Endpoint Protection Small Business Edition

  • 1.  Auditing Symantec Device Control

    Posted Apr 02, 2015 09:22 AM

    We just started using Symantec Device Control.  We're still in the process of upgrading our clients so they all have device control.  Is there an audit that would show us which machines have it and which ones don't?  Reports in SEPM are ok, but if there's anything we can search on the workstation that would be even better.

    Second, a few users have the security rights to turn the device control on/off.  Is there a query we can run against workstations to know if they have turned off their device control? 

    I tried running procmon while toggling the device control on a machine, but can't see if there's a simple value it changes.

    Thank you in advance.




  • 2.  RE: Auditing Symantec Device Control

    Posted Apr 02, 2015 09:31 AM

    Is this for SEP or Symantec Endpoint Encryption Device Control (SEE-DC)?



  • 3.  RE: Auditing Symantec Device Control

    Posted Apr 02, 2015 09:32 AM

    Monitors > Logs > Computer Status, export it; the components column should give you the list of machines that have AP/DC enabled.



  • 4.  RE: Auditing Symantec Device Control

    Posted Apr 02, 2015 12:03 PM

    Sorry, we are using SEP. 

    I'm a little new to the monitor logs.  I exported the computer status log without any filters and have 23K cells.  I don't see any fields called "components".



  • 5.  RE: Auditing Symantec Device Control

    Posted Apr 02, 2015 12:19 PM

    The computer status report does not show which clients have ADC installed, unfortunately.

    But you can run this SQL query to see which clients have it:

    SELECT DISTINCT EVENT_ID, EVENT_TIME, HARDWARE_KEY, HOST_NAME, DESCRIPTION, CALLER_PROCESS_NAME, CALLER_RETURN_MODULE_NAME
    FROM V_AGENT_BEHAVIOR_LOG
    WHERE EVENT_ID IN ('501', '502')


    https://www-secure.symantec.com/connect/forums/zero-day-flaws-found-symantecs-endpoint-protection-computerworld-article-73014-629am-et#comment-10365321



  • 6.  RE: Auditing Symantec Device Control

    Posted Apr 02, 2015 05:01 PM

    I double checked and don't see any SQL database running on our SEP management server that I can run this query on.

    Is there anything we can query on the workstation itself to tell if it has Device Control enabled?  We have other scripts that check for baselines and could add this. 



  • 7.  RE: Auditing Symantec Device Control

    Posted Apr 02, 2015 07:12 PM

    The query can be run against the embedded DB as well. It runs against the DB schema.
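    Added example, not code from this thread or from Symantec: once the V_AGENT_BEHAVIOR_LOG query from post 5 has been run against the SEPM database and saved as CSV, this script reconciles it with the host names from the Computer Status export so that clients with no 501/502 event at all (the ones still lacking Device Control) are listed separately. The CSV rows, host names and DESCRIPTION values are constructed placeholders; the script does not assume what events 501 and 502 mean beyond the thread's statement that they identify clients that have ADC.

```python
# Added example (not from the forum thread): reconcile the output of the
# V_AGENT_BEHAVIOR_LOG query (EVENT_ID 501/502) with the full client list
# from the Computer Status export, so hosts that never reported a Device
# Control event stand out. Every row below is constructed sample data.
import csv
import io

# Constructed stand-in for the query result saved as CSV (column names as
# in the SELECT in post 5; DESCRIPTION values are placeholders).
BEHAVIOR_LOG_CSV = """EVENT_ID,EVENT_TIME,HARDWARE_KEY,HOST_NAME,DESCRIPTION
501,2015-04-02 08:10:00,HWKEY-0001,WS-FINANCE-01,constructed event 501
502,2015-04-02 08:12:00,HWKEY-0001,WS-FINANCE-01,constructed event 502
501,2015-04-02 09:00:00,HWKEY-0002,WS-HR-03,constructed event 501
"""

# Constructed stand-in for the host names in the Computer Status export.
MANAGED_HOSTS = ["WS-FINANCE-01", "WS-HR-03", "WS-LEGACY-07"]


def latest_adc_event_per_host(csv_text):
    """Return {host: (event_time, event_id)} keeping only the newest row
    per host. EVENT_TIME is ISO-like, so string comparison orders it."""
    latest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_ID"] not in ("501", "502"):
            continue  # only the two event ids the query selects
        host = row["HOST_NAME"].upper()
        stamp = (row["EVENT_TIME"], row["EVENT_ID"])
        if host not in latest or stamp > latest[host]:
            latest[host] = stamp
    return latest


def audit_device_control(managed_hosts, csv_text):
    """Split the managed client list into hosts with at least one ADC
    event (mapped to their latest event id) and hosts with none at all."""
    latest = latest_adc_event_per_host(csv_text)
    managed = {h.upper() for h in managed_hosts}
    seen = {h: latest[h][1] for h in managed if h in latest}
    missing = sorted(managed - set(latest))
    return seen, missing


if __name__ == "__main__":
    have, lack = audit_device_control(MANAGED_HOSTS, BEHAVIOR_LOG_CSV)
    for host, event_id in sorted(have.items()):
        print(f"{host}: last ADC event {event_id}")
    print("no ADC events at all:", ", ".join(lack) or "none")
```

Hosts in the "no ADC events" list are candidates for the client upgrade the original poster is still rolling out; the script does not detect a user toggling Device Control off on the workstation, which the thread leaves unanswered.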