Symantec Endpoint Protection (SEP) clients will not get a new auto-upgrade package from Symantec Endpoint Protection Manager (SEPM) if there is a pending reboot from a previous upgrade. Even after a reboot, the clients still do not get the new package from SEPM.
This problem happens on SEP clients which have started an upgrade, but have not yet restarted to complete the upgrade when the new installation package is assigned to their client group.
In this case, the Config.xml file, which the SEPM uses to notify SEP clients of a new installation package, is removed during the upgrade process of the previous upgrade. Since the SEP client registry contains a checksum of the most recent Config.xml from the SEPM, the SEP client will not re-download the Config.xml, and will not attempt to auto-upgrade again unless a change is made to the auto-upgrade package.
The Config.xml is normally located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config\Config.xml. The registry string value HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\ClientConfigFileChecksum will match the MD5 checksum of the Config.xml on the SEPM file system for the client group the client belongs to.
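The following PowerShell check is an added example, not part of the original article or a Symantec tool: it reports whether a client is in the state described above, with Config.xml missing while the registry still holds a checksum. The function name and state labels are hypothetical, and the hash comparison assumes the client's copy of Config.xml is byte-identical to the one on the SEPM.

```powershell
# Added diagnostic example. The file path, registry key and value name are the
# ones given in the article; everything else is illustrative.
$ConfigPath = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config\Config.xml'
$RegKey     = 'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
$ValueName  = 'ClientConfigFileChecksum'

function Get-SepConfigState {
    param(
        [string]$Path = $ConfigPath,
        [string]$Key  = $RegKey,
        [string]$Name = $ValueName
    )

    # Checksum of the most recent Config.xml the client received from the SEPM.
    $stored = $null
    $props  = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($props) { $stored = ([string]$props.$Name).Trim() }

    # Hash the local file only if it is still on disk.
    $fileExists = Test-Path -LiteralPath $Path -PathType Leaf
    $localMd5   = $null
    if ($fileExists) {
        $localMd5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    }

    # Hypothetical state labels:
    #   MissingConfigWithChecksum - file gone, checksum kept (condition in the article)
    #   Consistent                - local file hash equals the stored checksum
    #   Mismatch                  - file present but hash differs (assumption: the
    #                               client copy should equal the SEPM copy)
    #   NoStoredChecksum          - registry value absent or empty
    $state = if (-not $stored) { 'NoStoredChecksum' }
             elseif (-not $fileExists) { 'MissingConfigWithChecksum' }
             elseif ($localMd5 -ieq $stored) { 'Consistent' }
             else { 'Mismatch' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ConfigExists   = $fileExists
        LocalMd5       = $localMd5
        StoredChecksum = $stored
        State          = $state
    }
}

Get-SepConfigState | Format-List
```

Run it from an elevated prompt on the client; a result of `MissingConfigWithChecksum` that persists after the reboot has completed matches the condition this article describes.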
This problem is fixed in SEP 14 RU1. Read https://knowledge.broadcom.com/external/article/151364 for more information on obtaining the latest version of SEP.
Note: Upgrading the affected SEPM by itself will not resolve this problem on affected clients. To work around the problem on affected clients, perform one of the following: