This is a very common question in general that I get asked in the support realm:
One thing to keep in mind is that there are new technologies in SEP 12.1.x that were not present in 11.x. When policies are migrated/upgraded, the policy options for the tech that existed during the 11.x days will be transferred into the policy sets. However, there are two new techs that need to be looked at within the AV policy sets:
Download Insight and SONAR - those are both brand new to 12.1.x - and since those are new, only the default options are loaded into those policy sets. Please look over those options to verify that they are not able to be manipulated.
Also, look over IPS policies as well, that one is commonly overlooked (make sure the locks are engaged)
Then also under client control modes, make sure that it is set to server control mode, and customize the options there (restricting users from turning on/off firewall and app & device control). This is under Clients>Select Desired group/parent [if inheriting]>Policies>Location-Specific Policies>Client User Interface Control Settings. Make sure that is in Server Mode, but edit those options (set options for firewall/network threat protection and application and device control).
As long as that is set and every option in AV/IPS has the lock engaged - then that should prevent end-users from shutting it off from the tray
However, to take it a step further, make sure tamper protection is in a block and log/block and do not log state with the locks engaged. If you migrated from 11.x, the default is log only and the option is unlocked; it does not automatically change that. If this is set to a block mode, then this will prevent unauthorized access to our keys and client files (such as users, threats, etc. from damaging our files). Then also set a password to stop the service/uninstall at the very least. That is under Clients>Desired Group/parent>Settings (blue box)>General Settings, then the security tab and tamper protection tab.