SEPM and SEPM Web Service will need to be restarted after these changes.
SEP Client Debugging:
Enable CVE debug as well as SEP Debug in the Symdiag.
Start the AutoUpgrade and wait for the issue to be reproduced.
The Heartbeat and Download Randomization will add to the time. Set a low Heartbeat and disable Download Randomization for faster AutoUpgrade
What to look for:
Verify the config.xml was downloaded to the client. This can be seen in the CVE.log or by comparing checksum in client registry HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\ClientConfigFileChecksum with the Config.xml on the SEPM here C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\GroupFolderGuid.
Check if the delta or full package was received. This can be done by reviewing the Debug.log on the client. Alternatively, check the "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\VersionNumber\SmcLU for install files. This directory should contain the last unzipped delta or full package. If the package is a delta package, and files exist here, it is likely that patchwrap.exe was able to successfully rebuild the patched files.
Look for the smcinst.log underneath Install Dir/smcLU. If that log file exists, smcinst.exe was run and MsiInstaller was launched. If this is the case troubleshoot the install like you would any other SEP Client installation.
Full packages are requested by CVE ONLY in these scenarios: When SMC is unable to install the delta package and when the client's base version does not exist on the server.