Endpoint Protection

Hi,

We were testing some Windows 8 machines.  SEP 12.1.14 doesn't play nicely with Windows 8.  Windows 8 wouldn't activate.  Office 2013 wouldn't update.  We've narrowed it down to Symantec.

I see 12.1.2 is out and works with Windows 8.

I'm studying the release notes, but if anyone out there knows the answers to these questions, that would speed things up....

Can we just use a client install to get a Windows 8 machine working with SEP?  That would be installing SEP 12.1.2 on the client machine and leaving 12.1.14 on our server.  Easiest solution.

I would like to upgrade the server side SEP management part though.  Is that just a matter of running the two installation exe's?  Symantec_Endpoint_Protection_12.1.2_Part1_Installation_EN.exe and Symantec_Endpoint_Protection_12.1.2_Part2_Tools_EN.exe  ?

With an upgrade, is it going to save all our settings on the management side?  Our manager/server SEP upgraded to 12.1.2 will still communicate with our client computers still on 12.1.14, right?

Once we've upgraded the server/manager to 12.1.2, will that automatically push out an update to all the clients, or do we have to manually update each one?  And will they still communicate with the server for updates, etc. in the meantime?

And to check -- Is the best method to upgrade the server manager and then the clients?

And we just do an upgrade with those two exe's on the server side?  Not a complete uninstall/reinstall right?

it looks like I can use these two files on the server.

Symantec_Endpoint_Protection_12.1.2_Part1_Installation_EN.exe and Symantec_Endpoint_Protection_12.1.2_Part2_Tools_EN.exe 

And then use the auto-upgrade feature to get the clients done.

http://www.symantec.com/business/support/index?page=content&id=TECH96789

I wonder if it matters how we initially installed SEP on the client computers.... Some were pushed from the server I remember.  For most we made a standalone installer exe so it had certain policies.  I don't have our computers split out by 32 vs. 64 bit...  I wonder if it's easier just to manually install or start over from scratch and make new installer files and then install those manually....

You can upgrade only a client even though it's at a newer version but be aware it's not supported.

Those are compressed files, you will need to extract them. Double click on them and select a location and the extraction will begin. Inside will be a folder called SEPM. This contains the upgrade.

Yes, all settings will be saved and older clients will still talk to newer SEPM.

You you can use auto upgrade deature to upgrade clients. It won't automaticalyl happen.

Yes, it is always best to upgrade manager first than clients.

Or this installer for the SEPM upgrade...

Symantec_Endpoint_Protection_12.1.2_SEPM_EN.exe

Those are just the compressed files, you need to extract first. Check this thread:

https://www-secure.symantec.com/connect/forums/latest-symantec-endpoint-protection-released-sep-121-ru2-and-sep-110-ru7-mp3

Sucessfully upgraded the server side.  Using this....

Symantec_Endpoint_Protection_12.1.2_SEPM_EN.exe

We've had success using enterprise activation files for Windows 8 and Office 2013 now.  Symantec was messing that up before.  So issue is solved.  (Time to upgrade everyone to Windows 8.  Haha...)

We made a new standalone installer file.  Installed.  Works.

Tried using the auto-upgrade feature.  It sounds like we can just upgrade the software "guts" without messing up the policies that way.  And it will upgrade 32-bit or 64-bit for us.  We just select 32, then 64, and the group, and let it go.  Is that right?

We're testing on a machine now.  I thought it would run at the next heartbeat -- Default is still set to 5 minutes.  Nothing's happened yet, even with a restart.  Is it waiting for the computer to be idle and then it will install the new version?  From the SEPM side, under the 'edit properties' on that machine it still shows the installed version as the old one, but the new version is the target.  When will it install the new version?

I'm hoping we can just tell all the machines to auto-upgrade and that will be it.  The biggest pain there will be getting users to restart (or dealing with SEPM forcing a restart after 24 hours). 

And I'm thinking the move to 12.1.2 is just for Windows 8 and Mountain Lion on the client side.  A new installer file should work fine for a new machine.  But for the rest of them still on 12.1.14 why bother upgrading them?  Is there really any point messing with upgrading the clients from 12.1.14 to 12.1.2? 

Yes, you can assign both 32 and 64 install package

It should receive the command on next heartbeart and start shortly after.

It's always good to maintain software consistency across the board to minimise any potential issues.

No luck so far.  The test machine isn't upgrading.   Hmm.... 

We tried to set it up again, but it says it's already deployed.

"The package 'Symantec Endpoint Protection version 12.1.2015 for WIN64BIT" is already deployed in the group "test3".

The SEPM properties still show it's current the 12.1.1 with a target of 12.1.2.   I wonder if the schedule is off....   It should have installed on the next hearbeat, right?

it would've gotten the command on the next heartbeat. It may take a short time to upgrade

I think we may have left the default "over 1 day" part still checked.  If that's the case....

And yes, a second test machine set at 'over the next 0 days' is upgraded after restart.

If we've got a few machines set 'over the next 1 day' to upgrade, how do I force those to do the upgrade right now?  Is there a way to do that?

