Endpoint Protection

  • 1.  HI Policy Working for Part of the Population

    Posted May 26, 2016 03:05 PM

    We are running SEP 12.1.6 MP4 on three Server 2012 R2 Standard SEPMs.  We set up locations for our workstations in response to applications that still needed us to run IE 8 on some machines.  We set up the policy initially to detect registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector\IE = 8.0000.  When the value is detected iexplorer.exe is blocked from access to anything outside a 1918 address and a white list.  In testing it worked brilliantly and we rolled it out to the workstations in phases.  

    It has, however, recently come to my attention that three members of the IT Security Committee for one of our hospitals are running IE 8 and have normal access to the internet.  I spoke with tech support and they told me that I either a)  need to set the Quarantine location to default or b)  add another location for NOT that registry value.  I also noticed that in the groups General Settings remember location is checked.

    I started by moving these three individuals to a separate group and copied the policies from their original group and unchecked the remember location toggle. They reported in, downloaded the new policy but did not move.  I next moved on to select the Quarantine location as the default but again they checked in, updated but did not move.  As a third step I created a rule for an Access location that does NOT have the registry value but only got the same result.  At this point the Access location is the default and is the first in my list of locations, Quarantine is second in the list and the Default group is disabled and I am seeing no result in the Client Activity log.

    This is working for a number of clients as we have had 1225 switch to the Quarantine group in the past week.  The next step is to reach out to work on the user's machines.  I was just wondering if anyone had any ideas as to the described set up.



  • 2.  RE: HI Policy Working for Part of the Population

    Trusted Advisor
    Posted May 27, 2016 03:31 AM

    Do you have access to the 3 machines? Might be worth attempting a repair or fresh SEP install on those machines may be a faulty SEP client component that just needs a refresh? 



  • 3.  RE: HI Policy Working for Part of the Population

    Posted May 27, 2016 06:51 AM

    I'm a bit confused here.  You mention HI in the subject, but all the OP content suggests you're actually talking about Location Awareness and the registry rule, with a location you've specifically called Quarantine.

    Could you clarify exactly what you have setup please?

    ***************************

    Failing that, you might have better luck with just a couple of SEP FW rules that target the IE8 executable by hash instead (to allow IE8 access to your 1918 addresses, and block access to everything else ).  This way you don't have to mess around with HI or Location Awareness, just put the rules in the FW policy for everything, and you're done.



  • 4.  RE: HI Policy Working for Part of the Population

    Posted May 27, 2016 01:04 PM

    You are correct, I am talking about Location Awareness and not HI.  Wouldn't the IE 8 executables have different hashes based upon build and patch?  My first thought would be just use hashes but with all the sub-builds I wasn't having much luck.  And of course IE 11 inserts a registry key for the installation but our deskeng folks repackage and remove that key.

    I was really looking to see if there was something missing with the rules the way I have them set up because the next step is to go to the local machines for the symdiag, repair install etc ...



  • 5.  RE: HI Policy Working for Part of the Population

    Posted May 31, 2016 03:59 AM

    In that case, can you describe what you have set up in full please?  Number of locations, priority order, rules for each, and which is marked as default is a good start.

    You might also find the below article handy:

    http://www.symantec.com/docs/TECH97097

    On a related note, your version number has too many zeroes to match any of the IE8 versions seen in the below MS article:

    https://support.microsoft.com/en-us/kb/969393
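The thread's next step is to look at the three machines directly, and reply 5 raises the question of whether the rule's literal `8.0000` actually matches what is in the registry there. The script below is an added example (not Symantec's code and not the poster's) for that check: it reads `HKLM\SOFTWARE\Microsoft\Internet Explorer\Version Vector\IE` on a Windows host and reports whether the value is identical to the rule's literal, shares only the IE major version with it, or is something else. It assumes the SEPM location condition compares the registry string literally against `8.0000`, which the opening post describes but the thread does not confirm; the sample values are constructed, not taken from any real machine.

```python
"""Compare the IE "Version Vector" registry value against a location rule literal.

Added example for this thread, not Symantec's or the poster's code. Assumption:
the SEPM location rule compares the registry string literally against "8.0000".
Reading the live value needs Windows; the comparison logic is pure Python.
"""
import sys

REG_PATH = r"SOFTWARE\Microsoft\Internet Explorer\Version Vector"
REG_NAME = "IE"
RULE_VALUE = "8.0000"   # the literal from the location rule in the opening post

# Constructed sample values (not read from any real machine).
SAMPLE_VALUES = {
    "rule-literal": "8.0000",          # identical to the rule, condition would fire
    "ie8-build":    "8.0.6001.18702",  # shaped like a full IE8 build string
    "ie11":         "11.0",            # a different major version
    "garbage":      "n/a",             # not a version string at all
}


def major_version(value):
    """Return the integer major version of a dotted version string, or None."""
    head = value.strip().split(".", 1)[0]
    return int(head) if head.isdigit() else None


def classify(value, rule_value=RULE_VALUE):
    """Classify a registry value relative to the rule literal.

    Returns one of:
      "exact"       - identical string; a literal-compare rule fires
      "major-only"  - same major version but a different string; rule does not fire
      "other"       - a different major version (e.g. IE 11)
      "unparseable" - not a dotted version string
    """
    if value == rule_value:
        return "exact"
    got, want = major_version(value), major_version(rule_value)
    if got is None:
        return "unparseable"
    return "major-only" if got == want else "other"


def read_live_value():
    """Read the real value from HKLM on Windows; None elsewhere or if absent."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
            value, _ = winreg.QueryValueEx(key, REG_NAME)
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    live = read_live_value()
    if live is not None:
        print(f"live HKLM\\{REG_PATH}\\{REG_NAME} = {live!r} -> {classify(live)}")
    else:
        print("no live registry value read (not Windows, or value absent)")
    for label, value in SAMPLE_VALUES.items():
        print(f"{label:13s} {value!r:18s} -> {classify(value)}")
```

A result of `major-only` on one of the three machines would explain the symptom without any SEP client fault: the host is on IE 8, but the string the rule compares against is not the one the rule was written for, so the location never switches. An `exact` result points back at the client or policy side, which is where the repair-install suggestion in reply 2 applies.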