Upgrade best practices for Endpoint Protection 12.1.x


Article ID: 154565


Updated On:


Endpoint Protection


This article provides best practices for upgrading to the latest version of Symantec Endpoint Protection (SEP) 12.1.x.

For more information on upgrading to version 14, see Upgrade best practices for Endpoint Protection 14.


The following resources will help to plan and perform an optimal upgrade from previous versions of Symantec Endpoint Protection (SEP) to the current version, while following the recommended best practices and being aware of any potential issues and risks.


Benefits of upgrading to the latest version of 12.1.x

Added security over Symantec Endpoint Protection 11.0.x

Symantec Endpoint Protection 12.1.x provides improved security over Symantec Endpoint Protection 11.x, including the following enhanced features:

  • Enhanced client IPS; Mac IPS included as of Symantec Endpoint Protection 12.1.4
  • Added Browser IPS
  • Tamper Protection protects against registry, file system and process tampering
  • SONAR real-time behavioral analysis engine protects against new and emerging threats
  • Insight reputation lookup technology
  • Application and Device Control protects more platforms

To upgrade from Symantec Endpoint Protection 11.x, follow the instructions listed in the document linked under Steps to Upgrade.

Increased performance

Insight technology reduces scan overhead on the endpoint by as much as 70% from Symantec Endpoint Protection 11.

Virtualization improvements

Symantec Endpoint Protection includes the following virtualization improvements for the enterprise version:

  • A VMware vShield-enabled Shared Insight Cache. Delivered in a Security Virtual Appliance, the vShield-enabled Shared Insight Cache can be deployed into a VMware infrastructure on each host. The vShield-enabled Shared Insight Cache makes file scanning more efficient. The Security Virtual Appliance and client status can be monitored in Symantec Endpoint Protection Manager.
  • For managing Guest Virtual Machines (GVMs) in non-persistent virtual desktop infrastructures:
    • Symantec Endpoint Protection Manager includes an option to configure the aging period for offline non-persistent GVMs. Symantec Endpoint Protection Manager removes the non-persistent GVM clients that have been offline longer than the specified time period.
    • Symantec Endpoint Protection clients now have a configuration setting to indicate that they are non-persistent GVMs. Offline non-persistent GVMs can be filtered in the Clients tab view in Symantec Endpoint Protection Manager.

Additional support


Important information for the latest version

System requirements and release notes

Please review carefully before upgrading:

Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access

Supported and unsupported upgrade paths

Ensure that the currently installed version can be upgraded to the new version.

  • You can upgrade to the latest version from any prior version of 12.1. See "Supported upgrade paths to Symantec Endpoint Protection" in the latest release notes.
  • Certain Windows 10 upgrade paths are supported with 12.1.6 MP1 or later installed, or Windows 10 Anniversary Edition with 12.1.6 MP5 or later installed. For details, see Endpoint Protection support for Windows 10.

Important installation / upgrade information

Upgrade Symantec Endpoint Protection to 12.1.6 MP6 or later before you upgrade to macOS 10.12. Earlier versions are not supported on macOS 10.12. Leaving an unsupported version of Symantec Endpoint Protection in place when you upgrade the operating system can have unexpected results.

The upgrade to 12.1.6 MP8 or later from a version earlier than 12.1.5 may take much longer than you expect. The upgrade process converts all existing content to the optimized storage format. LiveUpdate also runs to obtain the most current content revisions. These resource-intensive processes may cause the upgrade to take significantly longer than previous upgrades. The extended length of time that the upgrade process requires is normal and to be expected. Do not cancel or interrupt the installation.

See The LiveUpdate content optimization and content storage space optimization steps take a long time to complete when upgrading to Symantec Endpoint Protection Manager 12.1 RU5.

You may need to edit the security policies for the Windows domain to allow the Symantec Endpoint Protection Manager's virtual service accounts to run correctly for Windows 7 / Server 2008 R2 or later. Earlier operating systems are not affected, but require Network Service to be present in security policies.

For information, see How to assign user rights to the Windows Security Policies for Symantec Endpoint Protection Manager services.


Things to know before getting started

Before the upgrade, use the Symantec Help diagnostic tool to determine whether the computers meet minimum system requirements.

Consider the following product-specific suggestions and recommendations and make sure routine maintenance has been done on the computers to be upgraded. Maintenance may include disk error checks, defragmentation of the hard drive, or other routine health checks. Here are the recommended methods for uninstalling the Symantec Endpoint Protection client.

Insufficient disk space

Ensure that there is enough disk space to perform the upgrade. For a successful Symantec Endpoint Protection Manager upgrade, free space should be at least three times the size of the database. Consult system requirements for the free space required to install the Symantec Endpoint Protection client.

See Increasing Symantec Endpoint Protection Manager disk space before upgrading to version 12.1.

Proxy servers

Ensure the proper exclusions have been made to any peripheral firewall or proxy to ensure successful communication with all Symantec servers.

See Required exclusions for proxy servers to allow Symantec Endpoint Protection to connect to Symantec reputation and licensing servers
Excluding a trusted web domain from scans.

Scanning exclusions

Additional scanning exclusions may need to be created before deploying the client upgrade.


Administering 11.x clients

A Symantec Endpoint Protection Manager with version 12.1 can successfully deploy, administer, and update Symantec Endpoint Protection 11.x clients. A common reason to maintain Symantec Endpoint Protection 11.x clients in a 12.1 environment is because of computers with Windows 2000 or Mac OS X 10.4 installed to them. These legacy operating systems are not supported on any installation of 12.1. However, Symantec Endpoint Protection 11.x has reached end of support life, and content such as virus definitions is no longer updated.

