If you have the correct version (14.3 RU1+), follow these steps:
Run the Installer:
Emulation Warning:
If you are an IT administrator looking to deploy to ARM devices:
If your environment has ARM64 Windows endpoints and SEP is “running hot” (high CPU, fan always on), immediately migrate to the native ARM64 client + latest hotfix. Avoid x64 emulated SEP entirely – it’s not production-stable for ARM64.
Symantec Endpoint Protection (SEP) provides support for ARM64 (AArch64) devices primarily through its cloud-managed solutions. Key details regarding ARM64 support include:
Cloud Management Required: The on-premises Symantec Endpoint Protection Manager (SEPM) does not support managing ARM64 devices. You must use the Symantec Endpoint Security (SES) cloud console to manage the agent on these endpoints.
Supported Clients: ARM64 support is currently available for unmanaged (self-managed) or cloud-managed clients only.
Operating Systems: Support is specific to Windows on ARM64 and macOS (specifically macOS 11 and 12 on ARM-based "M-series" chips).
Known Issues:
Vulnerability Protections may cause connectivity loss for VNC or screen sharing on macOS ARM devices.
Command-line operations, such as uninstallation via PowerShell, are not supported for these clients.
Installation Prerequisites: On Windows ARM64, the Microsoft Visual C++ 2022 Redistributable is a mandatory requirement for agent installation.
For the most up-to-date documentation and feature releases, refer to the Broadcom TechDocs portal.
Symantec Endpoint Protection (SEP) supports Windows ARM64 (such as Surface Pro 9/X) primarily through cloud-managed installations. (Broadcom support portal)
Key Compatibility Details
Management Support: ARM64 endpoints are not supported for on-premises management via Symantec Endpoint Protection Manager (SEPM). You must use the Symantec Endpoint Security (SES) cloud console to manage these devices.
Operating System: Supports Windows 11 (21H2, 22H2).
Unsupported Features on ARM64
Application Control.
Exploit Protection.
Threat Defense for AD.
Custom Application Behavior.
Legacy Internet Explorer/Firefox-based Browser Protection. (Broadcom support portal)
How to Install
Cloud-Managed: Select the Windows ARM architecture when downloading the installation package from the SES cloud portal.
The ARM64-specific unmanaged package is available as part of the Full_Installation download of SEP. (Broadcom support portal)
The search for "symantec endpoint protection arm64 hot" primarily relates to the integration of hotpatching capabilities for ARM64-based Windows 11 devices, a feature Microsoft has been testing to allow security updates without system reboots.
Key Feature Details
Zero-Reboot Updates (Hotpatching): This "hot" feature allows the operating system and supported security applications like Symantec Endpoint Protection to patch in-memory code. This eliminates the need for frequent restarts during monthly security cycles.
ARM64 Native Support: Symantec agents (SES/SEP) now natively support ARM64 processors, specifically for Windows 11 (23H2–25H2) and Windows Server 2025.
Management Requirements: Native ARM64 devices currently require management through the Symantec Endpoint Security (SES) cloud console, as the on-premises Symantec Endpoint Protection Manager (SEPM) does not yet support managing ARM64 endpoints.
System Prerequisites:
VC Redistributables: Installation requires Microsoft Visual C++ 2022 (ARM64) and the 2015-2022 Redistributable (x64/x86) to function correctly on these devices.
Firmware: Some Qualcomm-based ARM64 devices may require specific UEFI firmware updates to fully enable these advanced security mitigations.
Related Security Capabilities
In addition to the "hot" patching support, recent updates for ARM64 platforms include:
Adaptive Protection: Breakthrough technology that prevents attackers from using trusted applications (Living Off the Land) for malicious purposes.
Enhanced Ransomware Protection: Coverage for additional client paths and improved Tamper Protection.
Voice Clarity Support: AI-powered background noise suppression that works natively on ARM64 CPUs for secure communication apps like WhatsApp.
Release Notes - Broadcom TechDocs
Symantec Endpoint Protection (SEP) provides native support for architecture starting with version . However, this support is currently limited to cloud-managed (through the Integrated Cyber Defense Manager (ICDm)) or unmanaged (self-managed) clients. There is no support for ARM64 endpoints managed via an on-premises Symantec Endpoint Protection Manager (SEPM). (Broadcom support portal)
Compatibility & Requirements
Operating Systems: Supports Windows 11 GA builds (21H2, 22H2).
Architecture: Designed for 64-bit ARM-based processors, such as those found in the Surface Pro 9 (5G version) and Surface Pro X.
Prerequisites: Installation may require specific Microsoft Visual C++ Redistributables (e.g., 2022 for ARM64). (Broadcom TechDocs)
Feature Limitations for ARM64
While most core security features like Intrusion Prevention and Malware Protection are active, the following are not supported on ARM64 devices (Broadcom TechDocs):
Custom Application Behavior
Threat Defense for AD
Web and Cloud Access Protection
Exploit Protection
Legacy Browser Protection (Internet Explorer/Firefox-based)
Application Control
Installation & Troubleshooting
Package Download: Cloud-managed users should select the Windows ARM architecture option when downloading the SES (Symantec Endpoint Security)
Common Fixes
If an installation fails or rolls back, use the CleanWipe utility to remove traces of previous attempts before retrying.
Review installation logs at %temp%\SepInst.log for specific "ROLLBACK" or "FAIL" errors.
