
Symantec Endpoint Protection Client Icon in the System Tray, the selection for 'Disable Symantec Endpoint Protection' is grayed out

Created: 24 Aug 2011 | 13 comments

I have a slight problem where the Symantec Endpoint Protection Client Icon in the System Tray, the selection for 'Disable Symantec Endpoint Protection' is grayed out. Is this by design?

I built a new SEPM server, pushed the new client out to upgrade the current clients to 12.1, but the settings still don't take.

I've changed the policies and it doesn't seem to take.

I've created a new policy and still no joy.

I was able to allow the setting in the previous version but since upgrading to 12.1, it doesn't seem to work.

I want to be able to allow this on the servers as all the admins are trusted to disable the anti-virus if needed.



pete_4u2002's picture

If this is a non-admin user then yes, it should be greyed out.

If you are still seeing this with an admin account, then check if the settings are right; hope you have configured it for Server control!

PHNSAdmin's picture

As I stated in my post, the "admins" are trusted to disable the anti-virus if needed.

Yes, the policies are set, and changing them to enable or disable makes no difference. The question remains as to why it was working on my old server that I just did an upgrade to 12.1 and now it won't work on the newly built server.

Thank you

Rafeeq's picture

It's not by design, you can set to enable to disable those.

Is SEP installed in computer mode or user mode? Check if you have these settings enabled.

Policies are applied to groups; maybe after the upgrade you moved the machine to one of the groups where this policy is applicable. Check these settings!

How to block a user's ability to disable Symantec Endpoint Protection on Clients

About computer mode and user mode

PHNSAdmin's picture


SEP client is configured as computer mode for everything. We've never used user mode in our environment, really no need for us.

I've checked and checked these settings over and over again. The problem is that it seems to work with other policy settings (changing scan times, display notification icon, etc.) but the ability to disable SEP from the notification icon is always greyed out.

On my old server (where I still have a number of clients), the option to enable or disable seems to work.

I've read the articles that you posted. Thanks, but it's driving me nuts, where it should be such a simple thing.

Maybe it has something to do with the location awareness? Just guessing.


NilsArne's picture


I have the exact same problem. I have upgraded from SEPM v11.0 to version 12.1 with no problems and pushed new SEP version also with no problems. On some of the servers (all member servers of a Win2008 R2 domain) the “disable Symantec Endpoint Protection” is grayed out when I’m logged in with a domain admin user. If I log in with the local administrator on the same server the “disable Symantec Endpoint Protection” is NOT grayed out…

The SEP clients with the problem get new definitions and SEP policies.

I have spent a lot of time installing and uninstalling but with no success… Also driving me crazy…

AravindKM's picture

Have you installed NTP on the client end? If not, install NTP.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

NilsArne's picture

All servers (SEP clients with problem) are domain member servers and time synchronisation is done in the domain. Is it then necessary to set up NTP on the client end? I have done no NTP configuration on the client side.

AravindKM's picture

So I believe that is the reason why disable option is grayed out. I am not so sure about 12.1, but in 11 it works like this.

If you click on disable endpoint protection, it will disable only the NTP part of SEP. And if you have not installed NTP, this option will be grayed out.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

PHNSAdmin's picture


I don't have NTP installed on any of the servers so it does make sense. The strange thing is that it still seems possible to disable via the icon on Windows 2003 servers, but not on Windows 2008 servers.

Has anyone brought this up with Symantec? Not a big issue, just something that would be nice to know.


NilsArne's picture

I mixed NTP with Network Time Protocol... When adding the SEP component NTP the "disable..." is no longer grayed out.

We are not using the SEP Firewall on the servers (we use the Windows firewall), do you recommend using "Intrusion Protection" on servers? (all servers?)

AravindKM's picture

You can use intrusion prevention on servers, but do thorough testing before implementation.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Godspeed25's picture


Referring to your issue, I want to know if it is installed in the client machine. If yes, it may be disabled or may not communicate with the server.

Try to find out if the client machine is communicating with the server.

If not, please update the communication settings to the client.

Good luck!!!



stradric's picture

I've also seen this problem in my environment.  The clients behave as if the communication policy settings are set to 'Server Control' even if they are full permission 'Client Control' clients.  I have even seen the System logs on the clients report "Switching to Client Control" (after changing the policy between Server and Client and updating) and still the client is dysfunctional.

The symptoms I've seen are:

  • Clients with Net Threat Protection installed cannot modify the firewall settings.  The firewall can't be enabled or disabled, and exceptions cannot be added.
  • Clients cannot be disabled via right click > "Disable Symantec Endpoint Protection".  The option is always grayed out.

These are on machines where the user can elevate to admin and the policy settings are 'Client Control'.  Changing to 'Mixed Control' with full client permissions does nothing.  Changing to 'Server Control' with the ability for users to disable clients does nothing as well.

I've verified that the policy settings are updating on the client.  The client is simply failing to open permissions.  I've even worked with Symantec support, on the phone for over an hour, trying to debug the issue with no resolution.

Uninstalling and then reinstalling seems to fix the issue in some cases.  Seeing as when you install a component, you're basically reinstalling the product, I have a feeling that that's why the user above was able to resolve the issue after installing NTP.  We have over 17K clients in our environment and I cannot push out 12.1 knowing that some clients (perhaps 10% or more) are going to have to be reinstalled.  Our users will simply stop using the product.

Sort this out, Symantec.