The LU policy that you ,have shows that if the Cleint doesnot take update from the SEPM, there may be diffrent reasons for that , it will take the update from the Symantec server.
uncheck the option that says Use the default Symantec LU server
On the client, look in the registry under
HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\LiveUpdate.
Check the settings for the following keys:
■ UseLiveUpdateServer
If this key is set to 1, the client uses an internal LiveUpdate server or Symantec
LiveUpdate directly.
■ UseManagementServer
If this key is set to 1, the client uses the management server.
■ UseMasterClient
If this key is set to 1, the client uses a group update provider.