When you go through the SEE Client creation wizard, you'll see the Advanced Settings page and looks different depending on the version of SEE Management Server you are running:

Symantec Endpoint Encryption Management Server version 12

Starting with SEE version 12, the Policies are configured via the Web portal. For information to upgrade to SEE 12, see the following article:

179347 - HOW TO: Install/Upgrade Symantec Endpoint Encryption Management Server (SEE Management Server)

For information on how to use the new web portal, see the following articles:

206503 - How to find your license number for Symantec Encryption products

240649 - Symantec Endpoint Encryption Web Dashboard and Reports

276507 - How to: Enter your License information for Symantec Endpoint Encryption version 12

276501 - Groups, Policies, and Client Creation with Symantec Endpoint Encryption version 12

The following screenshot displays all the settings available as Symantec Encryption recommends, not as the default settings:

Notice that "Client Admin Privilege (AD User Group)" option is configured with domain\security-group.  Anyone in this group will allow client administrator privilege's.
Of course, put only the most trusted SEE Client Admins in this group.

Next, "Allow Autologon Management for SYSTEM User" is enabled.  This allows you to enable Autologon via the SYSTEM account.
If you are doing a Windows update, you can issue the enable-autologon command before the update takes place, and at the end of the update, you can disable.
This makes it very easy to perform Windows Feature Updates that usually require three reboots.

Next, "Preboot Shutdown Timeout" is set to 5 to turn the machine off if it is at the Preboot screen for 5 minutes.

The "Allow SSO Hibernation" option should be used to require only one login after coming out of Hibernation.
Note: Sleep is not hibernation and does not invoke the preboot screen.

TIP: Symantec recommends using the settings as mentioned above for these reasons.  You may need to update your policies as these settings were hidden in previous versions.
SEE 12 now makes it easy to make adjustments to these parameters. 

The other settings are to be used only as needed, but are for specific use cases.

The "Allow Client Uninstallation (AD User Group)" Should be used only if the SEE-RME Only product is installed. 
If Drive Encryption is installed, this already prevents uninstalling the product so this is not recommended if in use.

The "Allow Client Uninstallation for SYSTEM User Only" Should be used only if the SEE-RME Only product is installed. 
If Drive Encryption is installed, this already prevents uninstalling the product so this is not recommended if in use.

SEE 11.3.1 MP1 through SEE 11.4 MP2:

Client Admin Privilege (AD User Group)
As you can see in the screenshot above, there are two advanced settings that can be used.  The first setting highlighted above is "Client Admin Privilege (AD User Group)" with the domain\group.  In example above, the domain of "Domain" has been entered, and an AD Security group of "SEE Administrators" has been entered.  You would then add administrators to the "SEE Administrators" group and then when admins run any eedadmincli.exe command, their permissions are automatically elevated and no passphrase is needed at the command prompt.  

If the AD user "Bobby" was added to the SEE Administrators group, then to enable autologon, you'd enter the following command running as "bobby" in the user context:

eedAdminCli --enable-autologon --count 3

As you can see, no authentication is needed here.

When you are done with the Windows upgrade, you can remove the autologon user:

eedAdminCli --disable-autologon

Allow Autologon Management for SYSTEM user
The next Advanced Setting listed above is "Allow Autologon Management for SYSTEM user".  This setting is either "False" or "True".   Once this is enabled (set to True as the screenshot above shows), then the SYSTEM account is able to enable Autologon.  This is especially useful when doing Windows 10 upgrades.  To enable autologon, running the command as SYSTEM context, the same command is used:

eedAdminCli --enable-autologon --count 3

When you are done with the Windows upgrade, you can remove the autologon user:

eedAdminCli --disable-autologon

SEE 11.3.0:  

As you can see the above names are different, but they are the same in functionality.  In SEE 11.3.1 MP1 the names were improved for clarity.

The "de.clientAdmin.adGroupName" parameter in 11.3.0 and earlier is the same as ""Client Admin Privilege (AD User Group)"in version 11.3.1 MP1.  The name was improved for clarity. The way this works is the same as in SEE 11.3.1 MP1.

The "de.autoLogon.allowSystemUserManagement" parameter in 11.3.0 is the same as "Allow Autologon Management for SYSTEM user" in 11.3.1 MP1.  The name again was improved for clarity and the functionality is the same.

In older versions of SEE, the same settings would apply, but with a shorter list of options available.  both "de.clientAdmin.adGroupName" and "de.autoLogon.allowSystemUserManagement" work in the same manner as explained in the 11.3.1 MP1 section above.