Symantec Endpoint Protection (SEP) client users may see the following Status message on the Help > Troubleshooting > Web and Cloud Access Protection page: "Warning: Using CTCv1 (missing enrollment token)" 

• The warning appears regardless of which Cloud SWG POP the user connects to.
• The warning appears when SEP clients are connected in tunnel mode.
• The warning does not appear with SEP clients 14.3 RU6 and earlier.

The SEP client enrollment token is not included with upgrade installations, which results in the warning.

In this state, enhanced CTC (CTCv2) does not function, even though it is supported on SEP clients 14.3 RU7.

To eliminate the warning, enable the SEP clients to use CTCv2.

Do one of the following tasks:

1) In the SEPM or ICDm Web and Cloud Access Protection policy, add a new CTCv2 token from the Cloud SWG portal. 
Note: If you run a SEPM 14.3 RU6 with 14.3 RU7 clients, you can ignore the status message. However, you cannot disable legacy CTCv1 communications until you upgrade SEPM to RU7 or later.

2) Instead of an upgrade, uninstall the SEP 14.3 RU6 or earlier client and perform a fresh install of the SEP 14.3 RU7 or later client.
The fresh install triggers the installation of the enrollment token, which is necessary for enhanced CTC.

3) Upgrade the WSS token from V1 to V2. WSS V2 is not supported on 14.3 RU6 and earlier.

The message does not impact normal SEP client functionality.

However, it does prevent the ability to use new enhanced CTC services.  Therefore, you should NOT enable the "Block legacy CTC communications" option in the Cloud SWG portal until ALL of your SEP clients connect to the service.

IMPORTANT:

• Do NOT disable legacy CTCv1 WSSA clients by enabling the "Block legacy CTC communications" option in the WSS Agent settings in the Cloud SWG portal when this warning is present. Doing so will result in WSS Agents (prior to v8.3.1) from being unable to connect to the Cloud SWG service.
• KB on: "Block legacy CTC communications"