A client that you assigned to a specific group within the Symantec Endpoint Protection Manager (SEPM), and which is using appropriate policies, unexpectedly moves to the Default Group and adopts the policies inherited to the Default Group. You can manually move the client back to its original group without error.
In some cases, when clients are assigned to a specific group, they move back to the Default Group almost immediately.
The client's globally unique identifier (GUID) may have changed.
When the client contacts the SEPM after the GUID change, it has the appropriate information to authenticate to the SEPM, but the SEPM does not recognize the client and returns the client to the Default Group. As a result, the Default Group policies override any previous policies active on the client.
The GUID can change due to (but not limited to):
The Default Group is most often used in large deployments as a initial group with limited rights and policies to contain unrecognized and unknown clients.
When a client appears in the Default Group as a result of the conditions above, move the client back to its appropriate group within the SEPM.
For clients that are routinely outside of the IP range of the network and not on VPN, it is best to set a policy to download virus definitions from LiveUpdate, rather than updating from the SEPM.
Clients that connect from a foreign IP address may experience the behavior described in this document.
When the client uses LiveUpdate while mobile, and does not attempt to connect to a SEPM, the client should remain in the group to which it was assigned, when it returns to your organization's networks.
In some cases the target group may have a different issue which causes it to move back to the Default Group. In this case, create a new group which has the same policies as the original target group, and then assign the client to that group to resolve the issue.