On Windows agent endpoints auto-upgraded from Symantec Endpoint Protection (SEP) 14.3.x to SEP 16.0, the following status is displayed in ICDm console:

Security Status : Compromised
Security Status Reason : OS does not support Trusted Signing (Feature Management)

Both SEP 14.3.x and 16.0 system tray icons are displayed simultaneously.

The SEP 14.3.x GUI appears normal.
The SEP 16.0 GUI displays "Error upgrading". Clicking the error reveals the following message:

Symantec Endpoint Protection can only be installed on systems with Microsoft Trusted Signing (formerly Azure Code Signing) support. You must install the appropriate Windows security update for this system.

Broadcom is aware of this issue and will update this document when a solution becomes available.

Workaround:

Please perform the following steps to uninstall SEP 16.0 and ensure that only SEP 14.3.x continues to operate.

1. For device groups containing agents that lack Trusted Signing (ACS) support, modify the applied "System Policy" using one of the following methods to temporarily stop the auto-upgrade to SEP 16.0.
   
   
   • Go to [Product Upgrade Settings] > [Enable Auto Upgrade] > [Show Advanced]. Move the [Release channel] slider to "Previous release channel" and save/apply the policy. The "Previous release channel" will continue to utilize SEP 14.3.x.
     
     
     
   • Go to [Product Upgrade Settings] and toggle [Auto Upgrade] to the OFF (left) position to disable the auto-upgrade feature entirely.
     
     
     
2. On the affected endpoint, open [Apps & Features] in Windows Settings and uninstall [Symantec Endpoint Protection] entry corresponding to version 16.0 (identified by the white-themed icon).