Endpoint Protection

Hi Chetan,

I am upgrading from version 12.1.5 to 12.1.6. I have a container with a mix of 32bit and 64bit clients. I took a 64bit client out and put it in a test container and pushed out the 32bit version using the auto update feature. The 32bit version installed on the 64bit machine. Is there an issue with having 32bit software on 64bit machines? Also is there something else I needed to do to make sure that the 64bit machine rejected the 32bit package?

Thanks in advance!

I think as long as limited admin is able to assign packages to respective group it shouldn't be any issue. Let me know if faced any issue we can test in our labs. 

Is it necessary to have full admin rights in the SEPM required to initiate the auto-upgrade or can a Limited Administrator initiate the upgrade for groups that they have full access to?

Yes, You can use the Push Deployment Wizard as an alternative to the Client Deployment Wizard to deploy client software by pushing the client software to remote computers and automatically installing it.

Can refer this guide: http://www.symantec.com/docs/TECH183172

Can i upgrade clients using Client remote push tool ?

Yes, reboot is mandatory to complete the upgrade process.

SEP 12.1 employs a side-by-side, replace on reboot installation strategy. Side-by-side means that new files are written to a new folder, referred to as a silo, isolated from the existing operational folder. Because the two versions are separated from each other, during a migration the older software is left running unchanged until the next reboot.

The primary benefit of side-by-side installation and replace on reboot is that the system continues to be protected by the existing software until the new version is in operation after the reboot.

With all components enabled, it will complain about a reboot, yes. If AV only, you should not need one.

We're looking to update clients from 12.1.4 to 12.1.6. Does this necessitate a reboot on the client? Thanks!

Hi Dan,

Reboot is mandatory to comlete client upgrade. Once the reboot is completed you should get the expected result.

If still faced any issue let me know.

This is an awesome discussion!  Thank so much for this - being able to upgrade clients in a specific group has saved me a lot of anguish!

We have some older clients, specificially using 12.1.1101.401 and 12.1.3001.165, and 12.1.4013.4013.  There are even a few devices left over using 12.1.671.4971 and I thought this would be the perfect way to update them all.  We're still behind a bit, using 12.1.4100.4126, but the most recent version will be installed in the later future.

I have a question though - even though the Policy is set to update the client immediately with no reboot as soon as the client is moved into the group/OU, some of the clients don't get updated.  They sit in there for days.  How can I force the update?

Thanks!

Dan

Thanks for the update!
 

Right & I also belive you won't face any issue later on. However, you can push out communication update package on GUP machines only to reset their sylink file as per SEPM.

Hello, 

I guess you talking about C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config\sylink.xml , right? 

So, updated xml.file hasn't got object location. I checked sylink.xml file on not yet upgraded machine and it seems identical (no object location). But all working good - upgraded client recieved proper policy, connection with SEPM is established and definitions are downloaded.

If by doing this clients are reporting in the correct group, i don't see any issue doing that.

Does Sylink.xml file get updated automatically with correct location?

Hello,

We are not using autoupgrade, because we have our own way to deploying packages for standard machine so it is not needed. We just need upgrade manualy servers (which are mixed in lot of different groups, with different policies). 

I did not select any of group (leave it unchecked)  because we have more than 100 groups so in this case i should generate 100 packages for each group. 

What I've done is generating one package, uncheck "export packages with policies from the following groups" and removed from sylink.xml  this line: <RegisterClient PreferredGroup="My Company\Default Group" PreferredMode="1"/> . It works ok, I mean the latest agent is installed (12.1.6) and previous client location is detected (so policies are still valid for machine). 

I just want to confirm, if this can be used in this way.

While generating package manually did you select correct group where GUP is residing?

Best option could be auto upgrade.

Hello all,

Let me join to conversation. I would like to ask you something. We are preparing to upgrade clients (first GUPs then Servers and standard machines at the end). All GUPs in our environment need to be upgraded manually - using generated packages. I want to ask about contents of the new sylink.xml file. After generating package in sylink.xml is always line:
<RegisterClient PreferredGroup="My Company\Default Group" PreferredMode="1"/>

Is this line needed? We would like to only upgrade agent not change or manage location of client.

