
How to create a live update policy

Created: 06 Oct 2012 | 9 comments


I have Symantec Endpoint Protection Manager 12.1.100 in which I have created many groups. Now I want to create a separate LiveUpdate policy for one of the groups to schedule it for getting updates at a specified time. Can you help me out with this?
Also, can you please let me know the difference between shared and non-shared policies?



pete_4u2002's picture

Open a SEPM console, click on the Policies tab, create a new LU policy and configure it according to your requirements.

A shared policy means the policy is shared by more than one group.

A non-shared policy is a policy used only by the specific group.

Ashish-Sharma's picture


About shared and non-shared policies

Policies can be either shared or non-shared. A shared policy applies to any group and location. If you create shared policies, you can easily edit and replace a policy in all groups and locations that use it. You can have multiple shared policies. 
You can apply shared policies at the My Company group level or a lower group level and subgroups can inherit policies. 
A non-shared policy applies to a specific location in a group. You can only have one policy per location. You may need a specialized policy for a particular location that already exists. In that case, you can create a policy that is unique to a location.
You can apply one policy to a group or location or you can apply separate security policies to each location in a group. For example, take a group that has been assigned multiple locations. Users may need to connect to an enterprise network by using different locations when in the office or when at home. You may need to apply a different policy with its own set of rules and settings to each location.
You apply a separate policy to each group of users or computers. Remote users typically use DSL and ISDN for which you may need a VPN connection. Other remote users may want to dial up when they connect to the enterprise network. Employees who work in the office typically use an Ethernet connection. However, the sales and marketing groups may also use wireless connections. Each of these groups may need its own Firewall Policy for the locations from which they connect to the enterprise network.
You may want to implement a restrictive policy regarding the installation of non-certified applications on most employee workstations to protect the enterprise network from attacks. Your IT group may require access to additional applications. Therefore, the IT group may need a less restrictive security policy than typical employees. In this case, you can create a different Firewall Policy for the IT group.
When you create a new policy, you typically edit a default policy. A default policy always includes default rules and security settings.

Configuring a LiveUpdate Settings policy

Thanks In Advance

Ashish Sharma

Anishk's picture


Thanks for the Post.

Please let me know the difference between the following two methods of creating Live update policies for a specific group.

1st Method: Click on Clients, go to the group, within that group go to the Policies tab, click on the LiveUpdate Settings policy, Edit settings, Server settings, check both 'use the management server' and 'use a live update server' - 'use the default Symantec live update server', and then on the 'Schedule' tab, change the schedule time as per our convenience.

2nd Method: Click on Policies, go to LiveUpdate, Add new policy, Server settings, check both 'use the management server' and 'use a live update server' - 'use the default Symantec live update server', and then on the 'Schedule' tab, change the schedule time as per our convenience. Also, to identify the group for which we want to make the changes, mention the group update provider for that group.

I am confused by these two methods of scheduling LiveUpdate policy settings. Do both ways have the same effect?


Ashish-Sharma's picture


Check this article:

Symantec Endpoint Protection Manager 12.1 - LiveUpdate - Policies explained



Internal or External LiveUpdate Server

Select one of the following options:

• Use the default management server

Downloads the content updates from the Symantec Endpoint Protection Manager. This option is recommended for most organizations. The option is the simplest and requires no configuration other than applying the policy to a group. Select this option if you use a Group Update Provider.

• Use a LiveUpdate server

Downloads the content updates from either the default Symantec LiveUpdate server over the Internet, or from an internal LiveUpdate server. You can specify multiple internal LiveUpdate servers for failover support.

If you enable both options, clients try to retrieve updates from both sources. You typically do not enable both options unless you have a specific reason. If the server provides named update versions to clients, and the clients have previously downloaded the latest updates from a LiveUpdate server, the clients do not download and install the named (previous) versions.

Group Update Provider (GUP)

Use one or more Group Update Providers

Specifies one or more computers to act as a LiveUpdate server for the group. For example, you might want to create a Group Update Provider to conserve bandwidth to clients in a remote location over a slow link. In this scenario, the Group Update Provider downloads the latest updates from the server. The Group Update Provider then updates the clients in the group. If the Group Update Provider is offline, the clients contact the server for the updates.

The Group Update Provider can reside in any group.

Note: The Group Update Provider is available only for Windows clients.

Third Party Management (TPM)

Enable third-party content management

Enables third-party tools such as Microsoft SMS to provide updates to client computers securely.

To use this feature, you must set up the Symantec Endpoint Protection Manager to use as a staging server for content. This staging server does not require that the clients be connected to it. Configure the server to download updates on a periodic schedule. If you use continuous, the server downloads the latest updates when they are posted.

By default, the updates appear in the Default group's clients' content outbox folders. These folders are organized by content type. You can then pick up one or more content packages from the content outbox folder and deliver it to the client's inbox folder.

To ensure that only third-party management tools update client computers, disable the other LiveUpdate server options on this page.

Note: Third-party content management settings are applied to Windows clients only.

LiveUpdate Proxy Configuration

Configure a proxy server to use for LiveUpdate from the default Symantec LiveUpdate server or from a specified internal LiveUpdate server.

This proxy server is used only for LiveUpdate and not for any other external communications.

Thanks In Advance

Ashish Sharma

Ch@gGynelL_12's picture

When you perform the first method, the policy you've created is only effective within that group and no other group/s can inherit that policy. But when you perform the second method, the policy you've created will be effective for your assigned group/s. This policy can be inherited by and effective for any of your groups if it is assigned to them.

Hopefully this helps.

Mithun Sanghavi's picture


In SEPM, go to Clients -> highlight the corresponding group -> Policies, and click on the LiveUpdate policy which you want to make a non-shared policy. It will prompt with three options; select create a non-shared policy. Then it will open the policy edit window; make the required changes and click OK.

The new non-shared policy will be assigned to that group. This policy cannot be assigned to any other group. If you want the same non-shared policy in other group, you have to do the same procedure there also.


In SEPM, go to the Policies tab, create the LiveUpdate policy, then right-click and assign it to the required group.

You can also assign a policy from Clients -> corresponding group -> Policies tab. For this, click on Tasks and go for Replace policy.

Check these Articles:

Symantec Endpoint Protection Manager 12.1 - LiveUpdate - Policies explained

About shared and non-shared policies

Performing tasks that are common to all security policies

Hope that helps!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Ashish-Sharma's picture


Have you received your answer?

Thanks In Advance

Ashish Sharma