SEP on 2003 Terminal Services causing ntuser.dat problems
Updated: 28 Jul 2010 | 7 comments
Hi all,
We're having some problems with SEP locking each user's NTUSER.DAT file in Terminal Services. End result is, without rebooting the server, the users cannot log in the next day because the registry hive is still "open." We've installed the User Profile Hive Cleanup Service from Microsoft and added the executable to the exceptions list. (We still get the tamper protection warnings though.) However, we're still stuck on nightly reboots. Anyone fixed this?
Comments
Did you install it following the directions in Symantec's Terminal Server and Citrix Best Practices White Paper?
What version of SEP are you on? From that somewhat old doc, you should be on at least MR3.
Ray
It was installed in console mode with the local administrator account as an unmanaged client. We also had a fair few problems with SEP locking up the print spooler folder initially as well.
Version is SEP 11.04
Sorry, MR4. Got cut off. I did check the forums as well and the accepted solution is to add NTUSER.DAT to the exceptions list? That seems like a terrible idea.
According to this, MR4-MP2 did not actually correct this problem:
https://www-secure.symantec.com/connect/forums/end...
And adding the wildcard %userprofile%\ntuser.dat to the exceptions gives me some bizarre message about the file being in use.
http://www.symantec.com/connect/forums/windows-cannot-load-locally-stored-profile-possible-sep-ru5-related-problem#comment-3074081
https://www-secure.symantec.com/connect/forums/endpoint-protection-stopping-users-reciving-there-windows-profiles#comment-2492281
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Vikram, I did mention this above so your post is not new information. That second link is the one I already posted. And the one on top is almost identical information.
But I don't know that it's crossed anyone's mind that NTUSER.DAT is HKCU? So by excluding it, does that also exclude SEP from detecting registry tampering for that user?
On the server, first confirm that the exclusion has taken effect. The document below can help you with this:
How to Verify if an Endpoint Client has Automatically Excluded an Application or Directory
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind