If you trigger an upgrade of a SEP client from the server the server it will always fail.
Our security policy requires UAC be enabled. A security product should not require you to turn off UAC in order to update itself.
Please fix Symantec End Point protection so it leverages the local system account to update itself.