
Upgrade clients to SEP 12.1 by Auto upgrade feature

Created: 13 Jan 2012 • Updated: 08 Jan 2014 | 38 comments
Chetan Savade
+16 16 Votes

Hello,

The AutoUpgrade feature is available in Enterprise Edition only; it is not available in Small Business Edition.

The AutoUpgrade process lets you automatically upgrade the Symantec Endpoint Protection client software for all the clients that are contained in a group.

Upgrade existing SEP clients to the latest version by using the AutoUpgrade method.

Log on to the console --> Admin --> Install Package --> Upgrade clients with package

[Screenshot: Auto upgrade wizard screen]

Select the package that you would like to assign to groups. If you wish to apply both packages, you will have to follow the same procedure.

Select the required group or groups. For example, I have selected Group-2 & Group-3.

Select the source that provides the upgrade package.

The first option is "Download from the management server"; it's useful if all the clients reside on the LAN segment.

The second option is useful if you have multiple sites with multiple clients and, as an administrator, you don't want clients to come over the WAN link to fetch the upgrade package, which would increase the load on the WAN link or choke it. To avoid this situation, select the second option.

How to upgrade a client from a non-manager server using the "Download the client package from the following URL (http or https)" option.

http://www.symantec.com/docs/TECH106181

A forum article is also available on the same topic:

https://www-secure.symantec.com/connect/articles/how-auto-upgrade-remote-site-clients-using-iis

After finalising the client upgrade method, you can schedule the client upgrade.

Click on the Notification tab; you have the following options:

1. Whether or not to notify the end user

2. Whether or not to allow the user to postpone the upgrade process

After setting the upgrade schedule with the required settings, click Next.

The upgrade wizard completion screen will come up.

Go to the Clients tab and select the group where the package is assigned; we can see that the package is successfully added.

It is also applied successfully to Group-3.

If you do not configure a schedule, clients will start the auto upgrade at their next heartbeat interval.

This process takes some time to upgrade all the clients, depending upon the number of clients in the network.

Note: You must test the AutoUpgrade process before you attempt to upgrade a large number of clients in your production network. If you do not have a test network, you can create a test group. You can add a few non-critical clients to the test group and upgrade them by using AutoUpgrade. You can confirm the upgrade completed successfully by verifying the version number of the client software that appears in the About dialog box.

It's always recommended to have Symantec Endpoint Protection Manager and SEP clients on the same version. 

Public KB:

Upgrading clients by using AutoUpgrade

http://www.symantec.com/docs/TECH96789

 

About SBE

Your Symantec Endpoint Protection Small Business Edition clients will upgrade automatically once the Symantec Endpoint Protection Manager has been upgraded. No further action is required on your part to complete the upgrade process.

If you would like to manually upgrade the clients to the latest version please see:  

How to deploy a Symantec Endpoint Protection Client from the Symantec Protection Center (SPC) Console

However, to disable the auto-upgrade feature for clients:

  1. Login to the Symantec Protection Center Console.
  2. Select the Computers page.
  3. Under My Company select the group that includes the clients you would like to prevent from using the auto-upgrade feature.
  4. Under Tasks select Edit the group properties.
  5. Click the checkbox for Disable Automatic Client Package Updates.
  6. Click OK.

Reference: http://www.symantec.com/docs/TECH97535

It's always recommended to have Symantec Protection Center and SEP clients on the same version. 

 

You can download this information in PPSX format also.

      

38 Comments

Neil Brooks

Are there any logs on the client that can troubleshoot this?

I have a number of clients that do not seem to get notification of an update (or are being ignored by the users).

(SEPM 12.1 RU1, clients on Windows XPSP3, SEP versions 11.0.6x)

0
Chetan Savade

You can try to collect Sylink monitor logs from affected machines.

Also try restarting the Symantec service on the client machine and check.

To restart service go to

Start --> Run --> smc -stop

Start --> Run --> smc -start 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

+2
MrLateeBrown

I waited for several hours, tried implementing a scheduled time to try to force the install, looked at several articles on 'Upgrade Clients with Package' and restarted the SEPM a couple of times, but it took 'restarting symantec service', the step recommended above, to get it to work for me. Thank you Chetan Savade!

0
Dushan Gomez

Do you mean restarting the SEPM server service?

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

0
MrLateeBrown

Yes to restarting the SEPM Service. 

It seemed after I ran the steps above my reply on the SEPM Server, the Auto upgrade feature started working.

+1
Dushan Gomez

yes man, you are right !

Thanks for this simple advice :-)

Dushan Gomez

0
John Santana

Hello all,

Does upgrading the client from SEP 12.1 RU1 into SEP 12.1 RU1 MP1 require any reboot?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Chetan Savade

Hi,

Reboot is not mandatory while doing an upgrade from SEP 12.1 RU1 to SEP 12.1 RU1 MP1.

To stay on the safe side, always configure the installation settings with "no restart".

Creating custom client installation packages in the Symantec Endpoint Protection Manager console version 12.1

http://www.symantec.com/docs/TECH165801

How to create a new custom 'Client Install Settings' template with SEP 12.1
http://www.symantec.com/docs/TECH164754

Chetan Savade

+1
John Santana

Chetan, thanks for the clarification, now I can sleep peacefully over the weekend since the MP1 upgrade should be seamless for all Workstations and Servers :-)

Assuming I have created the install package and then assigned them to each of the groups, it will then be applied / upgraded based on the version within the deployment time window defined.

Kind regards,

John Santana

0
LeandroC

Hello all,

I'd like to know: when upgrading clients from SEP11 to SEP12 by using AutoUpgrade, will the SEPM generate a content delta? Or will the clients receive the full package?

 

Thanks!!

 

 

 

0
John Santana

Hi Leandro,

AFAIK upgrading SEP v 11 into v12 will cause reboot which means that it is a completely new upgrade for the drivers and other binaries.

Kind regards,

John Santana

0
Chetan Savade

Hi,

While doing an upgrade from SEP 11.x to SEP 12.1, clients will receive the full package because it's a completely new install. A reboot is mandatory while doing an upgrade from SEP 11.x to SEP 12.1.

While doing an upgrade from SEP 12.1 RU1 to SEP 12.1 RU1 MP1 it would be delta updates.

 

 

Chetan Savade

+2
John Santana

Thanks Chetan !

Kind regards,

John Santana

0
A. Wesker

Hi Chetan,

 

Really nice article.

I have a doubt about something related to Auto-Upgrade.

Let's say for example you already have Full Protection installed on your clients.

If suddenly you would like to remove a feature from these clients, so you create a custom package without the features you don't want and you assign this custom package to the OU/Group.

SEP packages are on same version, you uncheck the option "Maintain existing client features when updating".

What will be the results ?

Clients will download the full package and then remove the feature not wanted ?

Or

SEP features that you won't have anymore in the custom package will be uninstalled on the client side without downloading a heavy SEP install package again?

Reason: For some specific environment like 1k+ machine with WAN, it would be a pain that SEP clients get all the package and not interacting just with the differences between what is currently installed and what features are present on the custom package assigned to the OU/Group.

I'm currently doing the test cause I have a doubt about that but if you know the answer, it would be great ;-)

 

Kind regards,

A. Wesker

 

 

0
Chetan Savade

Hi,

Q. If suddenly you would like to remove a feature from these clients, so you create a custom package without the features you don't want and you assign this custom package to the OU/Group.

SEP packages are on same version, you uncheck the option "Maintain existing client features when updating".

What will be the results ?

Clients will download the full package and then remove the feature not wanted ?

--> No, I believe it should be delta updates only; however, a reboot would be required to show the desired results.

Chetan Savade

+2
A. Wesker

Hi Chetan,

 

Thank you very much for your feedback.

I did various tests and it's confirmed. It mostly requires a reboot if there are some features to add compared to the current existing install on the client; otherwise, if some features need to be removed, no reboot is required by the product, so it's a sort of delta which is retrieved, so you're absolutely right ;-)

Thanks again.

 

Kind Regards,

A. Wesker

 

+3
Ilano

Hey guys,

The installation/upgrade process is made before the boot?

 

It may happen an impact after the boot?
 
Regards,
Ilano

Ilano Albuquerque

0
Chetan Savade

Hi,

The installation/upgrade process is made before the boot however reboot is mandatory to complete the upgrade process 100%.

If upgrading from SEP 11.x to SEP 12.1, then the upgrade completes after the reboot, because it's a side-by-side upgrade.

 

Chetan Savade

+1
Ilano

Thanks Chetan!

Did u see any impact after boot?

 

Regards,

Ilano Albuquerque

0
Chetan Savade

Hi,

No as such, only check the scan settings means when they are configured to trigger.

In SEP 12.1 RU2 we have a new feature i.e. ELAM.

Early Launch Anti-Malware Driver:

Early launch anti-malware (ELAM) protects client computers from threats that load at startup. Symantec Endpoint Protection includes an early launch anti-malware driver that works with the Microsoft early launch anti-malware driver to provide the protection. The settings are supported on Microsoft Windows 8.

The early launch anti-malware driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the Symantec Endpoint Protection driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Symantec Endpoint Protection driver then passes the information to Windows to decide to allow or block the detected driver. The Symantec Endpoint Protection settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. By default, Windows allows unknown drivers to load. You might want to select the override option if you get any false positive detections that block an important driver. If you block an important driver, you might prevent client computers from starting up.

The Windows early launch anti-malware driver must be enabled for the Symantec Endpoint Protection settings to take effect. You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows 8 documentation for more information.

Path: SEPM --> Virus & Spyware Protection --> Edit assigned Policy --> Protection Technology --> Early Launch Anti-Malware Driver

Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options

http://www.symantec.com/docs/HOWTO81106

Chetan Savade

+2
John Santana

Hi Chetan,

Does the ELAM feature work only on Win 8 automatically?

How about Windows XP and Windows 7 clients, does the ELAM feature not work at all?

Kind regards,

John Santana

0
Chetan Savade

Hi,

In this article http://www.symantec.com/docs/HOWTO81106  it's mentioned that these settings are supported on Microsoft Windows 8.

I believe for Windows XP and Windows 7 this feature is not available.

Chetan Savade

+2
John Santana

Cool, that does make sense.

Thank you Chetan for your clarification.

Kind regards,

John Santana

0
GarethNZ

Hi, today I've pointed some of our SEP 11 clients to a new server running SEPM 12.1.2, I added an install package for SEP 12.1.2 and SNAC 12.1.2, and set it to notify the user. I configured this a few hours ago, but I have not seen any notification yet, is there a way to force it? I don't want to do a remote push, I want to test that SEP will update itself and I want to see the notification and then the prompt for a reboot. I restarted the Symantec Endpoint Protection Manager service as suggested above by MrLateeBrown (I think that was the right service), but that didn't help, and all clients went offline, they are slowly coming back online.

Communication settings were set to download Pull Mode, Heartbeat 2 hours, Download Randomization 1 hr, I changed to Push, 5 minutes and off. Should that mean it upgrades SEP client faster?
I created a new Client Install Settings and set the log to C:\ProgramData\Symantec\Symantec Endpoint Protection\Logs\SEP_INST.LOG, I wasn't sure where %temp% was for the installer service? There is no log file there on my test PC.
Thanks

+1
John Santana

Hi Gareth,

In the Install Packages tab, for each upgrade package, have you set the "Upgrade Schedule" time frame?

Kind regards,

John Santana

0
GarethNZ

Hi John, I left Upgrade Schedule unticked, do I need to tick it? I got the notification after I rebooted my PC, I shouldn't need to reboot to trigger it right? Thanks.

+1
John Santana

GarethNZ, no you don't need to.

The check box means that the upgrade or the installation will be randomly pushed at the specified time window; no check box means immediately push the install.

Kind regards,

John Santana

0
Chetan Savade

@GarethNZ

Q. Communication settings were set to download Pull Mode, Heartbeat 2 hours, Download Randomization 1 hr, I changed to Push, 5 minutes and off. Should that mean it upgrades SEP client faster?
--> Yes, it should upgrade the SEP client faster.

Have you seen any difference after doing these changes?

 

Chetan Savade

+2
GarethNZ

I'm not sure how long I left it, but rebooted anyway, then saw the SEP upgrade notification and I let it install then reboot. I've just connected to my PC from home and can tell it has rebooted again, so I assume the SNAC upgrade has run and then rebooted. When I double click SEP icon I get UAC prompt (SEP 11 didn't do this, is this normal for 12?), I put in admin creds but SEP 12 window never opens. I'll do some research on that in the morning.

Thanks for your help, learning more about SEP every day.

0
Chetan Savade

Hi,

Asking for username & password while opening SEP GUI?

Chetan Savade

0
GarethNZ

Yip, UAC prompt asking for admin username\password when opening SEP 12.1.2 GUI.

0
John Santana

That could be the policy that is enforced to avoid user to disable the AV.

Kind regards,

John Santana

0
Chetan Savade

If a password is configured via SEPM, then it will ask only for the password to open the SEP GUI. It won't ask for both, i.e. username and password.

 

Chetan Savade

0
dimago

Hello, Nice article, congratz...

I have some doubts about it.

Is port tcp/8014 used for this feature? So, the package setup.exe is sent to the client by tcp/8014?

Where the setup.exe stays in the client? (What folder, path)

Is there any easy way to check if the client is upgrading?

I created a group with SEP 11 machines, and created 2 packages, 32 and 64 bits, to deploy.

I feel it is so slow to happen... I really think that nothing is happening, for real.

My manager is 12.1.4 and clients and manager are in the same subnet. (Lan)

Thanks,

 

Diego

 

0
Chetan Savade

Hi,

For push deployment it uses TCP 139 and 445 port.

Client will store the downloaded package (delta or full.zip) to %SEPInstallPath%\download first (e.g. c:\program files\symantec\symantec endpoint protection\download), then generate the new install package to %SEPInstallPath%\SmcLu (for 11.x, e.g. c:\program files\symantec\symantec endpoint protection\SmcLu) or %SEPInstallPath%\{VERSION.EN_US}.105\Bin(Bin64)\SmcLu (for 12.1).

SEP 12.1 employs a side-by-side, replace on reboot installation strategy. Side-by-side means that new files are written to a new folder, referred to as a silo, isolated from the existing operational folder. Because the two versions are separated from each other, during a migration the older software is left running unchanged until the next reboot.

The primary benefit of side-by-side installation and replace on reboot is that the system continues to be protected by the existing software until the new version is in operation after the reboot.

This technique enables you to change the normal portion of the installation path during a migration, when applicable. 

Make sure clients are configured to reboot after successful upgrade.

Chetan Savade

0
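
The folder locations given in the reply above offer a quick way to see whether a client has received an upgrade package. The following PowerShell is an added example, not part of the original thread and not a Symantec tool; the function name, the default install path (the example path quoted in the reply) and the 24-hour window are assumptions.

```powershell
# Added example, not part of the thread: summarise AutoUpgrade staging on one SEP client.
# Folder names (download, SmcLu, Bin, Bin64) are the ones quoted in the reply above.
# Get-SepUpgradeStaging is a hypothetical helper name; the default $InstallPath is the
# example path from that reply and must be changed for clients installed elsewhere.
function Get-SepUpgradeStaging {
    param(
        [string]$InstallPath = 'C:\Program Files\Symantec\Symantec Endpoint Protection',
        [int]$RecentHours = 24   # assumption: what counts as "recent" activity
    )

    if (-not (Test-Path -LiteralPath $InstallPath -PathType Container)) {
        throw "SEP install path not found: $InstallPath"
    }
    $cutoff = (Get-Date).AddHours(-$RecentHours)

    # Where a package can be staged: the download folder, the 11.x SmcLu folder,
    # and, for 12.1, <version folder>\Bin\SmcLu or <version folder>\Bin64\SmcLu.
    $candidates = @(
        (Join-Path $InstallPath 'download'),
        (Join-Path $InstallPath 'SmcLu')
    )
    $silos = Get-ChildItem -LiteralPath $InstallPath | Where-Object { $_.PSIsContainer }
    foreach ($silo in $silos) {
        foreach ($bin in 'Bin', 'Bin64') {
            $candidates += Join-Path (Join-Path $silo.FullName $bin) 'SmcLu'
        }
    }

    foreach ($folder in $candidates) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }

        # Files only; unreadable entries are skipped rather than aborting the report.
        $files = @(Get-ChildItem -LiteralPath $folder -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1

        $newestWrite = $null
        $totalBytes  = 0
        if ($newest) {
            $newestWrite = $newest.LastWriteTime
            $totalBytes  = ($files | Measure-Object -Property Length -Sum).Sum
        }

        [pscustomobject]@{
            Folder         = $folder
            FileCount      = $files.Count
            SizeMB         = [math]::Round($totalBytes / 1MB, 1)
            NewestWrite    = $newestWrite
            RecentActivity = [bool]($newest -and $newest.LastWriteTime -ge $cutoff)
        }
    }
}

# Run on the client being checked; needs PowerShell 3.0 or later.
Get-SepUpgradeStaging | Format-Table -AutoSize
```

Recent files in the download or SmcLu folders show that a package has reached the client; as the reply notes, the new version only takes over after the reboot.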
dimago

Thanks for the fast reply Chetan...

After upgrade, the package is forced to reboot the client.

About the transfer, so it works by:

SEPM --> Client tcp/139, 445, MS Share...

0
hforman

For those asking some questions, we have done this and it worked perfectly but there are some things to remember:

 

1) In the scheduling part, regardless if you check the box or not, the number of days is still important.  If you want it done fast (maybe TOO fast), set the number of days at zero.  I would not do this if you have concerns about bandwidth.

 

2) There is still the matter of seeing when the workstation checks in to receive the update.

 

3) Going from 12.1.3 to 12.1.4 requires TWO (2) reboots.  One was just after the install and the other was to do some NTP change.

 

4) If there is not enough disk storage on the client, this won't work.  I don't think it removes the old client and then does the install.  I think it installs over the top.

 

5) Drive letters: if something other than C: (system drive) then there may be an issue where you need to adjust the install drive.  Something to check. Button for Upgrade settings

 

6) In some cases, I had to do a push install due to the different drive letters involved.  There will always be a few exceptions to anything.  SEP-INST.LOG should help but this will do the bulk of it.  This may be found under the button "Upgrade Settings"

 

7) DO NOT trust the end users to do the install.  I keep it quiet and hush-hush.  I keep them in the dark.  None of my users will do anything when notified except click cancel or hit the escape key.

0