Endpoint Protection

  • 1.  Policy Serial Number

    Posted Jul 25, 2016 05:21 PM

    Hello All!

    I'm coming back to this space with a few questions that I'm hoping are very easy to answer.

    Back in the day when I used to manage SEPM policy updates to my systems, I'd wait to make any changes to policies until our change window.  When endpoint activity was low and it was "safe" to do so.

    In my new role, it's come to my attention that there are policy changes being pushed to endpoints midday.  There's little to no change control occurring and the responses I'm getting are basically a "These are itty bitty changes, no big deal" or "No changes are being made, that timestamp could be AV defs being downloaded".

    However, I can't help but recall a time nearly 7 years ago where we recovered from simple human error and a policy push midday.  That is a weekend I will not forget any time soon.

    Can someone here help me recall what causes the "Policy Serial Number" to change?  I am operating under the assumption that this only changes when you want the client to behave differently, from a simple setting change to something as big as Network Threat Protection, Location Awareness, Device Control... it all qualifies.

    However, are there changes that would cause this number to change from a simple operational activity?  Say an AV push, or something incredibly benign?  From what I remember, those were FAR and few in between, and the importance of waiting for off-hours, and sticking with proper testing/promotion was paramount to make sure the endpoint was behaving as expected.

     

    So the TLDR here is - What makes the "Policy Serial Number" change in the client?  Is there ever a policy update that could be changed without the knowledge of the sysadmins? (meaning done by Symantec via normal AV def downloads?)



  • 2.  RE: Policy Serial Number

    Posted Jul 25, 2016 08:24 PM

    The policy serial number will change any time a configuration change is made in the SEPM to a policy that affects something on the client end. It won't change with content updates.

    According to what you just mentioned about your change control process, these changes are occurring in violation of your process.

    In the SEPM, going to the 'Monitors' page and setting the log type to 'Audit' will tell you what change was made.