Once a client group is switched from Server Control to Client or Mixed Control mode, it does not retain any of the settings applied from the Symantec Endpoint Protection Manager (SEPM), but uses a default set of policies instead. This can enable settings that were previously disabled without any end-user interaction.

The product is working as designed. When configured to be in Client Control mode, the client will switch to use the client-side settings in cltdef.dat. This file is only updated by local configuration changes and will not be updated by SEPM policy changes.