You need to manually unenroll Symantec Protection Engine (SPE) when the normal unenrollment process fails.

SPE 8.0+ on Windows

1. Stop the "Symantec CAF Service" service.
2. In File Explorer, navigate to "C:\Program Files\Symantec\Common Agent Framework\" and make a backup copy of CAFConfig.ini.
3. Download the default CAFConfig.ini from this page and place it in the directory mentioned above. Make sure to rename it to CAFConfig.ini.
4. Rename CAFStorage.ini to a different name (i.e. CAFStorage.ini_backup).
5. Navigate to SPE's installation directory (normally C:\Program Files\Symantec\Scan Engine).
6. Make a backup of the centralmgmt.xml file.
7. Open CMD or PowerShell as administrator and navigate to SPE's installation directory (normally C:\Program Files\Symantec\Scan Engine).
8. Run the following two commands so that SPE appears to be unenrolled:
   • .\XMLModifier.exe -r /centralmgmt/Configuration/EnrollmentInfo/DeviceID/@value centralmgmt.xml
   • .\XMLModifier.exe -s /centralmgmt/Configuration/EnrollmentInfo/Status/@value 0 centralmgmt.xml
   • Note: To complete the unenrollment fully, the Symantec Protection Engine service will need to be restarted. If you plan to re-enroll the scanner, you can skip restarting and go straight to the last step.
9. If you do not plan to re-enroll the scanner, restart the Symantec Protection Engine service.
10. To enroll the scanner again, run the enroll.bat from SPE's installation directory.
    
    • You may need to download a new enrollment script from the cloud console
    • In the Centralized Console, go to Settings -> Downloads

For the same instructions in Linux, see: https://knowledge.broadcom.com/external/article/222691