Sorry, but this is a pure server issue. I appreciate the try - and it does bring up something to look at - how to the policies get to clients? (I think it's XML, not JS, but it would be an interesting thing to look at)
JS files are used widely in SEP (and other products) and are not blocked or restricted. If it was, I'd expect SEP to be acting totally bad. This is, or at least appears to be according to logs, where the server is compiling the JS policy files to push to the clients.
But by now I've pretty well figured out at least how to stop these errors - it was a shotgun approach, but after a week of no results or help, I had little choice......... We're too busy to mess around so I had to do something, even if it was wrong.
IMO, this is 100% server. Nothing on the clients can cause an error on the management servers related to compiling policies, especially both servers within seconds of each other.
I temporarily resolved this, since it seems no one knows anything at all about this "problem" by simply deleting the HI policies completely. They are now totally gone, all HI policies, deleted from SEPM altogether. And guess what - the errors stopped.
I was right, it was a pure HI (Host Integrity), not related to AV or defs or anything on the client, 100% pure server problems.
We don't have this enabled on clients, and if it was a client issue, then I'd see pretty constant errors since the clients check in constantly through the day and night. At least that's my logic - clients with a heartbeat of 5 or 7 minutes checking in at random times to either server, yet the errors are logged on one server, then seconds later, the other, and not constantly through the day. Since a client is using one "parent" or the other, then it should hit just ONE of the servers if a client with a problem checks in with mother.
If a client checked in with mom, then 5 seconds later, checked in with dad, I could see both servers erring like that. But that's not how client check-in works, so that combined with the fact that the policy is not assigned and that this is a compile issue, and the policy assignment is one-way - it's pushed but the client doesn't respond instantly with a "try again, this one is bad" response, all of those pretty much rules out clients. Whatever it is, or now was, was pure server process.
This seems to be the way it's been going lately for SEP - I get a "please repair" with no explanation (seen all too often - and I know the reason as I predicted it a while back ), but otherwise nothing timely or of real consequence. Do I not include enough information? Is the Symantec forum related to security lacking volunteers who really know SEP inside and out? Is it a bad time of year? Or am I just really super lucky and have these weird issues no one else ever sees? With that sort of luck, I guess I won't buy any lottery tickets, eh? LOL!