Endpoint Protection Clients fail to register with the Default Group within the Symantec Endpoint Protection Manager.

Article ID: 379260

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) clients may fail to register with the temporary group in Symantec Endpoint Protection Manager (SEPM) during the installation process. This typically occurs when new clients are blocked from registering with the "Default Group," which is designated as the temporary group in SEPM. The issue is commonly linked to group configurations, such as the blocking of new clients and the synchronization between SEPM and Active Directory (AD).

The following message appears in the SEPM console logs:

The Default Group blocks new clients. The client cannot register with the Default Group.  

Environment

SEP 14.3

Cause

The log notification occurs by design. SEPM assigns the "Default Group" as the temporary group for new clients upon installation. However, if the "Block New Clients" setting is enabled for the "Default Group," SEP clients cannot register with it, leading to the following error:

AgentRegistration:

WARNING: AgentRequestHandler> registerClientMainInTemp>> The Temporary group blocks new users/computers! client: Computer Laptop, domainId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2024-09-05 10:35:49.723 THREAD 38 WARNING: AgentRegisterHandler> agentRegister>> Error. Rolling back DB connection. Exception: The Default Group blocks new clients. The client cannot register with the Default Group.  
2024-09-05 10:35:49.827 THREAD 38 WARNING: AgentRequestHandler> registerClientMainWithPreferredGroup>> Found preferredGroup: My Company\Laptop, groupId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

SCM Server:

2024-09-05 10:35:49.693 THREAD 38 INFO: AgentRequestHandler> registerClientMain>> No match found in OU, preferred group: My Company\Laptop\
2024-09-05 10:35:49.723 THREAD 38 SEVERE: The Default Group blocks new clients. The client cannot register with the Default Group.  
com.sygate.scm.server.util.ServerException: The Default Group blocks new clients. The client cannot register with the Default Group.

Type="TEMPORARY" Creator="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" CreationTime="1557220377744" ModifiedTime="1707133796500" Id="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" Name="Default Group"

In this case, the issue arises because the Organizational Unit (OU) does not match the preferred group during the registration process. Once synchronization with AD occurs, clients are moved to the appropriate group, but until that happens, the default group assignment remains blocked.
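
As an added example (not part of the original article and not Symantec tooling), the following Python pairs each "Default Group blocks new clients" error in log lines of the format excerpted above with the preferred group reported on the same thread, so you can see which groups' clients are waiting on AD synchronization. The function names and the THREAD 41 sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Timestamped line prefix as it appears in the log excerpts above.
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) "
                  r"THREAD (?P<thread>\d+) (?P<level>[A-Z]+): (?P<msg>.*)$")
OU_MISS = re.compile(r"No match found in OU, preferred group: (?P<group>.+?)\\?\s*$")
BLOCKED = "The Default Group blocks new clients"

def blocked_registrations(lines):
    """Return one record per blocked registration, with the preferred group
    the same thread reported just before the failure (None if not seen)."""
    pending = {}   # thread id -> preferred group from that thread's latest OU miss
    seen = set()   # (timestamp, thread) pairs already reported
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace lines, untimestamped lines, blanks
        thread, msg = m["thread"], m["msg"]
        ou = OU_MISS.search(msg)
        if ou:
            pending[thread] = ou["group"]
        elif BLOCKED in msg and (m["ts"], thread) not in seen:
            # The same failure is logged as SEVERE and as a rollback WARNING;
            # report it once.
            seen.add((m["ts"], thread))
            events.append({"time": m["ts"], "thread": thread,
                           "preferred_group": pending.pop(thread, None)})
    return events

def groups_affected(events):
    """Count blocked registrations per preferred group."""
    return Counter(e["preferred_group"] for e in events)

# Sample input: THREAD 38 lines are from the article; THREAD 41 lines are constructed.
SAMPLE = r"""
2024-09-05 10:35:49.693 THREAD 38 INFO: AgentRequestHandler> registerClientMain>> No match found in OU, preferred group: My Company\Laptop\
2024-09-05 10:35:49.701 THREAD 41 INFO: AgentRequestHandler> registerClientMain>> No match found in OU, preferred group: My Company\Servers\
2024-09-05 10:35:49.723 THREAD 38 SEVERE: The Default Group blocks new clients. The client cannot register with the Default Group.
com.sygate.scm.server.util.ServerException: The Default Group blocks new clients. The client cannot register with the Default Group.
2024-09-05 10:35:49.723 THREAD 38 WARNING: AgentRegisterHandler> agentRegister>> Error. Rolling back DB connection. Exception: The Default Group blocks new clients. The client cannot register with the Default Group.
2024-09-05 10:35:49.730 THREAD 41 SEVERE: The Default Group blocks new clients. The client cannot register with the Default Group.
"""

if __name__ == "__main__":
    for group, n in groups_affected(blocked_registrations(SAMPLE.splitlines())).items():
        print(f"{n} blocked registration(s), preferred group: {group}")
```

An empty result after the "Block New Clients" setting is changed indicates that no further registrations were rejected in the lines scanned.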

Resolution

To prevent this issue, disable the "Block New Clients" setting for the "Default Group" in SEPM to allow temporary registration until proper group assignment occurs via AD synchronization.


Unblock new clients from registering with the affected client group:

  1. Log in to the Symantec Endpoint Protection Manager (SEPM).
  2. Click Clients and select the affected client group.
  3. Right-click the affected client group and click Properties.
  4. Uncheck Block New Clients and click OK.
  5. Confirm the affected client(s) are able to register with the SEPM in the affected client group.