The status of all the features applied to a device can be checked in the Symantec Endpoint Security (SES) console under Device Details: Feature Status.
A few features, such as Threat Defense for Active Directory (TDAD) and Web and Cloud Access Protection, show "Disabled by admin" even though they are enabled.
Other requirements for the feature are not met, or an additional setting is required.
Verify the following for these features:
1. Web and Cloud Access Protection
To use this feature within SES, a valid Cloud SWG subscription is required for the configuration details.
If a subscription is not available, this feature will not work and can be unselected through the Feature Selection policy settings.
2. Threat Defense for Active Directory (TDAD)
If a machine is not joined to a domain, the Threat Defense for AD feature reports as "Disabled by admin".
This feature can also be unselected for groups or computers in a workgroup from the Feature Selection page, as above.
Additionally, in older TDAD Policy Versions, there is an "Enable TDAD Protection on Server (Experimental)" toggle option that needs to be enabled for this feature status to show Enabled.
Note: With TDAD policy version (9) released in May 25, this toggle option is removed and Server Protection is automatically enabled.
Reference: Policy Template Updates: Threat Defense for Active Directory policy
It can be updated as follows: