Endpoint Protection

  • 1.  SEPM virus definitions out of date and will not update

    Posted Apr 16, 2014 10:07 AM

    I recently changed revisions from 30 to 5, and a week later half of my clients are not updating. Is there anything specific I need to change or look at in the console to have the clients update?



  • 2.  RE: SEPM virus definitions out of date and will not update

    Posted Apr 16, 2014 10:15 AM

    Are all SEP clients showing online? Do you have any GUP between the SEP client and SEPM?

    You will enable sylink debugging

    How to enable Sylink debugging for the Symantec Endpoint Protection 11.x and 12.1 client in the Windows Registry

    http://www.symantec.com/docs/TECH104758



  • 3.  RE: SEPM virus definitions out of date and will not update

    Posted Apr 16, 2014 10:29 AM

    Clients are communicating, and I think that a lot of the clients simply needed a reboot to clear up the definitions. But that still wouldn't explain why so many are out of date.



  • 4.  RE: SEPM virus definitions out of date and will not update

    Posted Apr 16, 2014 10:34 AM

    Typically reducing the number of retained defs should not affect the SEPM's ability to update its clients.

    What will change is the probability of it needing to send down full defs instead of deltas.  In your case, clients will receive full defs if they are (approximately) a day and a half out of date, whereas before they had to be 10 days out before requiring the full defs.

    One of the possible scenarios in which this change would prevent your clients from updating is if the available bandwidth does not allow the clients to download the full defs correctly.  This would only be a factor if the machines are regularly unavailable for more than 1.5 days at a time too.  Could this be the case?

    Admittedly, the scenario is quite unlikely, so I'd actually recommend following through the very useful article below to troubleshoot, and let us know the results:
    http://www.symantec.com/docs/TECH106034



  • 5.  RE: SEPM virus definitions out of date and will not update

    Posted Apr 16, 2014 10:34 AM

    Is there any GUP between the SEP client and SEPM?

    Maybe corrupt virus definitions are causing that issue.

    How to clear out corrupted definitions for a Symantec Protection Center and Symantec Endpoint Protection Client manually

    http://www.symantec.com/business/support/index?page=content&id=TECH98276



  • 6.  RE: SEPM virus definitions out of date and will not update

    Posted Apr 16, 2014 10:35 AM

    Did anything change on the policy side? Are the clients showing the green dot?

    What I would suggest is enabling sylink debugging on one affected client to see what's going on.



  • 7.  RE: SEPM virus definitions out of date and will not update

    Posted Apr 16, 2014 10:37 AM

    Incidentally, if it is a client problem, then getting them to perform a LiveUpdate from Symantec or slapping down the Intelligent Updater package (found at the link below) will generally help.

    http://www.symantec.com/security_response/definitions.jsp



  • 8.  RE: SEPM virus definitions out of date and will not update

    Broadcom Employee
    Posted Apr 16, 2014 11:41 AM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    Was there a specific reason to reduce the number of content revisions?

    The SEPM must have previous content revision downloads in order to create a "delta", or differential, capable of updating a client from its current content version to the most recent version of that content being stored on the SEPM.  The value of deltas is that content revisions are kept to a minimal size as they are sent across the network.

    To determine how many content revisions you should keep, consider the following:

    • For the majority of your clients how often do they communicate with their SEPM?
    • Historically, how long have your clients had to go without communication with their SEPM?
    • What disaster recovery scenarios must you consider and of what duration?

    The number of content revisions to keep should depend on the need to balance network bandwidth usage with the amount of hard drive storage availability on the SEPM. This setting should be made with the specific network environment's requirements and limitations in mind.

    Refer to this article to learn more about it: Best Practices for configuring the number of content revisions to keep in Symantec Endpoint Protection Manager:

    http://www.symantec.com/business/support/index?page=content&id=TECH92225