Seems like I found the answer myself. The desktop group was the only group that inherited from "My company".
Apparently it's not enough to add the ATP to the private cloud configuration page on all non-inherited groups.
The configuration must be done through the ATP GUI to cover all groups.
I had to check this option in the ATP GUI EDR wizard to cover groups that are not inheriting settings from the root "my company" group.
"to ensure that private cloud policies for the top-level Symantec Endpoint Protection Manager group 'My Company' and its inherited groups are always overwritten regardless of whether you select this option"
https://support.symantec.com/en_US/article.HOWTO127750.html