Best practices for upgrading to the latest version of Endpoint Protection 12.1

Article: TECH163700  |  Created: 2011-06-30  |  Updated: 2014-11-20
Article Type: Technical Solution



This article provides best practices for upgrading to the latest version of Symantec Endpoint Protection (SEP) 12.1.x. The latest version is 12.1.5 (12.1 RU5).


The following resources will help to plan and perform an optimal upgrade from previous versions of Symantec Endpoint Protection (SEP) to the current version, while following the recommended best practices and being aware of any potential issues and risks.


Benefits of upgrading to the latest version of 12.1.x


Added security over Symantec Endpoint Protection 11.0.x

Symantec Endpoint Protection 12.1.x provides improved security over Symantec Endpoint Protection 11.0.x, including the following enhanced features:

  • Enhanced client IPS; Mac IPS included as of Symantec Endpoint Protection 12.1.4

  • Added Browser IPS

  • Tamper Protection protects against registry, file system and process tampering

  • SONAR realtime behavioral analysis engine protects against new and emerging threats

  • Insight reputation lookup technology

  • Application and Device Control protects more platforms

Increased performance

Insight technology reduces scan overhead on the endpoint by as much as 70% from SEP 11.

Virtualization improvements

Symantec Endpoint Protection includes the following virtualization improvements for the enterprise version:

  • A VMware vShield-enabled Shared Insight Cache. Delivered in a Security Virtual Appliance, the vShield-enabled Shared Insight Cache can be deployed into a VMware infrastructure on each host. The vShield-enabled Shared Insight Cache makes file scanning more efficient. The Security Virtual Appliance and client status can be monitored in Symantec Endpoint Protection Manager.

  • For managing Guest Virtual Machines (GVMs) in non-persistent virtual desktop infrastructures:

    • Symantec Endpoint Protection Manager includes an option to configure the aging period for offline non-persistent GVMs. Symantec Endpoint Protection Manager removes the non-persistent GVM clients that have been offline longer than the specified time period.

    • Symantec Endpoint Protection clients now have a configuration setting to indicate that they are non-persistent GVMs. Offline non-persistent GVMs can be filtered in the Clients tab view in Symantec Endpoint Protection Manager.

Additional platform support

  • Operating system support
    Symantec Endpoint Protection Manager (SEPM) 12.1.5 can be installed on Windows 8.1 Update 2 and Windows Server 2012 R2 Update 2. The SEP 12.1.5 client can be installed on Windows 8.1 Update 2 and Windows Server 2012 R2 Update 2, and support is added for Mac OS X 10.10.

    Symantec Endpoint Protection now supports a variety of Linux distributions for the client installation. The Linux client can be managed by Symantec Endpoint Protection Manager. For a list of system requirements, see System requirements for the Symantec Endpoint Protection client for Linux. For a list of supported kernels, see Supported Linux kernels for Symantec Endpoint Protection.

  • Browser support
    Symantec Endpoint Protection Manager now supports Microsoft Internet Explorer 10.2 and 11, Mozilla Firefox through 31.0, and Google Chrome through 37.0.2062.94.



Important information for the latest version


System requirements and release notes

Please review carefully prior to upgrading:

Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access

Supported and unsupported upgrade paths

Ensure that the currently installed version can be upgraded to the new version.

  • Any version of Symantec Endpoint Protection 11.0.x, 12.0.x, or 12.1.x can be upgraded to the latest 12.1.x enterprise version.

  • Enterprise versions of SEP 11.0.x or 12.1.x cannot be upgraded to the Small Business Edition of 12.1.x.

See: Supported and unsupported upgrade paths to Symantec Endpoint Protection 12.1.x.

Important upgrade information

The upgrade to 12.1.5 may take much longer than you expect. The upgrade process to 12.1.5 converts all existing content to the optimized storage format. LiveUpdate also runs to obtain the most current content revisions. These resource-intensive processes may cause the upgrade to 12.1.5 to take significantly longer than previous upgrades. The extended length of time that the upgrade process requires is normal and to be expected. Do not cancel or interrupt the installation. 

See: The LiveUpdate content optimization and content storage space optimization steps take a long time to complete when upgrading to Symantec Endpoint Protection Manager 12.1 RU5



Things to know before getting started


Before the upgrade, use the Symantec Help diagnostic tool to determine whether the computers meet minimum system requirements.

Consider the following product-specific suggestions and recommendations, and make sure routine maintenance has been done on the computers to be upgraded. Maintenance may include disk error checks, defragmentation of the hard drive, or other routine health checks. Here are the recommended methods for uninstalling the Symantec Endpoint Protection client.

Insufficient disk space

Ensure that there is enough disk space to perform the upgrade. For a successful SEPM upgrade, free space should be at least three times the size of the database. Consult system requirements for the free space required to install the SEP client.

Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1 (enterprise version)
Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1 (Small Business Edition)
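
One way to check the three-times rule before starting the SEPM upgrade, as an added example that is not Symantec's own tooling. It assumes the database files sit on a local volume and that free space is measured on that same volume; the function name `Test-SepmUpgradeDiskSpace` and the path in the usage line are hypothetical placeholders.

```powershell
# Added example: pre-upgrade check for "free space >= 3 x database size".
# Assumption: the database lives on a local drive and free space is measured
# on the volume that holds it. UNC paths are not handled.
function Test-SepmUpgradeDiskSpace {
    [CmdletBinding()]
    param(
        # Database file, or the folder that holds the database files.
        [Parameter(Mandatory = $true)][string]$DatabasePath,
        # Multiplier from the guidance above (three times the database size).
        [ValidateRange(1, 100)][int]$Multiplier = 3
    )

    $item = Get-Item -LiteralPath $DatabasePath -ErrorAction Stop

    # Sum every file when a folder is given, otherwise use the single file.
    if ($item.PSIsContainer) {
        $dbBytes = (Get-ChildItem -LiteralPath $item.FullName -File -Recurse |
            Measure-Object -Property Length -Sum).Sum
    } else {
        $dbBytes = $item.Length
    }
    if (-not $dbBytes) {
        throw "No database files found at '$DatabasePath'."
    }

    # Free space available to the current user on the hosting volume.
    $root  = [System.IO.Path]::GetPathRoot($item.FullName)
    $drive = New-Object System.IO.DriveInfo($root)
    $required = $dbBytes * $Multiplier

    [pscustomobject]@{
        Volume       = $root
        DatabaseGB   = [math]::Round($dbBytes / 1GB, 2)
        RequiredGB   = [math]::Round($required / 1GB, 2)
        FreeGB       = [math]::Round($drive.AvailableFreeSpace / 1GB, 2)
        ShortfallGB  = [math]::Round([math]::Max(0, $required - $drive.AvailableFreeSpace) / 1GB, 2)
        MeetsMinimum = ($drive.AvailableFreeSpace -ge $required)
    }
}

# Usage (placeholder path, replace with the actual database location):
# Test-SepmUpgradeDiskSpace -DatabasePath 'D:\<path-to-SEPM-database-folder>'
```

Stop and free up space when `MeetsMinimum` is false; `ShortfallGB` shows how much more is needed.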

Proxy servers

Ensure the proper exclusions have been made to any peripheral firewall or proxy to ensure successful communication with all Symantec servers.

Required exclusions for proxy servers to allow Symantec Endpoint Protection to connect to Symantec reputation and licensing servers
Excluding a trusted Web domain from scans

Scanning exclusions

Additional scanning exclusions may need to be created before deploying the client upgrade. 

What scan exclusions should be applied to all Windows clustered server nodes?
About the automatic exclusion of files and folders for Microsoft Exchange server and Symantec products
Best practices for virtualization
Excluding known risks from virus and spyware scans

Administering 11.x clients

A Symantec Endpoint Protection Manager (SEPM) at version 12.1 can successfully deploy, administer, and update SEP 11.x clients. A common reason to maintain SEP 11.x clients in a SEP 12.1 environment is that some computers run Windows 2000 or Mac OS X 10.4. These legacy operating systems are not supported on any installation of SEP 12.1.

It is recommended that all clients that can be upgraded be upgraded, to take advantage of the newest protection technologies available in the latest version(s) of Symantec Endpoint Protection, such as Browser Intrusion Prevention, SONAR, Insight Lookup, SymProtect, Install on Reboot, Shared Insight, 64-bit Application and Device Control, and much more.

Steps to upgrade

For general information on upgrading to Symantec Endpoint Protection 12.1.x, see:

Upgrading to a new release of Symantec Endpoint Protection

For information on upgrading to specific versions of the 12.1.x product line, see:



Best Practices


As a best practice, always back up the Symantec Endpoint Protection Manager database prior to an upgrade.


In the enterprise version, use Upgrade Clients with Package to upgrade existing clients: 

Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection (enterprise version)
Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection Small Business Edition

However, the following cautions apply:

  • If you are upgrading from 11.x and use Application and Device Control, disable the Application Control rule "Protect client files and registry keys." After the clients receive the new policy, AutoUpgrade can be used.

  • Due to possible bandwidth concerns, it is best to schedule AutoUpgrade for after hours. Packages can be staged and selected on a web server by running Upgrade Clients with Package. There are alternate methods to deploy the upgrade package as well.

AutoUpgrade is enabled by default for SEP SBE, but it can be disabled. Go to the Computers page in the management console, right-click your Group, select Properties, and click Disable Automatic Client Package Updates.

Fresh install of SEPM 12.1

To start fresh with a new install of the SEPM 12.1.x on a new server, for example, use the Communication Update Package to connect existing clients, both 11.x and 12.1.x, to the new SEPM. The Communication Update Package can be deployed in the same way as clients: Home > Common Tasks > Install protection client to computers. After they are connected, the SEP client can be installed using AutoUpgrade.

To connect existing clients to a new SEPM without sending a full installation package, see:


The Symantec Endpoint Protection clients can be used to protect virtual instances of the supported operating systems. Symantec Endpoint Protection Manager can be installed and managed on virtual instances of the supported operating systems.

The enterprise version includes additional management options for virtual clients, such as Shared Insight Cache and a separate configuration option for purging offline non-persistent GVMs.

See: Best practices for virtualization in Symantec Endpoint Protection 12.1 RU2

Disaster Recovery preparation

Prior to beginning the upgrade, ensure that the current Symantec Endpoint Protection Manager (SEPM) installation has been backed up using disaster recovery preparation techniques. That way, if the upgrade fails, the SEPM can be restored to functionality more quickly.

The disaster recovery process is slightly different for 11.x and 12.1.x, so be sure to use the correct document for the version in use. Because of database schema and other changes, recovering an installation after a failure requires reinstalling the exact version that was previously in use.

Symantec Endpoint Protection 11.x: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager





Q: Where do I get the current version of Symantec Endpoint Protection?

A: Use your serial number to download it from FileConnect. To get the serial number, which begins with an M, with licensing information.

Obtaining the latest version of Symantec Endpoint Protection or Symantec Network Access Control
Understanding the Downloads of Symantec Endpoint Protection (SEP) 12.1 available on Symantec FileConnect website

If you cannot find the serial number, contact Customer Support Assistance at the regional number on the following web page:

Q: How do I upgrade or activate my license?

A: The process is the same for all licenses received with SEP 12.1.x. For a walkthrough, read the document Activating a new or renewed Symantec Endpoint Protection 12.1 product license.

To view the video walkthrough:

  1. Go to
  2. On the linked page, click Symantec Endpoint Protection 12.1.
  3. On the expanded list, click Symantec Endpoint Protection 12.1: How to Activate the License.

Q: What are the upgrade methods? When should each method be used?

A: There are many methods available to upgrade clients. First, read: Preparing for client installation. Second, decide which method is most appropriate for the situation. Every situation is different, so Symantec provides many different methods for accomplishing this goal:

  • AutoUpgrade: Assign client packages (Windows only) to groups in the manager console, either manually or by using the Upgrade Clients with Package wizard.
    For the Small Business Edition, automatic upgrade is enabled by default. To disable it, go to the Computers page in the management console, right-click Group, click Properties, and then check Disable Automatic Client Package Updates.
  • Permit product updates in LiveUpdate Settings policy for a client group in the manager console (enterprise version only).
  • Local installation from product disc or installation media.
  • Run the Client Deployment Wizard from the manager console. It walks you through the creation of a client package that you can then deploy through a web link and email, deploy by remote push, or save for later local installation. In the enterprise version, you also have the option to deploy using third-party tools.

Q: What's the recommended migration order? What do I migrate first in my environment?

A: The recommended order is to upgrade all Symantec Endpoint Protection Managers, Group Update Providers (enterprise version only), and then the remaining clients as needed.

Q: How do I upgrade from Symantec AntiVirus 10.x?

A: Migration from Symantec AntiVirus 10.x is no longer supported as of 12.1.5. For complete instructions for earlier versions, see: Migrating from Symantec AntiVirus or Symantec Client Security to Symantec Endpoint Protection 12.1 or later.

Q: What's new in the latest version? How do old features map to new features? 

A: The newest features and information are described in the documents below:

Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access
Feature mapping between 11.x and 12.1 clients

Q: Can I continue to manage Windows 2000 and Symantec Endpoint Protection 11.x clients?

A: Yes. See Administering 11.x clients above for more information.

Q: How can I generate a list of SEP versions installed in my environment?

A: Generate this list using Reports.

See: Generating a list of the Symantec Endpoint Protection versions installed on the clients and servers in your network

