Thanks for the quick reply, but all of the locks in the AV policy for this group are "open" already. This is one of several Exchange servers, and there are very few people who can actually log in to this server, so we are not worried about a user bypassing SEP, so just about the only restriction on this client is Live Update.
I failed to mention, this was an upgrade from SEP 11.0.6, using the new "Basic Protection for Servers" installer package, if any of that makes a difference.
I can disable the protection by right clicking the shield icon in the systray, but the client is re-enabled after a reboot. I need to set the services withni "services.msc" to disabled.