Hello,
ADC Policy should be disabled in case if you are migrating from RU6 to RU6a.
Disabling of ADC Policy is not required when migrating from RU6a to RU6 MP1.
Check the below:
Issue (KB 2010050612450248)
When SEPM is migrated to RU6 or RU6a it will publish new policy files for all managed clients. The application control policy produced by the migrated SEPM contains a new XML element “DeviceManagerSettingGroupLink”. Managed clients which are not yet migrated to RU6 will incorrectly enable application control based on the new XML. The client will prompt the end user for a reboot. If the reboot occurs sysplant will be enabled.
Migration Planning
To prevent this issue add the following steps to your migration plan.
- Prior to SEPM migration identify client groups containing Symantec Endpoint Protection (SEP) clients that should not enable sysplant.
- Disable the Application and Device Control policies associated with the client groups identified in step 1. Client groups with disabled Application and Device Control policies will not experience the issue when the SEPM is migrated. Proceed with SEPM migration plan.
- When SEP clients have been migrated to RU6 or later the disabled Application and Device Control policies can be enabled if desired.
Recovery
If the customer has migrated without accounting for this issue there are two recovery options.
- Upgrade clients to RU6. When the client is upgraded it will appropriately understand the new XML from SEPM and disable the sysplant driver if application control rules are not being used.
- Disable the application control policy in SEPM. By default each client group has an enabled Application Control policy without any rules. If upgrading the clients is not practical, then the user can edit the application control policy in SEPM and uncheck the checkbox for “Enable this Policy”. Once the policy has been disabled, the client still needs to receive the policy and reboot before the sysplant driver will stop running.