Video Screencast Help

SEP 11 - policy doesn't seem to push to endpoints

Created: 08 Sep 2013 | 23 comments

I have a large number of machines that I need to disable tamper protection on so i can automate uninstall.  I have configured the SEPM policies to disable tamper protection as well as removinig the password protection on uninstall and other prompts - but it does not seem to be pushing to the clients?!?!  I made these changes on Friday afternoon (2 days ago) - yet I am still prompted for the password to get into the client and tamper protection is still enabled.

what am I doing wrong??

thanks in advance


Operating Systems:

Comments 23 CommentsJump to latest comment

Brɨan's picture

Did you verify the policy on the clients matches what is showing in the SEPM?

Does the group have inheritance broken on it? If so, it may have a different policy applied to it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

stephenmbell's picture

Thanks for the reply - 

I have applied it to every container - default policy and 1 other.  how do I verify the policy on the client?

Brɨan's picture

Open the client GUI and go to Help >> Troubleshooting.

Should show the policy here, just compare to what's in the SEPM on the details tab on the Clients page

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

Are you following this document?

How To Change Tamper Protection Policies and Settings to groups in Symantec Endpoint Protection Manager (SEPM)
You need to right click on the new policy you have created and then select apply. Once applied the policy should show the count ( right corner). In your case default should be 0 and new policy should show the number of group you have applied the policy to.
stephenmbell's picture

@Rafeeq - 

Yes - that is the document that I followed to disable the tamper protection.


In addition, I disabled all the Cleint Password Protection rules:


Yet, when I go to a client, I am still prompted for a password to open the user interface.  What am I doing wrong?

Rafeeq's picture

wrt to SEPM side what you have done should have disabled the password. 

I would like to confirm if that client is talking to SEPM to take the policy.

On the client can you open the SEP interface click on help and support ( right corner) and click on troubleshooting. 

Do you see the server name ( sepm) or does it show offline?

stephenmbell's picture


I see the IP address of the server.  It does say Security Policy Compliance - disabled.  Is that the culprit?

Brɨan's picture

Are you using NAC? This is why this shows.

However, I believe it will either say Pass or Fail. Do you have a NAC policy assigned?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Brɨan's picture

I would enable sylink logging and see what is going on:

You can post the log here for review if you wish

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

stephenmbell's picture

So I went through the doc to enable sylink logging and I don't see the log file being created?!?



I did run the smc -stop and start - and I enabled this 2 days ago, so the machine rebooted twice as well.  What's next?

Rafeeq's picture

Hmm thats correct.

when you do smc -stop

the small yellow sheild on the task bar should disappear.

when we do smc -start it would reappear

stephenmbell's picture

Yup - 

I just re-verified.  I did the smc -stop and I was prompted for the password.  Once I entered it, the sheild went away.  I did the start and the sheild re-appeared.

Still no log file created.

stephenmbell's picture

I have attached the log that was generated.

Debug.txt 93.4 KB
Rafeeq's picture

Follow this document

The legacy proxy settings can be removed by performing the following steps:

1.   Open the registry (Start->Run->type "regedit").

2.  Go to HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\connections

3.  Delete the registry keys "DefaultConnectionSettings" and "SavedLegacySettings".

4.  Reboot the machine.

Note:  These registry keys will automatically regenerate after reboot of machine.

Also, this also could be caused due to incorrect proxy server information in the following registry location: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings

Removing the incorrect proxy info from this key and then rebooting allowed the client to communicate normally.

One important thing to keep in mind is that any incorrect proxy information must also be removed from the following two locations as well:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

stephenmbell's picture

So I did this - removed the two registry entries, rebooted the machine, tried to update policy.

I am still getting prompted for a password to enter the client gui, which means my policy is still not applying.

I have attached a second debug log

Debug2.txt 18.91 KB
Rafeeq's picture

Should be related to your proxy settings..

Communication issues between SEP client and SEPM after installing Internet Explorer v.7 in environment using a proxy server.
whats the version of your IE? Do you have enhabced security enabled in IE?
You may try disabling that and check. 
Open sep client help and support - download the SEP support tool, see if that shows up some errors.
stephenmbell's picture

Ok - my environment is Windows 7 x86, IE 10.  I do not use a proxy for anything.

Sidenote:  Up until now  - I have been testing all of these changes on a client machine (the debug logging registry changes, debug utilities, log files).  Is that what I should be doing?

The removing of the registry keys above, again, done on a client - not the SEPM server.  That server is Windows 2003, IE8.

Rafeeq's picture

Right,so none of the machines are getting policy changes or its just on one group? was it working before?

the client is in the same group where you applied the policy to?

stephenmbell's picture

Yes - none of the machines (that I have checked) are getting policy changes.  I don't really know if it was working before - this is the first time I have really tried to modify the default.  I will say that the client had the policy that was reflected on the server.

We basically had 2 "groups" - My Comanny (the default), and a group for laptops.  This machine is in the default.  And it has not changed groups since this whole ordeal began

Rafeeq's picture

really hard to suggest anything without actually looking at it :) 

This would be the last document you would be following . Client communication is Ok as we can see the little green dot on the client and under the help and support it shows SEPM server name. Apart from that check the remaining

Troubleshooting Policy Changes

Rafeeq's picture

1. HKCU\SOFTWARE\Microsoft\Windows\Currentversion\Internet settings  check if there is a registry value called "GlobalUserOffline" if it is present change the value of the DWORD to 0