How to remove the threat protection from specific ESXi hosts in a cluster while leaving the remaining exit hosts in the cluster protected
If you want to keep specific ESXi servers on a protected cluster from being protected while leaving the other ESXi hosts protected, you have three different options.
Create a DSwitch other then where SVA and Guest Introspection is being installed and move the ESXi hosts you do not want to protect to it. This will show a Failed state for remaining protected state, as NSX shows successful state when all ESXi are under one cluster are protected.
Remove / Don't Install vSepFLT driver on the Guest Virtual Machines under the ESXi host(s)(where protection is not required), this will show ESXi as protected however GVMs will always remain in unprotected state as they don't have the driver the does the protection.
You can remove the ESXi from Cluster and move it to another cluster which is not under Symantec Threat Protection, they can move those without removing anything. When moving ESXi from a protected cluster should automatically remove Guest Introspection service and SVA from ESXi's.