Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Upgrading SEP Clients using SEPM

Created: 10 Sep 2009 • Updated: 11 Sep 2009 | 8 comments
Language Translations
jeffwichman's picture
+5 5 Votes
Login to vote
Here is a quick and dirty (two part) article on using the Symantec Endpoint Protection Management (SEPM) platform to deploy Symantec Endpoint Protection (SEP) client updates. In reality there are a multiple ways to deploy upgrades (and reasons for using each) I will only be covering the methods I am familiar with.
 
Section 1: First method
 
One of the first methods I have used for testing the Symantec updates is by importing the setup files into the SEPM server. This is in my opinion the fastest, easiest, and safest way to test the updated client without having to update your entire SEPM infrastructure first.
 
To start you will need the Symantec Endpoint Protection setup files from the latest release. Extract the SEP folder from the release to a location on your management server.
 
Now open your SEPM console and click the Admin navigation button.
 
SEPMConsole1.JPG
 
Now under tasks click the Install Packages. You should end up at a screen like below although your number of packages might vary…. There is a reason for maintaining packages which I will explain at the end of this article.
 
SEPMConsole2.JPG
 
Now click the Add Client Install Package shown in the below image.
 
SEPMConsole3.JPG
 
This opens the Add Client Install Package dialog window. (Shown below) Provide a logical name for your package (I normally put in Symantec MR# MP#) or something similar. Click the browse button… navigate to your extracted SEP files from the latest build. Select the setup.exe file and click OK. Enter a short description for this install package if you desire. Click OK.
 
NOTE: You cannot add the same package multiple times (nor should you… you’re wasting space). Even if you name the package something different, you will encounter an error trying to import the package.
 
Now if you are importing a new package you will get the following screen.
 
Importing_Package.JPG
 
Bang! You just imported a new package into your SEPM infrastructure… jump section 3 to learn about configuring your install package settings
 
Section 2: Second method
 
Probably the easiest way to get packages into the SEPM infrastructure is to upgrade your company SEPM servers. If you are like me though, (with five SEPMs) you will follow the previous approach to upgrade clients before the SEPMs. I have not had any issues with upgrading the SEPM servers, but it is easier for me to replace a client than a server in the event of a corrupt database.
 
Follow the prompts to install the latest package on your SEPM server. If you have multiple SEPM servers reporting to a central database you stop all of the SEPM services (on the other servers).
 
Now to explain why you will want to maintain your previous versions of SEP install packages in your SEPM infrastructure (at least for a little while). Keep in mind though each package is stored in the database and takes approximately 180 MB. Plan accordingly.
 
  • From my experience updating the client software is similar to updating your definition files. When your SEPM server contains the previous versions your clients can perform delta upgrades. This can cut down the amount of bandwidth, time, and resources required to perform the upgrades. (I could be wrong here… it’s been a while since I tested this part of the installation push) Anyone from support let me know if my information is incorrect and I will gladly adjust this document.
 
Section 3: Configuring your install package settings.
 
This is an important part of your SEPM infrastructure management. You can use the default settings however it might be worthwhile to customize your installation parameters for your environment.
 
Let’s start by looking at what we can do with the Client Install Settings. Click on the Add Client Install Settings shown in the image below.
 
Client_Install_Settings1.JPG
 
This will bring up the Add Client Install Settings window. You’ll find a couple of important settings in here that can allow some good control over the installation.
 
Client_Install_Settings2.JPG
 
As you can see we will need to provide a name and description for our Client install settings. The name is important (as we will see later) so choose something that explains what you are doing.
 
Now, the good stuff allows you the following control over the installation process. 
  • Installation Type
    • Interactive – users interact with the install process
    • Unattended – users not allowed to interact with the process but see a windows progress dialog box (not supported on Microsoft Vista)
    • Silent – Users do not interact or see the installation progress
  • Restart Option
    • Restart – only required for firewall installation, but still a good practice
    • Do not restart
  • Installation directory – default \\Program files\Symantec
  • Installation logging – enabled by default
  • Add the program to the Start Menu – Want your users to see the Symantec console options under the start menu?
  • Update Settings
    • Maintain all logs, policies, and client-server communication settings
    • Remove all previous logs, and policies, and reset the client-server communication settings. – if you need to move to a new server, new group, or have other communication issues… it’s a great option to enable.
 
Below are my default installation settings for clients with communication issues.
 
Client_Install_Settings3.JPG
 
If you need additional assistance with this section click on the Help button for the Symantec help files.
 
Section 4: Configuring your install package features.
 
Now let’s configure our Client Install Feature Sets. This will allow you to build a custom installation package with ONLY the components you want your environment to run. Don’t want Application and Device Control or Lotus Notes Scanner? This is where you configure what you want.
 
Again, provide a name and description that tells you what this package is for. After that you can select any of the options in the following image that your infrastructure requires.
 
Client_Feature_Set1.JPG
 
 
In the next article we will go through the options I’ve used for deploying updates to your SEP clients.

Comments 8 CommentsJump to latest comment

jeffwichman's picture

The second part of this article is already submitted.  Simply waiting for one of the admins to approve/publish.  Once it is available you will be able to quickly find it here.  https://www-secure.symantec.com/connect/articles/upgrading-sep-clients-using-sepm-part-2

0
Login to vote
jeffwichman's picture

If anyone was wondering... part two hasn't been published yet.  I think it was simply overlooked by the moderators who approve the content since I did get points for the article... unless they want to give me points for not posting articles.  ;)  In that case I have a lot of articles I don't want to submit. 

+1
Login to vote
Int3rn3t's picture

good pictorial information.

0
Login to vote
shp's picture

Good Info.... thanks... 

Regards,
Srinivas H.P.
HCL Infosystems Ltd

0
Login to vote
illusion's picture

I have used for testing the Symantec updates is by importing the setup files into the SEPM server. This is in my opinion the fastest, easiest, and safest way to test the updated client

0
Login to vote
steffen910's picture

good article

0
Login to vote
Adamster's picture

I just want to roll out an update to one workstation and not the whole group? do I have to make a group and add that workstation to that group?

0
Login to vote
pete_4u2002's picture

yes, that's way to do it.

0
Login to vote