do not block IPv6 communication in any way. Ensure the same for any new policies or rules that you add.
    These actions prevent any issues with IPv6 communications.
  • You cannot upgrade legacy Symantec Endpoint Protection clients to version 14.2 or later if the network only uses IPv6 communications. In this context, legacy clients are Symantec Endpoint Protection clients with a version earlier than 14.2. These earlier client versions do not support IPv6 communication, so the upgrade can result in communication issues with Symantec Endpoint Protection Manager.
    Upgrade the clients to version 14.2 or later before moving the environments to a pure IPv6 network. Alternately, uninstall the legacy versions, then deploy a new 14.2 or later package to these client computers.
  • If Symantec Endpoint Protection uses a SQL Server database and your environment only uses TLS 1.2, ensure that SQL Server supports TLS 1.2. You may need to patch SQL Server. See:
    This recommendation applies to SQL Server 2008, 2012, and 2014.
  • New installations of Symantec Endpoint Protection Manager enable secure communications between the clients and the management console. The upgrade maintains current communication configuration.
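
The version and capacity constraints in the list above, together with the free-space guideline under "Insufficient disk space" on this page, can be checked against an upgrade plan before you start. The following Python is an added example, not Symantec or Broadcom code; the function names, the plan parameters and the sample inventory are assumptions made for illustration.

```python
import re

# Release labels in the form used on this page: "14.2", "14.3 RU1", "14.3 RU1 MP1".
_LABEL = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s+RU(\d+))?(?:\s+MP(\d+))?$", re.I)

def parse_release(label):
    """Return (major, minor, patch, RU, MP) so that releases compare as tuples."""
    m = _LABEL.match(label.strip())
    if not m:
        raise ValueError(f"unrecognized release label: {label!r}")
    return tuple(int(g or 0) for g in m.groups())

def preflight(manager_target, client_target, clients, ipv6_only,
              db_gb, free_gb, embedded_db):
    """Check an upgrade plan (hypothetical structure) against this page's constraints."""
    mgr, tgt = parse_release(manager_target), parse_release(client_target)
    findings = []
    # Rule as stated on the page: 14.3 RU2 clients cannot be managed by a
    # 14.3 RU1 MP1 or earlier manager. Only 14.3 RU2 is covered here.
    if tgt[:4] == (14, 3, 0, 2) and mgr <= parse_release("14.3 RU1 MP1"):
        findings.append(f"manager {manager_target} cannot manage {client_target} clients")
    # Clients earlier than 14.2 do not support IPv6 and cannot be upgraded
    # on a network that only uses IPv6.
    if ipv6_only and tgt >= parse_release("14.2"):
        for host, rel in sorted(clients.items()):
            if parse_release(rel) < parse_release("14.2"):
                findings.append(f"{host}: legacy client {rel} on an IPv6-only network")
    # From 14.3 RU1 the embedded database is replaced by SQL Server Express,
    # whose maximum size is 10 GB. Flagging a larger database is an inference.
    if embedded_db and mgr >= parse_release("14.3 RU1") and db_gb > 10:
        findings.append(f"database is {db_gb} GB; the SQL Server Express maximum is 10 GB")
    # Free space on the management server: at least three times the database size.
    if free_gb < 3 * db_gb:
        findings.append(f"free space {free_gb} GB is below 3 x database size ({3 * db_gb} GB)")
    return findings

# Constructed sample plan: hostnames, versions and sizes are made up.
SAMPLE = preflight(
    manager_target="14.3 RU1 MP1", client_target="14.3 RU2",
    clients={"ws-01": "14.0.1 MP2", "ws-02": "14.2 RU1", "srv-01": "12.1.6 MP5"},
    ipv6_only=True, db_gb=4, free_gb=10, embedded_db=True)

if __name__ == "__main__":
    for line in SAMPLE:
        print(line)
```

An empty result means none of the constraints encoded here were triggered; it does not replace the release notes or the supported upgrade path review.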

Things to know before you get started

The following table lists the recommended routine maintenance tasks you should perform before you upgrade. Maintenance may include disk error checks, defragmentation of the hard drive, or other routine health checks.
Recommended routine maintenance tasks
Insufficient disk space
Ensure that the management server has enough disk space to perform the upgrade. For a successful Symantec Endpoint Protection Manager upgrade, free space should be at least three times the size of the database. Consult the system requirements for the free space that is required to install the Symantec Endpoint Protection client. See:
Proxy servers
Ensure that you have made the proper exclusions to any peripheral firewall or proxy to ensure successful communication with all Symantec servers. See:
Scanning exclusions
Steps to upgrade
For general information on upgrading Symantec Endpoint Protection, see:
Upgrading unsupported languages
As of 14.3 RU2, both the Symantec Endpoint Protection Manager (SEPM) and the clients are translated into five languages only: English, Brazilian Portuguese, French, Japanese, and Spanish. When you upgrade the SEPM from a non-supported language, SEPM automatically upgrades to English.
If you want to upgrade to a different supported language, such as from Czech to French, before you upgrade, see:
To upgrade an unsupported language on the Windows client, see:

Best practices

Back up before you upgrade
As a best practice, always back up the Symantec Endpoint Protection Manager database before an upgrade. See:
Use the Upgrade Clients with Package wizard to upgrade existing Windows and Mac clients.
You may want to schedule AutoUpgrade for after hours, due to possible bandwidth usage. You can stage client packages on a web server, and then run Upgrade Clients with Package. There are alternate methods to deploy the upgrade package as well, such as through the Client Deployment Wizard. See:
Fresh install of Symantec Endpoint Protection Manager
You can use the Communication Update Package to connect existing clients to a new installation of the Symantec Endpoint Protection Manager, for example, if you decommission an existing server and install Symantec Endpoint Protection Manager to a new server instead. Create a new client installation setting that resets client-server communications settings, and then deploy the Communication Update Package in the same way as clients:
Help > Getting Started Page > Install the client software on your computers
You can also reset the client-server communications settings for Mac computers with a client installation setting.
After the clients are connected, you can upgrade the clients with AutoUpgrade. See:
Symantec Endpoint Protection clients can be used to protect virtual instances of the supported operating systems. Symantec Endpoint Protection Manager can be installed and managed on virtual instances of the supported operating systems. Symantec Endpoint Protection includes additional management options for virtual clients, such as Shared Insight Cache and a separate configuration option for purging offline non-persistent GVMs. See:
Disaster recovery preparation
Before you begin the upgrade, ensure that you have backed up the current Symantec Endpoint Protection Manager installation using disaster recovery preparation techniques. If the upgrade then fails, you can restore the Symantec Endpoint Protection Manager to functionality more quickly.
To recover an installation after a failure, due to database schema and other changes, you must reinstall using the exact version previously in use. See:

Frequently asked questions (FAQs)

Q: Where do I get the current version of Symantec Endpoint Protection?
From the Broadcom Support Portal. See the following page for guidance:
Contact Technical Support for additional assistance:
Q: How do I activate my license?
After you log on to Symantec Endpoint Protection Manager, click Help > Getting Started Page, under Required Tasks
Q: What are the upgrade methods? When should each method be used?
There are many methods available to upgrade clients. Decide which method is most appropriate for the situation. Every situation is different, so Symantec provides many different methods for accomplishing this goal:
  • AutoUpgrade: Assign client packages to groups in the management console, either manually or by using the Upgrade Clients with Package
  • Local installation from the installation file or installation media.
  • Run the Client Deployment Wizard from the management console. The Client Deployment Wizard walks you through the creation of a client package. You can then choose to deploy by emailing a web link to users or by a remote push. You can also save the package for local installation or for deployment with a third-party deployment tool.
Before you begin, ensure the client computers are ready to receive an upgrade package. See:
Q: What's the recommended migration order? What do I upgrade first in my environment?
The recommended order to upgrade is as follows:
  1. Symantec Endpoint Protection Manager
  2. Group Update Providers
  3. The remaining clients as needed
Q: Can I continue to manage Windows 2000 and Symantec Endpoint Protection 11.x clients?
Q: How can I generate a list of Symantec Endpoint Protection versions installed in my environment?
Generate this list using
. See: