Patch control in SEP 14.3 RU2


Article ID: 222695


Updated On:


Endpoint Protection


With patching now coming down from LiveUpdate, what options do Symantec Endpoint Protection Manager (SEPM) administrators have for controlling the rollout of these patches to the endpoints?


Starting with SEP 14.3 RU2, critical patches and security fixes are delivered automatically to clients via LiveUpdate to reduce the administrative burden of managing agent updates. These patches include critical fixes only.


With Symantec Endpoint Protection Manager (SEPM) 14.3 RU2 administrators can decide and configure if you want your SEPMs to download client patches in the first place. If you do decide to download the client patches, then you can also control how a client will receive the patches.  The following options will allow a SEPM administrator to control the flow of patches, starting with the SEPM.

  • Configure the SEPM(s) to download client patches.
    • From your SEPM console go to;
      • Admin>Server>Local Site>Edit Site Properties>LiveUpdate Tab>Content Types to Download
      • Here administrators can select (or deselect) the Client Patches for download from LiveUpdate.
        • By Default, Client Patches are selected for download.
    • Once the SEPM has downloaded a client patch administrators can view the version of the patch in the "Show LiveUpdate Downloads" window.
      • Admin>Server>Local Site>Show LiveUpdate Downloads
    • Also after the SEPM has downloaded a Client Patch, it will automatically create a Client Install Package that includes the patch and also reflects the patch version as well as the date it was added.
      • Administrators can view the packages via Admin>Server>Install Packages>Client Install Package


Once the SEPM has downloaded client patches administrators can configure how the clients receive the patch. There are 2 methods;


  • Configure LiveUpdate policies to allow or deny a group of clients from downloading the patches from the management server.
    • From your SEPM console go to;
      • Policies>LiveUpdate
        • Modify or create a new LiveUpdate policy
        • In the LiveUpdate Policy window go to;
          • Windows Settings>Advanced Settings>Client Patch Settings
          • Here administrators can check the box to enable clients using this policy to download patches from the SEPM.
          • By default this option is not selected.
          • Be aware that when a client applies a patch it will require a reboot.
  • Configure a group to receive patches via an Install package.
    • As mentioned previously in this article, the SEPM will automatically create an install package once it has downloaded a Client Patch. This Install package can be used to apply the latest patch to your clients either via exporting a package or by applying the package to a group for AutoUpgrade.
      • Restart is required upon applying the install package.
    • This method is better suited to those clients who require a scheduled maintenance window for a reboot, such as high availability server and the like.

With the above configurations at the disposal of administrators there can be absolute control of the distribution of Client Patches in order to address any concerns with network/bandwidth consumption, undesired reboots, quality assurance, and etc.