Endpoint Protection

We're beginning to apply the autoupgrade from version 12.1.4 to 12.1.6 MP1 this week for both our server and workstation clients.  As we do not force the reboot of servers we were looking to coordinate with our server team to do the reboots.  We have 23k clients in all and my manager wants to to set the autoupgrade for 1 day and to provide our server team with batches of servers to be rebooted prior to moving forward.  As the checkins are set for every hour should I expect that by the following  night they should have all downloaded the files or given the number of clients should I consider that there may be some delay?  And if so is there a particular method that the SEPM uses to prioritize distribution?

23k client in 1 day, is that the plan or are you spacing this out? Yea if you set it for 1 day they will get the upgrade cue to upgrade but each client pulling down a package could cause you some bandwidth issues.

There are some best practices:

Upgrade Endpoint Protection 12.1 clients using AutoUpgrade

To answer your question, no sepm does not prioritize the request, its simply follows first come first serve methodology. it is never advisable to upgrade such a high number of clients at one go. First and foremost the SEPM will not be able to share the package to so many clients within a day, as it will already be loaded with its regular activities like sharing the definition update and collect & processing the logs from the endpoints, secondly though you may have performed preliminary testing you may never know what sort of comparability issue may arise due to the upgrade. and finally not all the 23k clients will upgrade and report properly. so it is advisable to go in a phased manner especially for the upgrade.

Definitely think it would slam the network but that is what they are asking so I'm trying to get some numbers together.  I was thinking maybe divide it out over four days.

What I've always done is 500 clients split over 14 days. It's roughly 35 clients per day. A full package size is around 80-85MB and a delta is somewhere around 35MB.

That's fine if that's what you're told to do but I would warn them first so you don't incur the wrath when your network is clogged.
 

I did and I'm getting them to disperse it a little more.  A delta is only 35 MB?  I thought I read that it was bigger than that.  

Where are the figures?

Delta (31MB+):

Full (86MB+):

whenever you use the inbuilt auto upgrade feature the major advantage is that your sepm will calculate the difference between the features in the existing version and the new version and share only the incremental difference to optimize the bandwidth so yes the package size will be usually lesser than the normal package that we create. 

Note: Please be sure to disable the sep client password to uninstall sep client as this will prevent the auto-upgrade feature from functioning.

Hi,

Thank you for posting in Symantec community.

Test the AutoUpgrade process before you attempt to upgrade a large number of clients in your production network. If you do not have a test network, you can create a test group within your production network. For this test, you add a few non-critical clients to the test group and then upgrade them by using AutoUpgrade.

SEPM does not prioritize distribution.

For 12.1, on client side, SEP will send request to SEPM to request a delta first, if SEPM  contains packages of both the current version(e.g. version 12.1 RU4) and the target version (e.g. 12.1 RU6 MP1) , no matter what's the package check sum, then a delta will send to client. Client will send another request to ask for the full if failed  to apply the delta

Auto-upgrade for '1' day will not able to upgrade all 23K clients in one go. You should leave this setting to '8' days minimum. You must change that period. As per my information SEPM does upgrade only 10 clients in one go to reduce load.

To avoid server reboot make sure custom package with custom settings (Do not reboot) is applied. For other clients assign another custom package were reboot settings are configured, reboot is mandatory to show the latest version.

Thank you both.  

Another question:  Once the client acceptst he current package how long before it downloads the files and is read for reboot?  (these are test clients that have the package assigned to them with a distro of 0)

It should happen fairly quickly then assuming no issues were detected by the client installer. Can't give an exact time but < 1 hour.

There isn't any formula how much time it may take but ideally SEPM starts immediately client upgrade process & once the client upgraded successfully it will prompt for reboot or make a force reboot depending upon settings.

Thanks.

I need to disable the uninstall password Praveen?  I don't remember needing to do that last time.

Should be no reason to disable it with auto-upgrade. I've always kept the uninstall pw in place for upgrades and it's never been an issue.
 

Great.  Thanks all.

welcome