How to prevent client features from being disabled by users in the SEP 12.1 client interface

Article:TECH166950  |  Created: 2011-08-11  |  Updated: 2013-02-26  |  Article URL
Article Type
Technical Solution


How to prevent users from disabling the Symantec Endpoint Protection (SEP) 12.1 client features.


Symantec Endpoint Protection 12.1

Windows Server OS


The ability to disable SEP features is selectable - enabled by default for user selection.



  1) The selection item to disable all Virus and Spyware protection features is available / enabled by default.


To disable Virus and Spyware protection feature access on a SEP client, you will need to modify policies in the Symantec Endpoint Protection Manager (SEPM):

Logon to the SEPM --> Policies ---> Virus and Spyware Protection ---> Virus and Spyware Protection – Balanced --> Protection Technology --> Auto-Protect --> Check mark / lock Enable Auto-Protect



Confirm on Client, as seen below, the option "Disable all Virus and Spyware Protection features" is grayed out.


2) Disable Proactive Threat Protection is also enabled by default 


Logon to the SEPM --> Policies --> Virus and Protection policy – Balanced --> Protection Technology --> SONAR  --> Lock Enable SONAR


Confirm on client, as seen below, the item "Disable all Proactive Threat Protection features" is grayed out.


3) Disable Network Threat Protection access on SEP client.


Go to the Specific client group > Policies > Location specific setting > Client user interface settings > Edit settings >  Uncheck Allow user to enable and disable firewall


Check on client, as seen below, the option "Disable all Network Threat Protection features" is grayed out.


4) Disable Symantec Endpoint Protection feature is also enabled by default. This option can disable the previous 3 features, if they are not locked, along with some additoinal features.


1) In the SEPM, under Virus and Protection policy lock all the "Enable" items which are unlocked


Select Virus and Protection policy- High security, it will lock all the items as a policy default.

2) Go to Specific group > Policies > Location-specific Settings > Client User Interface Control Settings > Tasks > Edit settings Server Control > Customize > Uncheck the following two options

i) Allow user to enable and disable the firewall

ii) Allow user to enable and disable application and device control policy.

3) Also perform the following changes In the Policies tab of the SEPM:

i) Click  Intrusion Prevention Protection policy.

ii) Click Setting, then lock this feature by clicking the lock symbol next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention.

iii) Click OK.


Check on client, as seen below, the option "Disable Symantec Endpoint Protection" is grayed out.



Article URL

Terms of use for this information are found in Legal Notices