When the command below is run to disable RDP on a Windows endpoint that has the Symantec Endpoint Protection (SEP) client installed, Symantec Endpoint Detection and Response (SEDR) either shows no event at all or shows an event that inaccurately reports "RDP enabled":
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
In SEDR, the "enriched_data.rule_description" field of the event shows "RDP enabled".
Expected behavior:
In SEDR, the event appears with enriched_data.rule_description=RDP disabled
This behavior is the result of an error in the global IntelliFilter rules within the SEP client.
This issue is addressed by a new set of IntelliFilter rules in an upcoming release of SEP: upgrade the SEP Manager to SEP 14.3 RU1 or later, then upgrade the SEP client(s) to SEP 14.3 RU1.
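As an added illustration, not part of this article and not Symantec's IntelliFilter code, the following shows the classification a registry-based RDP-toggle rule should emit for the reg add command above: it tokenizes the command line, matches the Terminal Server key and the fDenyTSConnections value, and maps the written data to "RDP disabled" (1) or "RDP enabled" (0). The sample command lines are constructed, and the HKLM alias, reg.exe spelling and hex /d handling are assumptions about how the command may appear in telemetry.

```python
import re
from typing import Optional

# Registry location whose fDenyTSConnections value controls inbound RDP.
RDP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_VALUE = "fDenyTSConnections"
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE"}  # assumed short form seen in telemetry

# Keep quoted arguments (straight or curly quotes) as one token, because the
# key path contains a space ("Terminal Server").
_TOKEN = re.compile(r'"([^"]*)"|\u201c([^\u201d]*)\u201d|(\S+)')

def _tokens(cmdline: str) -> list:
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]

def _normalize_key(key: str) -> str:
    hive, _, rest = key.strip("\\").partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}\\{rest}".lower()

def classify_rdp_reg_add(cmdline: str) -> Optional[str]:
    """Rule description an RDP-toggle detection should emit for a 'reg add'
    command line, or None if the command does not set fDenyTSConnections
    under the Terminal Server key."""
    t = _tokens(cmdline)
    if len(t) < 3 or t[0].lower() not in ("reg", "reg.exe") or t[1].lower() != "add":
        return None
    if _normalize_key(t[2]) != _normalize_key(RDP_KEY):
        return None
    opts = {}
    for i in range(3, len(t) - 1):
        if t[i].lower() in ("/v", "/t", "/d"):
            opts[t[i].lower()] = t[i + 1]
    if opts.get("/v", "").lower() != RDP_VALUE.lower():
        return None
    data = opts.get("/d", "")
    try:
        value = int(data, 16) if data.lower().startswith("0x") else int(data, 10)
    except ValueError:
        return None
    # A nonzero fDenyTSConnections denies Terminal Services connections (RDP off).
    return "RDP disabled" if value != 0 else "RDP enabled"

# Constructed sample command lines, not captured telemetry.
SAMPLES = [
    r'Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f',
    r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\SOFTWARE\Example" /v fDenyTSConnections /t REG_DWORD /d 1 /f',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(classify_rdp_reg_add(cmd), "<-", cmd)
```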