Endpoint Protection

In our environment, we have several sites.  The number of systems at a site may be small, but they are spread out amongst several subnets within each site.  As is proper IP routing design, each site's IP range summarize to one or a very few IP supernets.  Since we are using the 10.0.0.0/8 RFC1918 space, we can be very generous with our IP allocations per site.  A site with only a couple hundred machines still gets a /16, and follows the same network design as our main site with 10000+ machines.  This means that I could have dozens or more /24 networks in the site.

I want to be able to input a summarized supernet into the Explicit Group Update Providers, so that all machines in, for example, 10.250.0.0/16, all point to the local site GUP.  Since there is no "subnet mask" field to input, I don't know how SEPM is deriving the mask from the IP.  Is it using the old classful system, and thus by default if my IP is 10.x.x.x it's going to assume a /8?  Does it assume /24s?  Or is it somehow smart enough to assume the end 0.0 implies that the last two octets are hosts?  I really just don't want to have to enter in 254 different /24 addresses (10.250.0.0, 10.250.1.0, 10.250.2.0, etc).  I also want to make sure that, with our 10.0.0.0/8 network space usage, that SEPM doesn't think that it's a flat network and every host can use any GUP in that full range.

According to the note for Explicit GUPs, SEP will auto-find the subnet mask.

https://www-secure.symantec.com/connect/downloads/generate-liveupdate-policies-have-many-gup-subnets#comment-9318121

I don't want to use any subnet calculated by SEPM.  I want to explicitly define the subnet mask.  My GUP may be (as in my example above) at 10.250.14.200.  What's the subnet mask SEPM will use?  The GUP itself may be using a 255.255.252.0 subnet (/22), but I want everything in the entire site subnet (255.255.0.0) to use that GUP.  I would want something similar to the attached image file (hacked together in ms paint).