I've also seen this problem in my environment. The clients behave as if the communication policy settings are set to 'Server Control' even if they are full permission 'Client Control' clients. I have even seen the System logs on the clients report "Switching to Client Control" (after changing the policy between Server and Client and updating) and still the client is dysfunctional.
The symptoms I've seen are:
- Clients with Net Threat Protection installed cannot modify the firewall settings. The firewall can't be enabled or disabled, and exceptions cannot be added.
- Clients cannot be disabled via right click > "Disable Symantec Endpoint Protection". The option is always grayed out.
These are on machines where the user can elevate to admin and the policy settings are 'Client Control'. Changing to 'Mixed Control' with full client permissions does nothing. Changing to 'Server Control' with the ability for users to disable clients does nothing as well.
I've verified that the policy settings are updating on the client. The client is simply failing to open permissions. I've even worked with Symantec support, on the phone for over an hour, trying to debug the issue with no resolution.
Uninstalling and then reinstalling seems to fix the issue in some cases. Seeing as when you install a component, you're basically reinstalling the product, I have a feeling that that's why the user above was able to resolve the issue after installing NTP. We have over 17K clients in our environment and I cannot push out 12.1 knowing that some clients (perhaps 10% or more) are going to have to be reinstalled. Our users will simply stop using the product.
Sort this out, Symantec.