Upgrade paths to Endpoint Security
search cancel

Upgrade paths to Endpoint Security


Article ID: 173682


Updated On:


Endpoint Protection Endpoint Security Complete Endpoint Security


This document describes supported migration paths from older versions of Symantec Endpoint Protection (SEP) to the fully cloud-managed version Endpoint Security (formerly SEP 15).


SEP clients that are managed by a Symantec Endpoint Protection Manager (SEPM) that has not been enrolled in the cloud can be migrated to Endpoint Security (formerly SEP 15).  Below is an example of a supported upgrade scenario.

  1. An on-premises SEPM is installed and managing clients but is not cloud enrolled
  2. The Admin activates and sets up their Endpoint Security account
  3. The Admin creates Symantec Agent installation packages
  4. The Symantec Agent installation package is pushed to existing clients
  5. Once the installation is complete, the clients will be cloud managed

This migration path is supported for SEP 12.1.6 MP5 and later clients.  SEPM policies and settings are not carried forward to the Endpoint Security environment using this migration path.  The upgraded clients will begin using policy settings as defined in the Symantec Endpoint Security cloud console. 

SEP 14.2 RU1 or higher clients that are associated with a cloud-enrolled, on-premises SEPM can be converted to Endpoint Security, thereby removing the need for SEP client re-deployment. This can be achieved in one of two ways:

  • Via a new SMC command line option for manual conversion on a single client. Requires the Symantec_Agent_Setup.exe installation file for the destination cloud domain or tenant. You download this file from the cloud console.
    • smc –cloudmanaged pathtoSymantec_Agent_Setup.exe
  • Through the REST API
    • /api/v1/command-queue/cloudmanaged
    • You can target specific groups or clients
  • Use of the command will shut down the SEP client services, and make all configuration changes required so that the client can talk directly to the Cloud (including removing SEPM management information, backing up the sylink.xml –in case this process needs to be reverted, clearing the Host Integrity policy, restarting the SEP client services and uploading command status to SEPM as confirmation of the switch).
  • Upon client service restart, it will be fully Cloud-managed. No system reboot, end-user interaction, or proxy information is necessary to make this change.
  • It is possible to revert a cloud-managed client back to SEPM-managed using smc –sepmmanaged [c:\path\to\sylink.xml], whereby [c:\path\to\sylink.xml] is an optional parameter to be used in the event the client was never SEPM-managed. The process will disconnect the client from the cloud and remove credentials, stop the client services, restore sylink.xml, and restart the client services.
    In the event the SEPM is still bridged to the Cloud, the client will go into roaming mode. The client will return to its original SEPM group, regardless of where it may have been moved while cloud-managed.