Events reporting fDenyTSConnections reg key changes are not accurate in Description or missing

Article ID: 200340

Products

Endpoint Detection and Response Endpoint Protection with Endpoint Detection and Response

Issue/Introduction

When the command below is run to disable RDP on a Windows endpoint that has the Symantec Endpoint Protection (SEP) client installed, Symantec Endpoint Detection and Response (SEDR) either shows no event or shows an event that inaccurately reports "RDP enabled":

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

In EDR, the "enriched_data.rule_description" field shows "RDP enabled".

Expected behavior:

In EDR, the event appears with enriched_data.rule_description=RDP disabled.
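To illustrate the expected mapping, here is an added example (not Symantec's code) that derives the correct description from the value actually written to fDenyTSConnections and flags events whose enriched_data.rule_description contradicts it. The sample events are constructed, and all field names other than enriched_data.rule_description are assumptions, not the SEDR schema.

```python
import re

# Constructed sample events shaped like registry "value set" records with the
# EDR's enriched_data.rule_description attached. Field names other than
# enriched_data.rule_description are assumptions, not SEDR's schema.
SAMPLE_EVENTS = [
    {   # the case from the article: value 1 written, but reported as "RDP enabled"
        "registry_path": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
        "value_name": "fDenyTSConnections",
        "value_data": "DWORD (0x00000001)",
        "enriched_data": {"rule_description": "RDP enabled"},
    },
    {   # value 0 written under the short hive name; this description is correct
        "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
        "value_name": "fDenyTSConnections",
        "value_data": "0",
        "enriched_data": {"rule_description": "RDP enabled"},
    },
]

TS_KEY = r"system\currentcontrolset\control\terminal server"
# Hive spellings seen in logs: HKEY_LOCAL_MACHINE, HKLM and the kernel form \REGISTRY\MACHINE
HIVE_PREFIX = re.compile(r"^(hkey_local_machine|hklm|\\registry\\machine)\\", re.I)

def key_path(event):
    """Registry path with the HKLM hive prefix removed, lower-cased for comparison."""
    return HIVE_PREFIX.sub("", event["registry_path"].strip()).lower()

def parse_dword(data):
    """Accept '1', '0x1' or Sysmon-style 'DWORD (0x00000001)' and return the integer."""
    m = re.search(r"0x([0-9a-f]+)", data, re.I)
    return int(m.group(1), 16) if m else int(data.strip(), 10)

def expected_description(event):
    """'RDP disabled' for fDenyTSConnections=1, 'RDP enabled' for 0, None if not that value."""
    if key_path(event) != TS_KEY or event["value_name"].lower() != "fdenytsconnections":
        return None
    return "RDP disabled" if parse_dword(event["value_data"]) != 0 else "RDP enabled"

def find_mismatches(events):
    """Return (index, expected, reported) for events whose description contradicts the value written."""
    out = []
    for i, ev in enumerate(events):
        expected = expected_description(ev)
        reported = ev.get("enriched_data", {}).get("rule_description")
        if expected is not None and expected != reported:
            out.append((i, expected, reported))
    return out
```

Running find_mismatches over a day's registry events gives a quick check of whether the enrichment described in this article is still wrong on a given client version.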

Cause

This behavior is the result of an error in the global IntelliFilter rules within the SEP client.

Resolution

This issue is addressed by a new set of IntelliFilter rules in an upcoming release of SEP. To apply them, upgrade the SEP Manager to SEP 14.3 RU1 or later, then upgrade the SEP client(s) to SEP 14.3 RU1.