
Step-1: Download the tool checksum.exe from the CD-2 of SEPM 12.

Note: If the full package has been installed on the client side, the tools will be installed automatically with the package.

Step-2: On the client system, open the command prompt with elevated credentials (admin rights) and change directory to the following path:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin

Step-3: Enter the command checksum C:\<filename>.txt C:\

Step-4: This will create an output fingerprint file in the C:\ root with the <filename> chosen in Step-3.

Step-5: Export that fingerprint file to the SEPM server.

Step-6: Open the SEP Manager and click on the Policies tab, then go to Policy Components and select File Fingerprint Lists in the drop-down. Add the new file fingerprint list that was exported to the SEPM server earlier in Step-5.

Step-7: On the SEP Management Server, go to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc

Open the conf properties file for editing.


Step-8: Add the following two lines to the conf file, replacing <max num of apps> with the maximum number of applications, and save it:

scm.systemlockdown.blacklist.enabled=1
scm.systemlockdown.max.count.extrafiles=<max num of apps>

Step-9: Go to Services and restart the following two services of Symantec Endpoint Protection Manager

Step-10: Now open the SEP Management Console, go to Clients > Policies and click on System Lockdown. You will see that Disable System Lockdown is checked.

Step-11: Now check Enable Blacklist Mode and Step 1: Log unapproved Application Only, as shown in the figure below.

Step-12: Now add the fingerprint list to the System Lockdown for clients, as shown in the figure below, and click OK.

Step-13: After a few hours, go to Clients > Policies > System Lockdown and view Unapproved Applications to see the list of unapproved applications run by the client.

Step-14: After reviewing the list of unapproved applications run by the client, you can add to the approved list the applications that are not part of the fingerprint list, as shown in the figure below. The Test Before Addition option, if selected, will allow the SEPM manager to log the approved application in the Application Control log list before adding it to the approved list. After adding the applications to the approved list, you can check Step 2: Enable System Lockdown to place the client system in the trusted or known zone.

Step-15: To ensure that the System Lockdown policy has been set, you can check for the status ON against System Lockdown, as shown in the image below.

Step-16: Finally, you can check on the client system whether the policy has been successfully implemented by running an application that is excluded from the approved list and is also not part of the fingerprint list. You will get the notification shown below.
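
The conf file edit in Step-8 is the one change in this procedure made outside the console, so it is worth making it repeatable and reversible. The PowerShell below is an added example, not part of the original guide and not Symantec code: it sets the two Step-8 keys without duplicating them and keeps a backup. The function names are hypothetical, the file path is supplied by the caller, and the file is assumed to be plain key=value text.

```powershell
# Added example, not Symantec code. Applies the two Step-8 settings idempotently.
function Merge-LockdownSetting {
    param(
        [string[]] $Lines = @(),   # current file content, one line per element
        [Parameter(Mandatory)] [ValidateRange(1, 2147483647)] [int] $MaxExtraFiles
    )
    $wanted = [ordered]@{
        'scm.systemlockdown.blacklist.enabled'    = '1'
        'scm.systemlockdown.max.count.extrafiles' = "$MaxExtraFiles"
    }
    $seen = @{}
    $out  = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in $Lines) {
        # A live setting looks like key=value; lines starting with # or ! are comments.
        if ($line -match '^\s*([^#!=\s][^=\s]*)\s*=') {
            $key = $Matches[1]
            if ($wanted.Keys -ccontains $key) {
                # Rewrite the first occurrence and drop any later duplicates.
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = $true
                    $out.Add("$key=$($wanted[$key])")
                }
                continue
            }
        }
        $out.Add($line)
    }
    foreach ($key in $wanted.Keys) {
        if (-not $seen.ContainsKey($key)) { $out.Add("$key=$($wanted[$key])") }
    }
    return ,$out.ToArray()
}

function Set-LockdownConf {
    param(
        [Parameter(Mandatory)] [string] $Path,        # conf file from Step-7 (caller supplies it)
        [Parameter(Mandatory)] [int] $MaxExtraFiles   # value for max.count.extrafiles
    )
    $Path   = (Resolve-Path -LiteralPath $Path).ProviderPath
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # ISO-8859-1, used by Java properties files
    $old    = [System.IO.File]::ReadAllLines($Path, $latin1)
    $new    = Merge-LockdownSetting -Lines $old -MaxExtraFiles $MaxExtraFiles
    if (($old -join "`n") -ceq ($new -join "`n")) { return 'unchanged' }
    # Keep a timestamped copy so the edit can be rolled back before the Step-9 restart.
    Copy-Item -LiteralPath $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    [System.IO.File]::WriteAllLines($Path, $new, $latin1)
    return 'updated'
}
# Usage (500 is a constructed value): Set-LockdownConf -Path '<conf file from Step-7>' -MaxExtraFiles 500
```

Run it from an elevated PowerShell session on the SEPM server; a result of 'unchanged' means both keys already had the requested values and no restart is needed for this step.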