It is permitted to remove this line from sylink.xml and upgrade agent? 

best regards

Okay, interested to konw. Keep us posted.

I don't think you would be able to add 2 different language packages to one group, have you tried that?

Best bet could be, divide then in different groups as per language & assign respective packages.

Q. we have 32bit and 64bit client in one group, add 2 packages to one group under the tab of "Install Packages"?

--> Yes, can assign both 32 bit & 64 bit client packages to one group. SEPM is self sufficient to assign correct packages. SEPM will will provide 32 bit package for 32 bit client OS &  64 bit package to 64 bit OS.

Hello,

I had a litle problem with this automatic upgrade procedure:

1. Made an unattended client installation package from SEPM and assigned it to a group

2. Copied the client installation package to a remote http server from my network with link from upgrade settings pointing to that.

3. Client version package was 12.1.4013.4013 

4. Some clients went into an upgrade loop, even if they had installed this version and all was working fine, after some time, they redownloaded the package from the http server and tried to install, it's been doing this for a while now with 50TB traffic being generated on the network...can't find a cause for this. For now, I deleted the client installation package from the group so the clients wont try to upgrade again...

Any ideas on why it does this?

For those asking some questions, we have done this and it worked perfectly but there are some things to remember:

1) In the scheduling part, regardless if you check the box or not, the number of days is still important.  If you want it done fast (maybe TOO fast), set the number of days at zero.  I would not do this if you have concerns about bandwidth.

2) There is still the matter of seeing when the workstation checks in to receive the update.

3) Going from 12.1.3 to 12.1.4 require TWO (2) reboots.  One was just after the install and the other was to do some NTP change.

4) If there is not enough disk storage on the client, this won't work.  I don't think it removes the old client and then does the install.  I think it installs over the top.

5) Drive letters: if something other than C: (system drive) then there may be an issue where you need to adjust the install drive.  Something to check. Button for Upgrade settings

6) In some cases, I had to do a push install due to the different drive letters involved.  There will always be a few exceptions to anything.  SEP-INST.LOG should help but this will do the bulk of it.  This may be found under the button "Upgrade Settings"

7) DO NOT trust the end users to do the install.  I keep it quiet and hush-hush.  I keep them in the dark.  None of my users will do anything when notified except click cancel or hit the escape key.

Thanks for the fast reply Chetan...

After upgrade, the package is forced to reboot the client.

About the transfer, so it works by:

SEPM --> Client tcp/139, 445, MS Share...

Hi,

For push deployement it uses TCP 139 and 445 port.

Client will store the downloaded package (delta or full.zip) to %SEPInstallPath%\download first (e.g. c:\program files\symantec\symantec endpoint protection\download), then generate the new install package to %SEPInstallPath%\SmcLu (for 11.x. e.g. c:\program files\symantec\symantec endpoint protection\SmcLu). or %SEPInstallPath%\{VERSION.EN_US}.105\Bin(Bin64)\SmcLu (for 12.1.)

SEP 12.1 employs a side-by-side, replace on reboot installation strategy. Side-by-side means that new files are written to a new folder, referred to as a silo, isolated from the existing operational folder. Because the two versions are separated from each other, during a migration the older software is left running unchanged until the next reboot.

The primary benefit of side-by-side installation and replace on reboot is that the system continues to be protected by the existing software until the new version is in operation after the reboot.

This technique enables you to change the normal portion of the installation path during a migration, when applicable. 

Make sure clients are configured to reboot after successful upgrade.

Hello, Nice article, congratz...

I have some doubts about it.

Is port tcp/8014 used for this feature? So, the package setup.exe is sent to the client by tcp/8014?

Where the setup.exe stays in the client? (What folder, path)

is there any easy way to check if the client is upgrading?

I created a group with SEP 11 machines, and create 2 packages, 32 and 64 bits to deploy.

I fell it so slow to happen... I really think that nothing is happening, for real.

My manager is 12.1.4 and clients and manager are in the same subnet. (Lan)

Thanks,

Diego

If password is configured via SEPM then it will ask only for the password only to open SEP GUI. It won't ask for both i.e. username and password.

That could be the policy that is enforced to avoid user to disable the AV.

