We have an environment with roughly 10,000 clients and, for the most part, have found SEP 11.0.5 to work well. 

With that said, we recently ran into the 0x0000005 error when using an application on a small subset of our PCs. After searching this forum for a few hours, I came across the various threads on the subject and was able to get the application working again by disabling the sysplant service via the registry. 

Everything was working well until a couple of weeks later when I got a request to change one of the 'Application and Device Control' options.  After making this change and pushing the policy update, we discovered that the sysplant service on those devices (that we had previously disabled) was now RE-enabled.  I suppose I understand why this would happen - the client sees a policy update for a service that is currently disabled and decides that it needs to be re-enabled in order to enforce the policy.

We would like to avoid this problem in the future.  I created a Location under the main client group based on a registry marker from the problematic application.  I created an 'Application and Device Control' policy that has none of the Application Control Rule Sets enabled.  The SEP console on each PC reports that the PCs properly associate themselves with this Location but it still re-enables the sysplant service.

So I'm looking for any ideas on how to resolve my issue.  I suppose I could create a new client group and try to attack it from that angle but I'd rather not manually manage a client group for 30-40 PCs.