You installed an unmanaged Symantec Endpoint Protection (SEP) client for Windows with a package you exported from Symantec Endpoint Protection Manager (SEPM). The package included custom policies from a group whose Location-specific settings are under Server Control.
When you make changes in the client user interface (UI), and then reboot the computer, you notice that the policy settings have reverted to the default.
This issue is due to the Server Control setting assigned to the unmanaged client.
The Symantec Endpoint Protection client stores two copies of policy settings: serdef.dat and cltdef.dat. Both of these files are copied to the client computer when the Symantec Endpoint Protection client is installed.
In Server Control mode, the Symantec Endpoint Protection client loads the file serdef.dat for its policy settings. In Client Control mode, the file cltdef.dat is used. In either mode, the client UI can be locked or unlocked by policy.
If the Symantec Endpoint Protection client is managed, it periodically downloads serdef.dat from Symantec Endpoint Protection Manager to keep its local copy up to date. If the Symantec Endpoint Protection client is unmanaged, you can edit policy settings through the client UI with Change Settings.
Any change made through the client UI only affects cltdef.dat, and not to serdef.dat, since only Symantec Endpoint Protection Manager can modify Server Control mode’s policy settings. In either mode, the UI may also be locked by policy setting, preventing any policy changes to cltdef.dat.
In this scenario, when an unmanaged client is in Server Control mode, policy changes made in the UI are written to cltdef.dat, and the Symantec Endpoint Protection client UI continues to reflect the changes you made. When you reboot the computer, Server Control mode dictates that the Symantec Endpoint Protection client loads policy settings from serdef.dat. Because the client is unmanaged, no Symantec Endpoint Protection Manager ever modifies policy settings for serdef.dat, so it is therefore unchanged since the client installation.
Since the policy changes appear to have reverted, this looks like a defect when in fact it is working as designed. This combination of Server Control with unmanaged clients is intended for environments that use third-party content management. See Technical Information for more details.
On the Symantec Endpoint Protection client computer:
Note: This action overwrites any existing policy settings with the settings exported from Symantec Endpoint Protection Manager. If you want to keep the existing policy settings, create a new group in Symantec Endpoint Protection Manager, change the policy as needed, export and then import the profile of this custom group on the client.
Note: If you have enabled third-party content management, you can also import the updated profile by copying Profile.xml into the following folder:
Symantec Endpoint Protection has two modes: management mode, and control mode.
Management mode can be managed or unmanaged. When managed, the Symantec Endpoint Protection client has a Symantec Endpoint Protection Manager to which it reports, and which controls the client behavior on a wide scale. When unmanaged, the Symantec Endpoint Protection client runs on its own. For more information, see About managed and unmanaged clients.
Control mode can be Client Control or Server Control, which controls policy settings. For more information, see Preventing users from disabling protection on client computers.
Since those two modes are independent of each other, the Symantec Endpoint Protection client can be in one of four combinations:
In providing this flexibility to administrators and users, the fourth combination can have unintentional, undesirable results when you do not use third-party content management.