Yip, UAC prompt asking for admin username\password when opening SEP 12.1.2 GUI.

Hi,

Asking for username & password while opeing SEP GUI?

I'm not sure how long I left it, but rebooted anyway, then saw the SEP upgrade notification and I let it install then reboot. I've just connected to my PC from home and can tell it has rebooted again, so I assume the SNAC upgrade has run and then rebooted. When I double click SEP icon I get UAC prompt (SEP 11 didn't do this, is this normal for 12?), I put in admin creds but SEP 12 window never opens. I'll do some research on that in the morning.

Thanks for you help, learning more about SEP every day.

@GarethNZ

Q. Communication settings were set to download Pull Mode, Heartbeat 2 hours, Download Randomization 1 hr, I changed to Push, 5 minutes and off. Should that mean it upgrades SEP client faster?
-->  Yes, It should upgrade  SEP client faster.

Have you seen any difference after doing these changes?

GarethNZ, no you don't need to.

the Check box means that the upgrade or the installation will be randomly pushed at the specified time window, no check box means immediately push the install.

Hi John, I left Upgrade Schedule unticked, do I need to tick it? I got the notification after I rebooted my PC, I shouldn't need to reboot to trigger it right? Thanks.

Hi Gareth,

in the Install Packages tab, for each upgrade package, Have you set the "Upgrade Schedule" time frame ?

Hi, today I've pointed some of our SEP 11 clients to new server running SEPM 12.1.2, I added an install package for SEP 12.1.2 and SNAC 12.1.2, and set it to notify the user. I configured this a few hours ago, but I have no seen any notification yet, is there a way to force it? I don't want to do a remote push, I want to test that SEP will update itself and I want to see the notification and then the prompt for a reboot. I restarted the Symantec Endpoint Protection Manager service as suggest above by MrLateeBrown (I think that was the right service), but that didn't help, and all clients went offline, they are slowly coming back online.

Communication settings were set to download Pull Mode, Heartbeat 2 hours, Download Randomization 1 hr, I changed to Push, 5 minutes and off. Should that mean it upgrades SEP client faster?
I created a new Client Install Settings and set the log to C:\ProgramData\Symantec\Symantec Endpoint Protection\Logs\SEP_INST.LOG, I wasn't sure where %temp% was for the installer service? There is no log file there on my test PC.
Thanks

Cool, that does make sense.

Thank you Chetan for your clarification.

Hi,

In this article http://www.symantec.com/docs/HOWTO81106  it's mentioned that these settings are supported on Microsoft Windows 8.

I believe for Windows XP and Windows 7 this feature is not available.

Hi Chetan,

Does that ELAM features works only on Win 8 automatically ?

How about Windows XP and Windows 7 client does the EALM features not working at all ?

Hi,

No as such, only check the scan settings means when they are configured to trigger.

In SEP 12.1 RU2 we have a new feature i.e. ELAM.

Early Launch Anti-Malware Driver:

Early launch anti-malware (ELAM) protects client computers from threats that load at startup. Symantec Endpoint Protection includes an early launch anti-malware driver that works with the Microsoft early launch anti-malware driver to provide the protection. The settings are supported on Microsoft Windows 8.

The early launch anti-malware driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the Symantec Endpoint Protection driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Symantec Endpoint Protection driver then passes the information to Windows to decide to allow or block the detected driver.The Symantec Endpoint Protection settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. By default, Windows allows unknown drivers to load. You might want to select the override option if you get any false positive detections that block an important driver. If you block an important driver, you might prevent client computers from starting up.

The Windows early launch anti-malware driver must be enabled for the Symantec Endpoint Protection settings to take effect. You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows 8 documentation for more information.

Path: SEPM --> Virus & Spyware Protection --> Edit assigned Policy --> Protection Technology --> Early Launch Anti-Malware Driver

Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options

http://www.symantec.com/docs/HOWTO81106

Thanks Chetan!

Did u see any impact after boot?

Regards,

Ilano Albuquerque

Hi,

The installation/upgrade process is made before the boot however reboot is mandatory to complete the upgrade process 100%.

If upgrading from SEP 11.x to SEP 12.1 then upgrade completes after the reboot. Because it's side by side upgrade.

