Symantec Endpoint Security (SES) Windows agent is moved to "Quarantine" location by failing Host Integrity (HI) policy. You move this agent to other device group on ICDm console where no HI policy is applied. Agent is moved to the expected device group but still in "Quarantine" location.
This issue is fixed in Symantec Endpoint Security 14.3 RU7. For information on how to obtain the latest build of Symantec Endpoint Security, see Upgrading Windows client software automatically.
Work-around if issue happens: