Password protection settings have been configured in the Symantec Endpoint Protection Manager (SEPM) prior to upgrade to 14 RU1 version. Post upgrade of the client to 14 RU1, it is observed that the password protection settings are not honored on the client.

PBKDF2 is a password strengthening algorithm and it was implemented in SEP 14.0 RU1. In SEP 14.0 RU1 MP1, SEP client checks the existence of "AdminPassword" and "AdminPasswordPBKDF2" element to verify whether the password is set for any options. First, it checks for "AdminPassword" and later for "AdminPasswordPBKDF2" element. 

After migrating SEPM 14.0 MP2 to SEPM 14.0 RU1 MP1, by default profile.xml does not contain the "AdminPasswordPBKDF2" element. If AdminPasswordPBKDF2" is missing then client assumes that password is not set for any option. As a result, SEP client does not prompt for a password.

Symantec Endpoint Protection (SEP) 14 RU1 or 14 RU1 MP1

This issue is fixed in Symantec Endpoint Protection manager 14 RU1 MP2.  For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.

Workaround:

Remove and reapply the password in the password settings in the SEPM console and update the policy on the clients.