You should upgrade all computers that can be upgraded to take advantage of the newest protection technologies available in the latest version(s) of Symantec Endpoint Protection for Windows, such as Browser Intrusion Prevention, SONAR, Insight Lookup, SymProtect, Install on Reboot, Shared Insight, 64-bit Application and Device Control, and much more. For Macs, versions after 12.1.4 include Intrusion Prevention.

For more information, see Symantec Endpoint Protection 11.0.x End of Support Life.

Steps to upgrade

For general information on upgrading to Symantec Endpoint Protection 12.1.x, see Upgrading to a new release of Symantec Endpoint Protection.

For information on upgrading to specific versions of the 12.1.x product line, search the knowledge base for "upgrade or migrate to", and include thr specific version.


Best practices

As a best practice, always back up the Symantec Endpoint Protection Manager database before an upgrade.


Use Upgrade Clients with Package to upgrade existing clients:

Upgrading clients by using AutoUpgrade in Symantec Endpoint Protection

However, the following cautions apply:

  • If upgrading from 11.x and use Application and Device Control, disable the Application Control rule "Protect client files and registry keys." After the clients receive the new policy, AutoUpgrade can be used.
  • Due to possible bandwidth concerns, it is best to schedule AutoUpgrade for after hours. Packages can be staged on a web server by running Upgrade Clients with Package. There are alternate methods to deploy the upgrade package as well.

Fresh install of Symantec Endpoint Protection Manager 12.1.x

To start fresh with a new install of the Symantec Endpoint Protection Manager 12.1.x on a new server, for example, use the Communication Update Package to connect existing clients, both 11.x and 12.1.x, to the new Symantec Endpoint Protection Manager. The Communication Update Package can be deployed in the same way as clients: Home > Common Tasks > Install protection client to computers. After they are connected, you can upgrade the Windows client with AutoUpgrade.

To connect existing clients to a new Symantec Endpoint Protection Manager without sending a full installation package, see:


The Symantec Endpoint Protection clients can be used to protect virtual instances of the supported operating systems. Symantec Endpoint Protection Manager can be installed and managed on virtual instances of the supported operating systems.

Symantec Endpoint Protection includes additional management options for virtual clients, such as Shared Insight Cache and a separate configuration option for purging offline non-persistent GVMs.

See: Best practices for virtualization in Symantec Endpoint Protection 12.1.2 and later

Disaster Recovery preparation

Before beginning the upgrade, ensure that the current Symantec Endpoint Protection Manager installation has been backed up using disaster recovery preparation techniques. That way, if the upgrade fails, the Symantec Endpoint Protection Manager can be restored to functionality more quickly.

The disaster recovery process is slightly different for 11.x and 12.1.x, so be sure to use the correct document for the version in use. To recover an installation after a failure, due to database schema and other changes, reinstall using the exact version previously in use.

Symantec Endpoint Protection 11.x: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager


Frequently asked questions (FAQ)

Q: Where do I get the current version of Symantec Endpoint Protection?

A: Use your serial number to download it from FileConnect. To get the serial number, which begins with an M, with licensing information.

Download the latest version of Symantec Endpoint Protection
A guide to Endpoint Protection files on FileConnect

If you cannot find the serial number, contact Customer Support Assistance at the regional number provided.

Q: How do I upgrade or activate my license?

A: The process is the same for all licenses received with Symantec Endpoint Protection 12.1.x. For a walkthrough, read Activating a new or renewed Symantec Endpoint Protection 12.1 product license.

To view the video walkthrough:

  1. Go to http://go.symantec.com/education_septc.
  2. On the linked page, click Symantec Endpoint Protection 12.1.
  3. On the expanded list, click Symantec Endpoint Protection 12.1: How to Activate the License.

Q: What are the upgrade methods? When should each method be used?

A: There are many methods available to upgrade clients. First, read Preparing for client installation. Second, decide which method is most appropriate for the situation. Every situation is different, so Symantec provides many different methods for accomplishing this goal:

  • AutoUpgrade: Assign client packages (Windows only) to groups in the manager console, either manually or by using the Upgrade Clients with Package wizard.
  • Permit product updates in LiveUpdate Settings policy for a client group in the manager console.
  • Local installation from installation media.
  • Run the Client Deployment Wizard from the manager console. It walks you through the creation of a client package that then deploys using a web link and email, remote push, or lets you save for later local installation. You also have the option to deploy using third-party tools.

Q: What's the recommended migration order? What do I migrate first in my environment?

A: The recommended order is to upgrade all Symantec Endpoint Protection Managers, Group Update Providers, and then the remaining clients as needed.

Q: How do I upgrade from Symantec AntiVirus 10.x?

A: Migration from Symantec AntiVirus 10.x is no longer supported as of 12.1.5. For complete instructions for earlier versions, see: Migrating from Symantec AntiVirus or Symantec Client Security to Symantec Endpoint Protection 12.1 or later.

Q: What's new in the latest version? How do old features map to new features? 

A: The newest features and information are described in the documents below. 

Q: Can I continue to manage Windows 2000 and Symantec Endpoint Protection 11.x clients?

A: Yes. See Administering 11.x Clients in the table above for more information. However, this version is no longer supported, and you should upgrade as soon as possible. For more information, see FAQ: Upgrading Symantec Endpoint Protection 11 to 12.1.

Q: How can I generate a list of Symantec Endpoint Protection versions installed in my environment?

A: Generate this list using Reports.

See Generating a list of the Symantec Endpoint Protection versions installed on the clients and servers in your network,