In a cluster with SVA's deployed some GVM's are showing unprotected even though they have the vmci driver installed and are applied to a Security Group with a policy.
In UMC viewing events you may see:
Security Virtual Appliance are not able to protect Guest VM
In the NSX logs vsm.log you will find the below entry:
2017-05-17 18:09:02.821 UTC INFO TaskFrameworkExecutor-13 EndpointConfigurationManagerImpl:882 - vm: vm-109004 not mapped to any host
Any GVM to be protected by the SVA must be mapped to an ESXi Host in the cluster otherwise it is not possible for the SVA to know it is to protect that GVM.
You must fix the problem causing the GVM to not be mapped to an ESXi Host in order for the SVA to be able to protect it.