Make sure the lock is closed in the AV policy for AutoProtect.

Make sure the lock is closed in the AV policy for SONAR (unable to disable PTP)

To disable SEP in task bar, do this,

Go to Clients page

Select a group you want to remove icon for

Under location specific policies and settings, click + sign Location-specific Settings

Click on Tasks next to Client user Interface Control Settings and select Edit Settings

Select the Customize button

Uncheck "Display the notification area icon"

See these as a reference:

https://www.symantec.com/business/support/index?pa...

https://www.symantec.com/business/support/index?pa...

That should do it

Disable Antivirus and Antispyware Protection is grayed out in the Symantec Endpoint Protection Client

http://www.symantec.com/business/support/index?page=content&id=TECH95087

How to block a user's ability to disable Symantec Endpoint Protection on Clients

http://www.symantec.com/business/support/index?page=content&id=TECH102822&locale=en_US

Check this thread

http://www.symantec.com/connect/forums/how-disable-disable-symantec-endpoint-protection-option-right-click-menu

http://www.symantec.com/connect/forums/block-users-ability-disable-symantec-endpoint-protection-clients

I've tried all those but if I disable the NTP and PTP I won't have that protection.

Also, I haven't made any changes and there are Security Status messages about Auto-Protect Failures on those computers. Not sure why that is.

Under Monitors and Command Status, the completion status shows 0% for everything. The Details show Not Received for status.

Well, I'll have to say I didn't "get" something at first. The lock symbols are clickable LOL! I thought it had something to do with certain check combinations...wow, I'm done for the day lol.

Yes :)

I attached a file with the report results.

Security Status messages about Auto-Protect Failures on those computers. Not sure why that is.

Under Monitors and Command Status, the completion status shows 0% for everything. The Details show Not Received for status.

GUP is same like al clients. it wil cache the updates and distribute to clients, they dont need to contact manager or internet for update.

Replication : is what u see in Sepm A, will be same in SEPM B.

You will see the green dot on the client.

GUP provides content updates only to clients. You can setup to SEPMs to be replication partners to replicate logs, policies, etc.

Also, what would cause the AD sync group to not display the computers that are in it? (they don't have SEP installed yet as I don't see them there) I could them under Find Unmanaged Computers as a workaround.

Haha! Thanks again. I think I've been staring at the screen too long lol.

Can you also deploy clients using the Find Unmanaged Computers window? Or is it recommended to use the Migration and Deployment Wizard?

If an x64 client was sent to an XP x86 PC it would/should fail, right?

Is there a way to find out where the SEP on the client PC received its updates from, such as SEPM or GUP?

Look at the System Log on the client

View Logs >> Client Management >> View Logs >> System Log

You will see "Downloaded new content from..."

This will tell you.

Awesome! Thank you very much!

I've seen a flow of how the system works, such as LiveUpdate>SEPM>GUP. So a computer in another octet will pick up only that one, SEPM as x.x.101.20, and GUP as x.xx102.34.

Here's an interesting question which I'm sure will have a simple answer. If the server with GUP has two network cards, one x.x.102.x and the other 10.0.1.x, the clients (on a separated network which cannot access internet at all) will update only from the GUP, right?

If I have a SEPM server and GUP in same net, x.x.101.x, how do I make everything, except what the GUP handles 10.0.1.x, go to the SEPM?

So this would be the way things go...

SiteA (x.x.101.x) has the SEPM

SiteB (x.x.102.x) and SiteC (x.x.103.x) have GUPs

PCs at SiteB will only go through SiteB GUP

PCs at SiteC will only go through SiteC GUP

PCs at SiteA will only go through SiteA SEPM

Back to syncing above, what will happen if one of those computers in the AD sync had to be rebuilt? Will SEPM reinstall the software, or what would need to be done?

Thanks Brian.

I've been thinking on the subnets.

ServerA is a SEPM, ServerB is a GUP, and ClientB1 is a PC in a ServerB's subnet.

ServerB has two nics, one for domain network and the other for subnet (10.x.x.x).

ServerB will receive updates from ServerA.

Will ClientB1 receive updates from ServerB (GUP)?

If I make any changes to policies etc, and I have a stand-alone EXE (or non-EXE) package, will I have to re-export those client install packages to export with the changes?