MS Server 2008r2
SQL Server 2008r2
SEPM 11.0.73001294 (x2 managers)
40k+ clients

I've recently been experiencing clients changing automatically from computer mode to client mode. I've called tech support, and answers received don't make any sense...

Symantec support recommends updating to lastest version 12.1.5. Great idea, and in progress, but much easier said then done. Why is this always their default answer?
Support then recommends running script on server, saying it doesn't modify database. I don't believe this to be true as console is populated from database. I've asked what the script does, and aside from "Change clients from user mode to computer mode" they can't tell me more. Specifically what queries are run, what tables are modified, etc...
Finally support CAN'T explain why this is happening in the first place, and I can't get a clear answer that running script will prevent this from happening in the future. The only reason they were able to find was ...

"An admin creates an user in any SEPM Client Group that reflects a Username used by a SEP Client. On the next Heartbeat the Client is changed into usermode and moved to the group the user belongs to. Any other computers this user logs into will be affected in the same way. Any other users logging into a computer that is in Usermode will get a “usermode” profile created in the SEPM and will cause further machines to switch to usermode once they login to other Computers."

For this reason, I am hesitent in running the script, and BTW too many to change individually.

Does anyone know why this may be happening, aside from thier explanation, and what exactly script does?

Thanks
 

They will always recommend to get on the latest version to remove any known issues.

Did they send the script? Open it up and check it out or post it here
 

Is it possible that support are asking you to use the MoveClient utility/script to just administratively change all endpoints to computer mode?  More infor about it can be found in the below article:

http://www.symantec.com/docs/TECH157429

If this is the script they sent you, then yes: it does make direct changes to the DB (via the connection properties in the SEPM).

As far as why this is happening: I'm afraid it's not all that simple as it's been happening off and on across a number of different versions of SEP.  A selection of similar articles can be found below.  Perhaps one of these matches you scenario?

http://www.symantec.com/docs/TECH97888
http://www.symantec.com/docs/TECH131749
http://www.symantec.com/docs/TECH202208

As a bit of background info, the below article describes the conditions required for a mode change,  Maybe this will help you narrow down the cause:

http://www.symantec.com/docs/TECH147033

Support did send SwitchUserModeToCompModeTool jar/bat files

seems like you have added users in SEPM console first then installed SEP client?

You can assign your clients to their groups before you install the client software. If you perform this task first, you can assign security policies to the client separately from the installation. In this case, the client does not receive the security policies from the group that is specified in the client installation package. Instead, the client is assigned to the group that you specified before installation.

did you do anything like this before installing SEP?

In the console, click Clients. 
On the Clients page, under Clients, locate the group to which you want to add a client. 
On the Clients tab, under Tasks, do one of the following actions:
For user mode, click Add User Account. Enter the user name. If the user is part of a Windows Domain, type the domain name. If the user is part of a workgroup, click Log on local computer.

For computer mode, click Add Computer Account. Type the computer name and then type the Windows Domain name or type Workgroup.

Click OK. 

Rafeeq - SEP is pre-installed in image as unmanaged client. Sylink.xml is then imported. Sylink has the following <RegisterClient PreferredMode="1" PreferredGroup="My Company\Group1\SubGroup1"/> so clients should drop into proper group and as preferred mode 1 (Computer Mode).

This has worked fine for over 3 years, but suddenly clients are changing to user mode.

Note from one of the tech articles - There was an AD sync, but of 40k+ clients, only 10 are in MS AD Domain. All others are different forest, different domain, no trusts. AD Sync has now been removed.

At this point, the only thing which is left is Upgrading to 12.1.5 or use the tool to switch modes

try running DB validator to see if it shows up any error

How to use the Database Validation tool (DBValidator.bat) for Symantec Endpoint Protection Manager -http://www.symantec.com/docs/HOWTO39461

Unintended SEP clients are switched to User Mode

http://www.symantec.com/business/support/index?page=content&id=TECH202208

OK - Ran DBvalidator. Found no errors.

Disabled AD as authentication method (There were no clients imported, or replicated thru AD)

Ran MoveClient batch file found in ...\Tools\NoSupport\MoveClient_Utility\ folder. (from SEP 11.0.7 MP3 disk)

Script worked in changing client mode and after the weekend, clients are no longer reporting as User Mode.
<SOLVED>

I also played with moving clients to different groups and found some anomolies after, where some clients once in proper groups now appeared in wrong groups - even according to script. There might be a logic error in script, so I won't use this feature.

Thanks for all suggestions