Endpoint Protection

  • 1.  Again Centr. Exceptions - but what these values mean ?

    Posted May 28, 2009 11:00 AM
    Hi guys,
    I've noticed how to override Client Restrictions for Centralized Exceptions set by SEPM. It's easy, I'm sure most of you know it, but for those who don't -> navigate to the path shown below, under exclusions select the type of exclusion you want to "unlock" -> expand it to the "Client" key and set the "Lock" value to "0". That's all. The bad thing is, if a policy with a new S/N is created in SEPM, then the new policy (no matter what the change in it is) will re-apply "locking".
    Just wondering what the number means (252417422). Also what these values (in red rectangle) mean, and what if I set them to 1, 2, 3... They appear after an exclusion is made.
    Any idea ?



  • 2.  RE: Again Centr. Exceptions - but what these values mean ?

    Posted May 28, 2009 11:12 AM
    Subscribing to this thread! I wasn't aware of that registry option, and will need to test this out myself. The only recourse then is to lock down the registry.


  • 3.  RE: Again Centr. Exceptions - but what these values mean ?

    Posted May 28, 2009 07:52 PM
    My question is why you want to do this in the first place? To your statement, "if a policy with a new S/N is created in SEPM then new policy (no matter what the change in it is) will re-apply locking", the answer is yes, this is working like it is supposed to. Also it does seem as though if you give your clients the rights to change reg values they will be able to "unlock" these exceptions. My thought is that this would only work until the next heartbeat, when everything gets synced back up with the SEPM. I am not sure of that but it seems like this would happen. Can anyone confirm this?

    Grant


  • 4.  RE: Again Centr. Exceptions - but what these values mean ?

    Posted May 28, 2009 11:38 PM
    I believe these numbers are just reference points for the system, for configuration settings. All software has this.


  • 5.  RE: Again Centr. Exceptions - but what these values mean ?

    Posted May 29, 2009 02:16 AM
    Yes, you are right, on the next heartbeat everything goes locked again, but the interesting thing is that the entered exception stays (and that's the purpose).
    On your question "Why?" - it's simple. Instead of sending a lot of mails to someone to enable me to add exclusions, just modify a little bit and the desired program is no longer detected as a risk.
    Thanks for your answer Paul - I'll look forward of these numbers, there should be an algorithm :)


  • 6.  RE: Again Centr. Exceptions - but what these values mean ?

    Posted May 29, 2009 03:44 PM
    OK, I understand what you are getting at. My question though is if you are able to change those settings yourself anyway through the SEP Client Window. To test this, double click on the SEP icon in the system tray. This brings up the SEP client window. Now click on change settings, and then centralized exceptions. This is where the client will be able to add their own exceptions. If this is locked down then I think it will be grayed out, not positive because it is unlocked on my machine. If this is not grayed out then you are not really doing anything tricky by editing that reg value that you couldn't do from this window, because those values in the registry correspond to what you are seeing here. However, if this option is locked down for you then you are purposely going around what your admin wants you to be able to do. This is a problem administrators will face if they allow their clients to have access to the registry. Access to the registry = access to the entire computer + any programs that are running on it. If your admin really doesn't want you to be able to do this then he/she needs to lock down the registry. Still I am not convinced this will work, I don't have a test box to try this out on now, but my feeling is if this option is grayed out then at the next heartbeat your exceptions will get moved back to what your admin had them at. If this is not the case then the only thing the admin can do is lock down the registry.

    Cheers
    Grant
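
For administrators following up on the "lock down the registry" advice in this thread, the script below is an added example, not part of any post and not Symantec's own tooling. It walks an exclusions key for the "Client" subkeys and "Lock" value described in the first post, reporting any that are unlocked and any that non-administrative principals can write to. The root key path is a required parameter because the path from the original screenshot is not preserved here; the function and property names are hypothetical.

```powershell
# Added example: audit "Client" keys under a Centralized Exceptions root.
# -ExclusionsRoot is supplied by you (e.g. 'HKLM:\...'); no path is assumed.
param([Parameter(Mandatory)][string]$ExclusionsRoot)

# Rights that let a principal change or replace a value such as "Lock".
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Principals expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-ExceptionLockFinding {
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { throw "Key not found: $Root" }

    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'Client' } |
        ForEach-Object {
            $key  = $_
            # $null when the value is absent, so "missing" and "0" stay distinct.
            $lock = $key.GetValue('Lock', $null)

            # Explicit and inherited allow-ACEs granting write to anyone
            # outside the trusted list. ACEs expressed only as generic
            # rights are not decoded here.
            $acl = Get-Acl -LiteralPath $key.PSPath
            $writers = $acl.GetAccessRules($true, $true, $sidType) |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.RegistryRights -band $writeRights) -and
                    ($trusted -notcontains $_.IdentityReference.Value)
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique

            [pscustomobject]@{
                Key             = $key.Name
                Lock            = $lock
                Unlocked        = ($null -ne $lock -and $lock -eq 0)
                NonAdminWriters = $writers -join ', '
            }
        }
}

# Show only keys that are unlocked now or writable by untrusted principals.
Get-ExceptionLockFinding -Root $ExclusionsRoot |
    Where-Object { $_.Unlocked -or $_.NonAdminWriters } |
    Format-Table -AutoSize -Wrap
```

Because the thread reports that the lock is re-applied at the next heartbeat, an empty `Unlocked` column does not show the value was never changed; the `NonAdminWriters` column is the durable finding.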