Endpoint Protection

Hello,

as outlined by Sandra.G here refering to TECH163086, migrating the SEP Client via the MSI package (or setup.exe) from version 11.x to 12.1 uses a side-by-side technology. The installation run through, but only copies the files and creates a "Symantec Migration Service" (SepMasterServiceMig). At the next reboot, the service starts and migrates from 11 to 12.1.

My question: When implementing Microsoft (security) patches, Windows (Server 2008 R2 in this case) also often needs a reboot. Is migrating SEP and patching Windows during one reboot supported or at least possible?

Should be possible, I don't think SEP Upgrade/Windows Updates are applied at the same stage during the boot (some Microsoft Updates are even partially installed before reboot).

However, any additional changes might have side effects, depending on files modified by 3rd party (by Windows Updates in your case). So I would basically recommend to perform a first reboot during your scheduled maintenance/down-time to apply Windows Updates, then upgrade SEP to 12.1 and reboot once more to get it installed.

Although I agree with John Q, most likely any changes made by MS patch day on the system will have been flagged and a "pending system changes that require a reboot" before being able to continue will occur.  Thus, likely the MS patches will not install until the flag from SEP has been cleared (system rebooted) or vice versa, Symantec will be unable to continue it's installation until the system has rebooted.

The SEP installer does not raise either
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

So first SEP setup then patching might be possible.