Prevent users from disabling Endpoint Protection on their computer


Article ID: 154771




Endpoint Protection


You want to know how to prevent users from disabling the Symantec Endpoint Protection (SEP) client on their computer.



Step 1: Remove the right to disable Network Threat Protection

  1. In the Symantec Endpoint Protection Manager, click Clients.
  2. Select the group that contains the clients you want to be affected, and then click the Policies tab.
  3. Expand Location-specific Settings.
  4. Next to Client User Interface Control Settings, click Tasks > Edit Settings.
  5. Select Server control or Mixed control if it is not already set to one of these.
  6. Click Customize.
    • If Server control is enabled, this opens the Client User Interface Settings dialog.
    • If Mixed control is enabled, this opens the Client User Interface Mixed Control Settings dialog.
  7. Uncheck Allow the following users to enable and disable Network Threat Protection.
  8. Click OK, and then click OK again.


Step 2: Remove the right to disable Virus and Spyware Protection

  1. In the Symantec Endpoint Protection Manager, click Clients.
  2. Select the group that contains the clients you want to be affected, and then click the Policies tab.
  3. Expand Location-specific Policies.
  4. Next to Virus and Spyware Protection policy, click Tasks > Edit Policy and make the following changes.
    If you edit a shared policy, the edited policy applies to every group to which the shared policy applies.
    1. Click Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Auto-Protect.
    2. Click Download Protection, then lock this feature by clicking the lock symbol next to Enable Download Insight to detect potential risks in downloaded files based on file reputation.
    3. Click SONAR, then lock this feature by clicking the lock symbol next to Enable Sonar.
    4. Click Early Launch Anti-Malware Driver, then lock this feature by clicking the lock symbol next to Enable Symantec early launch anti-malware.
    5. Click Internet Email Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Internet Email Auto-Protect.
    6. Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Microsoft Outlook Auto-Protect.
    7. Click Lotus Notes Auto-Protect, then lock this feature by clicking the lock symbol next to Enable Lotus Notes Auto-Protect.
    8. Click Global Scan Options, then lock this feature by clicking the lock symbol next to Enable Insight for and Enable Bloodhound(TM) heuristic virus detection.
  5. Click OK.

Note: Users who are not members of the Administrators group in Windows cannot change settings in the Symantec Endpoint Protection client interface, regardless of the mode set in the client policy for Location-specific Settings. Windows 10 Administrators can still disable the product through the system tray icon by right-clicking it and choosing the Disable Symantec Endpoint Protection option, even with these items set. They will not be able to disable the individual items if brought up in the client UI.


Step 3: Remove the right to disable Intrusion Prevention

  1. In the Symantec Endpoint Protection Manager, click Clients.
  2. Select the group that contains the clients you want to be affected, and then click the Policies tab.
  3. Expand Location-specific Policies.
  4. Next to Intrusion Prevention policy, click Tasks > Edit Policy.
    If you edit a shared policy, the edited policy applies to every group to which the shared policy applies.
  5. Click Intrusion Prevention, then lock this feature by clicking the lock symbol next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention.
  6. Click OK.


Step 4: Force clients to update policy

This step is not necessary as clients will receive the policy during their normal heartbeat. However, you may be able to speed up the process with the following:

In the Symantec Endpoint Protection Manager

  1. In the Symantec Endpoint Protection Manager, click Clients.
  2. Right-click the group that contains the clients you want to be affected.
  3. Point to Run Command on Group, and then click Update Content.
  4. Click Yes, and then click OK. The client will receive a prompt to heartbeat and update its policy. Once the policy has been updated, Disable Symantec Endpoint Protection will be grayed out when users right-click the Symantec Endpoint Protection notification area (system tray) icon.

On the client computer

  1. In Windows, click the notification area icon, and then right-click the Symantec Endpoint Protection icon.
  2. Click Update Policy. The client requests the new policy from the Symantec Endpoint Protection Manager.