Symantec Endpoint Protection Arm64 Work


For years, the Windows ecosystem was a monolithic x86/x64 fortress. That fortress wall cracked with the introduction of Arm64 devices like the Microsoft Surface Pro X, the Lenovo ThinkPad X13s, and the new wave of Snapdragon X Elite-powered laptops. These devices promise all-day battery life, 5G connectivity, and sleek, fanless designs.

However, for enterprise IT administrators, the question has been persistent: Will our critical security stack work?

Specifically, can Symantec Endpoint Protection (SEP), the venerable workhorse of enterprise antivirus and endpoint detection, run natively—or at least effectively—on Windows 11 on Arm?

The short answer is nuanced. As of 2025, Broadcom (which now owns Symantec) has made strides, but the path to a fully native Arm64 SEP client is a work in progress.

In Q2 2025, Broadcom announced a renewed focus on ARM64 due to enterprise demand. According to internal roadmaps (shared at the 2025 Symantec Partner Summit):

For now, the safest “works” scenario for SEP on ARM64 is:


Symantec Endpoint Protection (SEP) does not currently offer a native ARM64 client. Protection on Windows 11 ARM64 devices (e.g., Microsoft Surface Pro X/11, Lenovo ThinkPad X13s, MacBook Air/Pro with Apple M1/M2/M3 via Parallels/VMware) relies on the x86 emulation layer (CHPE/ARM64EC) provided by Windows. This results in functional but performance-limited endpoint protection.

The story of Symantec Endpoint Protection (SEP) on ARM64 is a tale of a slow but steady transition from traditional x64 architecture to the specialized world of Windows on ARM devices like the Microsoft Surface Pro X.

The Compatibility Milestone

As of April 2026, Symantec Endpoint Protection does work on ARM64, but with specific caveats regarding how it is managed. Support was officially solidified starting with version 14.3 RU7.

The Core Conflict: Managed vs. Unmanaged

The "twist" in the story is that while the ARM64 client (the software on the computer) is fully functional, it cannot be managed by a traditional, on-premises Symantec Endpoint Protection Manager (SEPM).

The Cloud Path: To successfully deploy SEP on ARM64, administrators must use the Symantec Endpoint Security (SES) cloud console.

The Lone Wolf Path: Users can also run "unmanaged" packages (self-managed) on ARM64 devices if they don't require centralized corporate oversight.

Known Limitations in the ARM World

While the protection is "native" and compatible, the ARM64 version isn't a mirror image of the x64 version. Several high-level features remain unsupported on ARM64 as of early 2026:

Threat Defense for AD: Active Directory-specific defenses are unavailable.

Exploit Protection: Standard memory-based exploit protections may be limited.

Browser Protection: Specific protections for older versions of Firefox or legacy Internet Explorer do not apply.

Application Control: Granular control over which apps can run is not yet supported for ARM64 clients.

System Requirements for Success

To get SEP running on an ARM64 device, ensure you have:

OS: Windows 11 (21H2 through 24H2) is the primary target for ARM support.

Dependencies: Installations often require the Microsoft Visual C++ 2022 Redistributable specifically for ARM64.

Hardware: Compatibility is focused on Qualcomm Snapdragon platforms (7c and later) and Ampere Altra processors.

For further technical details, you can refer to the official Broadcom Knowledge Base which details current ARM limitations.



  • Test in a controlled environment:
  • Consider alternatives if native support is required:
  • Monitor updates:
  • Workarounds:
  • Symantec Endpoint Protection on ARM64 represents a shift from "kernel dominance" to "OS cooperation."

    Symantec Endpoint Protection (SEP) provides native support for ARM64 architectures across Windows, macOS, and Linux, primarily starting with version 14.3 RU7. However, management and feature availability vary significantly by platform.

    Windows on ARM Support

    Broadcom introduced native ARM64 support for Windows in SEP 14.3 RU7.

    Management Limitations: Native ARM support is currently limited to unmanaged (self-managed) or cloud-managed clients (via the Integrated Cyber Defense Manager or ICDm). There is no support for managing ARM endpoints through an on-premises Symantec Endpoint Protection Manager (SEPM).

    Operating Systems: Supported on Windows 11 GA builds (21H2, 22H2).

    Unsupported Features: While most protection features work, the following are not supported on Windows ARM:

    • Custom Application Behavior
    • Threat Defense for Active Directory (AD)
    • Web and Cloud Access Protection
    • Exploit Protection
    • Legacy Browser Protection (IE/Firefox-based) in Intrusion Prevention Policies
    • Application Control

    macOS (Apple Silicon) Support

    Symantec offers robust support for Apple’s M-series chips, with compatibility added incrementally by processor generation:

    • Apple M1: supported from SEP 14.3 RU2
    • Apple M2: supported from SEP 14.3 RU5
    • Apple M3: supported from SEP 14.3 RU8
    • Apple M4 / M5: supported from SEP 14.3 RU9

    Unlike Windows ARM, the Mac agent can be managed by either on-premises SEPM or the cloud console.

    Linux ARM64 Support

    Broadcom provides ARM64/aarch64 installers for specific Linux distributions, managed through the seplpkg (SEP Linux Packager) tool.

    Supported Platforms: RHEL 8, RHEL 9, and Ubuntu (16, 18, 20) support ARM64/aarch64 architecture.

    Kernel Support: SEP for Linux relies on specific kernel modules. From 14.3 RU8, cloud-managed agents use LiveUpdate to automatically upgrade these modules.

    Discontinued Support: As of version 14.3 RU9, support for older distributions (RHEL 6, CentOS 6, Ubuntu 14, Debian 9, SLES 12) has been removed.

    Installation Notes

    ARM-Specific Packages: For Windows, ARM packages are available within the "Full_Installation" download of SEP. For cloud users, you must specifically select the Windows ARM architecture when downloading the agent package from the console.

    Prerequisites: On Windows 10/11, starting with 14.3 RU8, ensure Microsoft Trusted Signing (formerly Azure Code Signing) is installed for the client to function correctly.