Endpoint Protection

  • 1.  SescLU.exe resets permissions on HKEY_USERS\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

    Posted Oct 06, 2009 10:42 AM
    We are trying to harden servers and workstations for PCI compliance. One of the steps is to tighten permissions on HKEY_USERS\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots. When we do this, within two minutes SescLU.exe reverts the permissions on the key.

    Is there a way to stop this from happening?


  • 2.  RE: SescLU.exe resets permissions on HKEY_USERS\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

    Posted Oct 06, 2009 11:43 AM
    The only permissions you need on this key are READ for all users that will be using the system.
    What permissions are you setting on this key and what is Symantec reverting it back to?


  • 3.  RE: SescLU.exe resets permissions on HKEY_USERS\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

    Posted Oct 06, 2009 12:04 PM
    I am setting BUILTIN\Administrators=Full Control, NT AUTHORITY\SYSTEM=Full Control, BUILTIN\Users=Read per our policy rules. As soon as I update content from the console or update policy from the client, it reverts it back to EVERYONE=Read and NT AUTHORITY\SYSTEM=Full Control.
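
An added example, not part of the original thread and not Symantec code: a PowerShell check that compares the key's DACL with the policy listed in the post above and reports drift such as the revert to Everyone=Read. The function name `Get-AclDrift`, the `$Policy` table and the sample SDDL string are constructed for illustration.

```powershell
$KeyPath = 'Registry::HKEY_USERS\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots'

# Policy from the post above, keyed by well-known SID (independent of OS language).
$Policy = @{
    'S-1-5-32-544' = 'FullControl'  # BUILTIN\Administrators
    'S-1-5-18'     = 'FullControl'  # NT AUTHORITY\SYSTEM
    'S-1-5-32-545' = 'ReadKey'      # BUILTIN\Users
}

function Get-AclDrift {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.RegistrySecurity]$Acl,
        [Parameter(Mandatory)][hashtable]$Policy
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $seen = @{}
    foreach ($ace in $Acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs affect subkeys, not this key itself; skip them.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $sid = $ace.IdentityReference.Value
        $seen[$sid] = $true
        $want = $Policy[$sid]
        $issue = if ($ace.AccessControlType -ne 'Allow') { 'UnexpectedDeny' }
                 elseif (-not $want) { 'UnexpectedTrustee' }
                 elseif ($ace.RegistryRights -ne [System.Security.AccessControl.RegistryRights]$want) { 'WrongRights' }
        if ($issue) {
            [pscustomobject]@{ Sid = $sid; Rights = $ace.RegistryRights; Expected = $want; Issue = $issue }
        }
    }
    # Trustees the policy requires but the DACL does not grant at all.
    foreach ($sid in $Policy.Keys) {
        if (-not $seen.ContainsKey($sid)) {
            [pscustomobject]@{ Sid = $sid; Rights = $null; Expected = $Policy[$sid]; Issue = 'MissingTrustee' }
        }
    }
}

# Constructed SDDL for the reverted state described above (Everyone=Read, SYSTEM=Full Control).
$reverted = New-Object System.Security.AccessControl.RegistrySecurity
$reverted.SetSecurityDescriptorSddlForm('D:(A;;KR;;;WD)(A;;KA;;;SY)')
Get-AclDrift -Acl $reverted -Policy $Policy | Format-Table -AutoSize

# Live check against the real key on the host being audited.
if (Test-Path $KeyPath) {
    Get-AclDrift -Acl (Get-Acl -Path $KeyPath) -Policy $Policy | Format-Table -AutoSize
}
```

Running the live check before and after a content or policy update shows whether the DACL was rewritten in between.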


  • 4.  RE: SescLU.exe resets permissions on HKEY_USERS\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

    Posted Oct 08, 2009 09:58 AM
    It appears to be doing this on both Windows 2003 Server and XP.

    Has anyone else dealing with PCI compliance experienced this behavior?


  • 5.  RE: SescLU.exe resets permissions on HKEY_USERS\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots



  • 6.  RE: SescLU.exe resets permissions on HKEY_USERS\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

    Posted Oct 13, 2009 04:06 PM

    Since "everyone" is effectively "authenticated users" nowadays, is there really a difference?

    I'm pretty conversant in PCI, or so I thought, and we've never had an issue like this pop up. Where is it coming from?

    Ray