Critical checklist of what you need to know before starting any SEPM upgrade
Note: Save any files, backups, and configurations indicated below to a separate location outside of the Symantec Endpoint Protection Manager folder.
- Read and practice (in a non-production environment)
Disaster Recovery Best Practices for Endpoint Protection
- Disable “Secure Client Communications” (do this 1 week prior to the upgrade so as many clients as possible get the change)
- SQL “sa”administrator password
- SEPM Sem5 database password
- What version is the SQL server?
- Check SEPM upgrade system requirements at the link below:
Release notes, new fixes, and system requirements for all versions of Endpoint Protection
- What version of SQL client tools is installed on the SEPM? Preferably the SQL Client Tools version should match the installed SQL Server version (check Programs & Features for version information)
- Make a copy of the SEPM current conf.properties file prior to starting.
The file is located in \Program Files (x86) \Symantec\Symantec Endpoint Protection Manager\tomcat\etc
- Screenshots of Site Properties – (check all tabs- make sure you don’t lose configuration data)
- Screenshot External logging configuration- what selections are made for filtering? (if in use)
- Backup of the database within 24 hours prior to upgrade.
- Run the Dbvalidator to verify database integrity before and after every SEPM upgrade.
The DBvalidator.bat file is located here:
\Program Files (x86) \Symantec\Symantec Endpoint Protection Manager\Tools
- Record the site name and the SEPM server names along with IP addresses
- Backup of Server Certificate for each SEPM- Save to a different location than the current SEPM folder.
- Copy the latest Recovery .zip to the location you used above to save information
- Do not upgrade subsequent SEPM servers until you verify the upgrade was successful, all your policies are present, and clients are checking in
- Drive space on C: drive where the upgrade process will take place will need an estimated 2.5 times the space used by the database to perform the schema update.
- Make sure the SQL sem5 database tables are set to auto growth sizes (ask your SQL Admin)
- Replication cannot run during an upgrade. Extend the replication scheduling so it cannot start during the upgrade or break it completely.
The amount of content and logs is what takes the most time in an upgrade. It can also cause the most issues during an upgrade.
See the document below for instructions:
Managing log data in the Symantec Endpoint Protection Manager (SEPM)
You can purge older logs by reducing the number in your retention settings. The SEPM will purge the older logs over the next few days prior to the upgrade. Once the upgrade is complete you can reset the retention configuration back to the original settings. Once logs are purged from the SEPM they cannot be recovered.
Note: You should check your company policies on log retention requirements before reducing the number of logs.
Note: (Any change to content revision levels take time to purge. Allow a minimum of a week for purging)
You can reduce the number of content revisions prior to an upgrade to speed the process up. Do not lower the number of revisions to less than 10 or the reduction may trigger full update downloads from the clients that check in to that site. The SEPM will purge the older revisions from the database and SEPM content folders over the course of a few days.