You use a scheduled task or other method to run smc -importconfig when no user is logged in on a system running Symantec Endpoint Protection (SEP). Contrary to expectations, you find that the command fails with error 3. SEP's System Log shows an "Import new policy failed" error message.
While logged in to the system, running the same command returns exit code 0, with SEP's System Log showing "New policy has been imported".
Policies are user-specific. When smc -importconfig is run, Windows' ImpersonateLoggedOnUser() function is called to impersonate the security context of the logged-on user. When there is no logged-on user, INVALID_SESSION_ID will be returned and our Trident engine will abort the configuration import operation.
The same is true on a Terminal Services or Remote Desktop server where there is no logged-on user. ImpersonateLoggedOnUser() will call GetFirstActiveSessionId(), which enumerates all active sessions and retrieves the session ID of the first active user. The WTSEnumerateSessions() API will return no active session. Hence, ImpersonateLoggedOnUser() will return FALSE and our Trident engine will similarly abort the configuration import operation.
This issue is fixed in Symantec Endpoint Protection 14.2 RU2. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec software here.
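On builds without that fix, a scheduled task can test for the condition described above before calling smc. The following wrapper is an added example, not Symantec code: it performs its own WTSEnumerateSessions() lookup for the first active session and only then runs the import. The WtsProbe class, the script layout, and both file paths are assumptions and placeholders.

```powershell
# Added example: hypothetical scheduled-task wrapper, not Symantec code.
$SmcPath    = 'C:\Path\To\smc.exe'      # placeholder: location of smc.exe on this host
$PolicyFile = 'C:\Path\To\policy.xml'   # placeholder: exported policy file to import

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class WtsProbe {
    [StructLayout(LayoutKind.Sequential)]
    struct WTS_SESSION_INFO { public int SessionId; public IntPtr pWinStationName; public int State; }

    [DllImport("wtsapi32.dll", SetLastError = true)]
    static extern bool WTSEnumerateSessions(IntPtr hServer, int reserved, int version,
                                            out IntPtr ppSessionInfo, out int pCount);
    [DllImport("wtsapi32.dll")]
    static extern void WTSFreeMemory(IntPtr pMemory);

    // Returns the ID of the first session in state WTSActive (0), or -1 if there is none.
    public static int FirstActiveSessionId() {
        IntPtr buf; int count;
        // IntPtr.Zero = local server, version must be 1.
        if (!WTSEnumerateSessions(IntPtr.Zero, 0, 1, out buf, out count)) return -1;
        try {
            int size = Marshal.SizeOf(typeof(WTS_SESSION_INFO));
            for (int i = 0; i < count; i++) {
                IntPtr p = new IntPtr(buf.ToInt64() + (long)i * size);
                WTS_SESSION_INFO s = (WTS_SESSION_INFO)Marshal.PtrToStructure(p, typeof(WTS_SESSION_INFO));
                if (s.State == 0) return s.SessionId;
            }
        } finally { WTSFreeMemory(buf); }
        return -1;
    }
}
'@

$sessionId = [WtsProbe]::FirstActiveSessionId()
if ($sessionId -lt 0) {
    # Same condition that makes the import abort: nobody to impersonate.
    Write-Warning 'No active user session: smc -importconfig is expected to fail with error 3 on affected builds.'
    exit 3   # mirror the code smc itself would return
}

& $SmcPath -importconfig $PolicyFile
switch ($LASTEXITCODE) {
    0       { Write-Output "Import succeeded (active session $sessionId)." }
    3       { Write-Warning 'Import failed with error 3; check the SEP System Log for "Import new policy failed".' }
    default { Write-Warning "smc exited with code $LASTEXITCODE." }
}
exit $LASTEXITCODE
```

Logging the wrapper's exit code in the task history separates "no session, import skipped" runs from genuine import failures when reviewing why a policy did not apply.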