When installing SEP clients using GPO the clients get all features installed instead of only the features set in the installation package

Article ID: 151556

Products

Endpoint Protection

Issue/Introduction

When installing Endpoint Protection using a GPO, the installation installs all of the client feature sets instead of only installing the features that are set in the client installation package.

Symptoms
Installing Symantec Endpoint Protection clients via a GPO installs all client features.
 

Cause

When deploying via GPO, the installation does not read the "setaid.ini" file, which specifies which components to install or enable.

Resolution

Assign a custom package to the client group within Symantec Endpoint Protection Manager

  1. Log in to the Symantec Endpoint Protection Manager
  2. Click on Admin on the left
  3. Click on Install Packages on the bottom left
  4. Click on Client Install Feature Sets at the top left
  5. Click Add Client Install Feature Set under Tasks
  6. Enter a name for the feature set
  7. Check and uncheck the desired features to meet the needs of the clients in the environment
  8. Click OK
     
  9. If there are different groups of clients that need to have different features installed, add as many additional custom feature sets as are required
  10. Click on the Clients tab on the left
  11. Select a group to configure
  12. Click the Install Packages tab at the top right
  13. Click Add Client Install Package under Tasks
  14. Select a package from the drop-down list at the top of the window
    • The clients in this group will conform to the version number of the package that is selected here.
    • Note that the 32-bit and 64-bit packages are separate. If there are both 32-bit and 64-bit clients in the same client group, one package will need to be added for each.
  15. Under the Client Features section, uncheck the box for Maintain existing client features when updating
    • This will force the clients to conform to the feature set that is selected from the drop-down list below
  16. Select the appropriate custom client feature set that was created in steps 5 through 9 in the Select the features you want to use drop-down list
  17. Click OK
     
  18. Deploy the Symantec Endpoint Protection installation via GPO (this installation may require a reboot)
    • At the time of installation, the client will implement all of the features, including those that should be disabled
    • When the client registers with the Manager and is assigned to the correct client group, the "correct" package will be pushed down to it
    • The client will then reinstall the package and implement the correct features and settings, effectively disabling the unwanted components (this reinstallation may require a second reboot)