I understand about them all hitting the server at the same time.  Makes sense to have the default as over 1 day.  The network here can handle it though.  I just want to force these test machines to upgrade now.

restarting symantec services should work ie, 

start

run

smc -stop

smc -start

I believe an algorithm is used to determine when teh machines get it if the schedule is set. You will need to either change it to 0 days or leave as is and wait.

Dang.  Lost my post.

We found it.  It's under client, install packages tab.  Right click on the correct machine, edit, and then change to over 0 days.  That did it on the test machines.

Yup, should be good to go on that then.

Slight concern....

We don't use the Symantec firewall.  I forget why exactly but we don't want to retweak everything on the servers, etc. 

SEP 12.1.14 installs show on the client button firewall status as 'not installed.'

With the test machines from yesterday I see SEP 12.1.2 firewall status is 'disabled.' 

It doesn't appear to be working, but there's a difference between not being installed and being installed and then disabled. 

Is that going to futz up anything?  Is there a way to just not install the SEP firewall like 12.1.14?

As long as you don't have a fw policy assigned, than it will not be activiated and you should be fine.

Ah.  Found a problem.

We made the standalone exe installer.  From the default I think.   Last time it must have been tweaked more.  That's installed on two machines.

The rest we did an auto upgrade on.  No problems there.  Firewall is 'not installed' in the SEPM.

The problem is that standalone installer.  Those are listed as 'disabled' for firewall in SEPM.  On the machine itself, both the SEPM and Windows 8 firewall are disabled.  We just wanted the Windows firewall going.  Being without a firewall at all is a problem.

Is there a way to restore the Windows 8 firewall on those machines?  I tried doing an autoupgrade on one of the Windows 8 machines.  That menu option went through to the end, set at '0 days' but I haven't seen any changes yet.

And how do you create a standalone exe package that does not include the SEP firewall and leaves the Windows firewall alone/on?

Did you restart Windows fw service?

Check this thread, may be a code issue:

https://www-secure.symantec.com/connect/forums/121-ru2-disabling-windows-firewall

Running auto upgrade for 12.1.2 on the Windows 8 machine didn't seem to do anything, although it let me through all the menus to set that up.

I made a new editted firewall poicy for the Windows 8 machine. The old firewall policy is not enabled. I left this not enabled but told it to restore the Windows firewall. No change. (which makes sense since it's not enabled...)

I'm trying the edited firewall policy on this Windows 8 machine as enabled now. It looks like that will enable both the SEP firewall (don't want) and the Windows firewall. Then I'll go back and disable this SEP firewall policy if this works.

So far so good.... I got kicked off remote desktop, probably from the SEP firewall.  On the machine itself, the Windows firewall is back on.

I disabled the SEPM firewall policy on that machine.  Just waiting now...

Appears successful.  Remote desktop works again.  SEPM firewall policy is disabled for that machine.  Windows firewall is back on on the that machine.  Strange to have to turn both firewalls back on like that but whatever....

How do I create a standalone exe installer package without the SEP firewall?  I wasn't the person who made that before.  We'll need a new one for new machines, or we can reuse the old one for 12.1.1 and do an autoupgrade.

I wish I could just see the software version in the client list too.  I have to right click, edit properties, and focus in on which version number it is.  The virus definitions are right there, but not the software version itself.  And I have to look through each machine in each folder.  I've got maybe twenty different folders and subfolders set up for our machines to control them with policies.  At least this doesn't happen often.  It could definitely be simplified though.

When you create a package under Client option, just uncheck the firewall option

Hello,

This Issue occurs due to either

- Upgrade schedule badly configured

OR

- DNS issues.

I would request you to perform the steps provided below:

- Access the install packages tab and remove the upgrade packages that has been added;

- Add the packages again;

- Set new period of time time for SEPM to provide the upgrade packages to the clients.

If the DNS error is shown in SylinkMonitor, try to add the SEPM's IP address and name into hosts file as workaround but also verify if the DNS server registries are correctly configured.

Reference Article:

Auto upgrade does not work when migrating from SEP 11.x to 12.1

http://www.symantec.com/docs/TECH172779

Similar Issue - 

https://www-secure.symantec.com/connect/forums/clients-11-wont-upgrade-121-automatic

Hope that helps!!!

how to make SEPM client install package?
http://www.symantec.com/business/support/index?page=content&id=TECH102215
http://www.symantec.com/connect/articles/how-do-i-create-and-configure-custom-symantec-endpoint-protection-installation-package-vers

Admin button, install packeage button
Highlight the updated package you want, that’s the base.
Click on export a client install package
*** then make sure it is the the right policy.  (Is this policy or feature set?    Feature set I think...)
You can include the policies too.  That will probably change depending on which folder it’s put in later anyway.  Ok to get it now, but it probably doesn’t matter.
Point it at your folder.
Have it make the exe.   If the exe box isn’t checked it will make more files, including an msi according to the web.  Still, not a huge deal – an msi might allow for silent install during a round of updates though.
That’s it.  Grab the exe and test it out.

In this case there was only one feature set for that set of machines, so there wasn't a big issue.  I am having an issue figuring out which features we included on some other groups of machines.  I'm stuck for updating them until we figure that out. 

https://www-secure.symantec.com/connect/forums/how-see-feature-settings-existing-install