For unmanaged clients, the ARM-compatible package is typically found in the Full_Installation download of SEP. (Broadcom support portal)
Recent Updates
April 2026
Fix: You are trying to run the x64 installer on ARM64. Download the explicit ARM64 MSI from the SEPM console under "Client Install Features" > "Windows ARM64 Client".
Symantec Endpoint Protection (SEP) supports Windows ARM64 (such as the Surface Pro 9 5G), but with specific management limitations. (Broadcom TechDocs)
Key ARM64 Support Details
Management Mode: ARM64 support is restricted to cloud-managed (Symantec Endpoint Security / SES) or unmanaged (self-managed) clients.
Unsupported Platforms: The on-premises Symantec Endpoint Protection Manager (SEPM) does not support ARM64 devices. You cannot manage ARM64 endpoints using a local management server.
Client Software: For cloud management, you must select the "Windows ARM" architecture specifically when downloading the installation package from the Symantec Endpoint Security console.
Available Protection Features
ARM64 clients generally support core security features, though some specialized policies may vary by platform (Broadcom TechDocs):
Virus and Spyware Protection: Real-time scanning and scheduled scans.
Intrusion Prevention (IPS): Protection against network-level exploits.
Standard network traffic filtering.
Exceptions & LiveUpdate: Customizable exclusion lists and automatic definition updates. (Broadcom TechDocs)
Installation Note
If you are using an ARM64 device like the Surface Pro X or 9 5G, ensure you have the SEP Mobile or the cloud-compatible version, as standard x64 on-premises installers will not work. (Microsoft Learn)
Known Issues in Symantec Endpoint Security - Broadcom TechDocs
Symantec Endpoint Protection (SEP) provides native support for Windows ARM64 devices, specifically targeting modern hardware like the Surface Pro 11 and other Snapdragon-based PCs. As of April 2026, compatibility is focused on cloud-managed and unmanaged environments.
Latest Support & Compatibility (April 2026)
Operating Systems: Support includes Windows 11 GA builds (21H2, 22H2, 23H2, 24H2) and the latest version 26H1 for ARM64.
Management Requirements:
Cloud-Managed: Full support through the Integrated Cyber Defense Manager (ICDm).
Unmanaged: Supported via the "Full_Installation" download package.
On-Premises: No support currently exists for endpoints managed by an on-premises Symantec Endpoint Protection Manager (SEPM).
Current Known Limitations for ARM64
While the agent is a single-agent solution, some specific legacy features are not yet available on ARM64 architectures:
Custom Application Behavior and Application Control.
Threat Defense for Active Directory (AD).
Web and Cloud Access Protection (specific policies).
Exploit Protection and legacy browser protection for Internet Explorer or Firefox.
Maintenance & Performance Tips
Regular Updates: Broadcom releases monthly feature updates and daily security definitions to maintain protection levels.
High CPU Usage: If experiencing performance drops, check for conflicting third-party software or consider running the Symantec Diagnostic Tool (SymDiag) to identify resource-heavy scans.
Upcoming Maintenance: Broadcom has planned backend maintenance for Endpoint Security on April 29-30, 2026, which may cause temporary console slowness.
Moving to ARM64: The State of Symantec Endpoint Protection
As organizations trade traditional x86 hardware for the power efficiency of ARM-based processors, security teams are facing a new challenge: ensuring their legacy endpoint protection keeps up. If you are looking into Symantec Endpoint Protection (SEP) for ARM64,
The ARM64 Compatibility Reality
As of April 2026, Symantec’s ARM64 support is specific to how you manage your environment. The key takeaway is that on-premises Symantec Endpoint Protection Manager (SEPM) does not support ARM64 devices.
If you are deploying Windows 11 on ARM (like on a Surface Pro 9 or newer "Copilot+" PCs), your management options are restricted:
Cloud Management Required: You must use the Symantec Endpoint Security (SES) cloud console to manage ARM64 agents.
Unmanaged Support: SEP 14.3 RU7 and newer supports ARM64 for unmanaged (self-managed) clients if cloud management isn't an option.
What is Missing? (The "Hot" Issues)
While core antivirus and firewall protections are active, not every feature has made the jump to the ARM architecture. If your security policy relies on these specific tools, you may need a "hot" workaround or an alternative:
Custom Application Behavior and Threat Defense for AD are currently unsupported on ARM.
Web and Cloud Access Protection and Exploit Protection are also missing from the ARM64 feature set.
Application Control remains unsupported on these devices as well.
Managing the Transition
For teams currently running on-premises SEPM, the move to ARM64 often serves as the catalyst for migrating to the SES Cloud. Broadcom has streamlined this through "hybrid management," allowing you to keep your x86 fleet on-prem while managing newer ARM hardware via the cloud.
Quick Support Links:
Download the latest Security Updates (Updated April 15, 2026).
Check the Broadcom TechDocs for the latest ARM-specific release notes.
Symantec Endpoint Security and Protection now officially supports ARM64 architecture for Windows 11 and Apple Silicon, offering high-scoring malware protection for cloud-managed and unmanaged endpoints. While providing robust security, the ARM versions are limited in functionality and can be resource-intensive, with reported high RAM usage on lower-spec devices. For full technical details, visit the Broadcom Knowledge Base (Broadcom support portal).
If you are deploying via script or command line, you must ensure the MSI checks the architecture correctly.
Run the following command to check the version:
msiexec /i "Symantec Endpoint Protection.msi" /l*v install.log
If the log shows PLATFORM_UNSUPPORTED, the package does not contain ARM64 binaries.
Since no native client exists, these are your best workarounds: