Endpoint Protection

Can anyone share their experience with the SEP client-only patches to upgrade a client from an older version of SEP to a more current version?  Is there any downside to doing this, say to go from SEP 14 MP2 to SEP 14 RU1 MP1?  We've got a few unmanaged clients we're trying to easily update.

Hi Wally,

Although mentioned by Symantec articles for each version of client-only patches that this is only recommended for single clients, we have had great success using the Client-only patches to push upgrades through SCCM, for example.  There are advantages and disadvantages to note, based on our experience:

• You need to know the exact version of the SEP client currently on the system, so if you are upgrading from multiple starting versions, you need to make sure you are providing the correct MSI for each one.
• Doing this manually, there is no GUI that I recall, so either monitor the MSIEXEC process or the SEP_INST.LOG file (I believe) for the progress of the upgrade.
• It only upgrades the components that were already installed in the SEP client, so you don't have to "know" which components were installed and build a matching install package.  Although you can accomplish this through the SEP Manager, "Install Packages" tab, the options for staging and scheduling are limited, compared to third-party products (and not helpful for unmanaged clients).
• A corrupted/damaged install may receive the upgrade, but the issue behind the corruption/damage may not be resolved, whereas deploying the full product might (of course, CleanWIpe is always an option if necessary).
• If these are unmanaged, you may not want to provide a full install package, since it has a potential of being abused and installed on additional systems without your knowledge.  Providing the Client-only patch MSI would allow only the current installs to be upgraded, since the MSI is otherwise useless on a system without SEP.

Those are some key items I can think of.  Hope those help.

Thanks for your comments - all are noted.   We've only got a few unmanaged  clients to update and they are all at the same exact version.  This looks like a simple way to get them to where they need to be.

Lastly,  you are correct in that there is no GUI for the patch file install, even though the Symantec article(s) for each version of the client-only patches mentions to "follow the instructions that appear on the screen.".  Once you execute the MSI file it's installing right then with no prompting.   Likewise, there is no indication when the install finishes.  For us it was a quick process, less than a minute for the install to complete.   The install results are in SEP_INST_PATCH.txt.   At the bottom of SEP_INST_PATCH.txt are the results of the installation - in our case "Installation operation completed successfully" along with product version and some other helpful information.

A reboot is required after installing the patch file.   No notification is given, unless you open the client's GUI and see on the Status page that a reboot is required.

This is a simple and quick way to upgrade a client with the noted caveats.