Hey guys,

The installation/upgrade process is made before the boot?

Hi Chetan,

Thank you very much for your feedback.

I did various tests and it's confirmed. Mostly requires a reboot if there are some features to add compared to the current existing install on the client, otherwise if some features need to be removed no reboot required by the product so it's a sort of delta which is retrieved so you're absolutely right

Thanks again.

Kind Regards,

A. Wesker

Thanks Chetan !

Hi,

Q. If suddenly you would like to remove a feature from these clients, so you create a custom package without the features you won't and you assign this custom package to the OU/Group.

SEP packages are on same version, you uncheck the option "Maintain existing client features when updating".

What will be the results ?

Clients will download the full package and then remove the feature not wanted ?

--> No, I believe it should be delta updates only however reboot would required to show desired results.

Hi Chetan,

Really nice article.

I have a doubt about something related to Auto-Upgrade.

Let's say for example you already have Full Protection installed on your clients.

If suddenly you would like to remove a feature from these clients, so you create a custom package without the features you won't and you assign this custom package to the OU/Group.

SEP packages are on same version, you uncheck the option "Maintain existing client features when updating".

What will be the results ?

Clients will download the full package and then remove the feature not wanted ?

Or

SEP features that you won't have anymore on the custom package will be uninstalled on Client side without downloading again an heavy SEP Install package ?

Reason: For some specific environment like 1k+ machine with WAN, it would be a pain that SEP clients get all the package and not interacting just with the differences between what is currently installed and what features are present on the custom package assigned to the OU/Group.

I'm currently doing the test cause I have a doubt about that but if you know the answer, it would be great ;-)

Kind regards,

A. Wesker

Hi,

While doing an upgrade from SEP 11.x to SEP 12.1, clients will receive full package because it's a complete new install. Reboot is mandatory while doing an upgrade from SEP 11.x to SEP 12.1

While doing an upgrade from SEP 12.1 RU1 to SEP 12.1 RU1 MP1 it would be delta updates.

Hi Leandro,

AFAIK upgrading SEP v 11 into v12 will cause reboot which means that it is a completely new upgrade for the drivers and other binaries.

Helo all,

I'd like to know if upgrading clients from SEP11 to SEP12 version by using AutoUpgrade, the SEPM will generate a content delta? Our the clients will receive full package?

Thanks!!

Chetan, thanks for the clarification, now I can sleep peacefully over the weekend since the MP1 upgrade is should be seamless for all Workstations and Servers :-)

Assuming I have created the install package and then assign them into the each groups, it will then be applied / upgraded based on the version within the deployment time window defined.

Hi,

Reboot is not mandatory while doing an upgrade from SEP 12.1 RU1 to SEP 12.1 RU1 MP1.

To stay in the safe side, always cofigure the installation settings with "no restart".

Creating custom client installation packages in the Symantec Endpoint Protection Manager console version 12.1

http://www.symantec.com/docs/TECH165801

How to create a new custom 'Client Install Settings' template with SEP 12.1
http://www.symantec.com/docs/TECH164754

Helo all,

Does upgrading the client from SEP 12.1 RU1 into SEP 12.1 RU1 MP1 requires any reboot ?

yes man, you are right !

Thanks for this simple advice :-)

Yes to restarting the SEPM Service. 

It seemed after I ran the steps above my reply on the SEPM Server, the Auto upgrade feature started working.

Do you mean restarting the SEPM server service ?

nice docs...

I waited for several hours, tried implementing a scheduled time to try to force the install, looked at several articles on 'Upgrade Clients with Package' and restarted the SEPM a couple of times, but it took 'restarting symantec service' the step recommended above to get it to work for me, Thank you Chetan Savade!

You can try to collect Sylink monitor logs from affected machines.

Also try by restarting symantec service on clients machine & check.

To restart service go to

Start --> Run --> smc -stop

Start --> Run --> smc -start 

Are there any logs on the client that can troubleshoot this?

I have a number of clients that do not seem to get notification of an update (or are being ignored by the users).

(SEPM 12.1 RU1, clients on Windows XPSP3, SEP versions 11.0.6x)