When DCOM settings for the Symantec Management Agent (SMA or Sym Agent) are changed and the SMP Server is rebooted the changed settings revert back to what they were before the changes were made.

ITMS 8.x

The Sym Agent service is resetting these on start-up. This is by design. The default or custom DCOM permissions often allow the local DCOM service launch.

User scripts, 3rd party applications, or other elements can start the SMA service by simply executing any SMA COM method. These could make changes at any time without actually checking that the time is right. The fix for this was to disallow anyone to start the SMA service by invoking a COM method. 

These changes are not recommended by Symantec. If there are a lot of errors in the log, the cause needs to be indentified and the solution below is only meant as a temporary workaround. For example, if there is a keep alive script on the endpoint that checks to see if the agent is started and then invokes a COM object to start it, the Sym Agent will fail it because it can interfere with upgrades or other solution installs.

After making the desired settings to the Sym Agent DCOM Config, follow these steps to lock it down so the settings are not changed upon reboot or restart of agent:

  1. Open the Registry Editor (regedit.exe)
  2. Browse to HKEY_CLASSES_ROOT\AppID\{5E038245-CF81-44BE-8018-9A2981B9DC9B}
  3. Right-click on {5E038245-CF81-44BE-8018-9A2981B9DC9B} and select Permissions…
  4. Click the Advanced button
  5. Select the row with the name SYSTEM
  6. Click the Edit… button
  7. For Set Value, check the Deny box
  8. Click OK
  9. Click OK
  10. On the Windows Security warning, click Yes.
  11. Click OK
  12. Close Registry Editor

The System account will now be unable to edit the settings for the Sym Agent service. If you ever need to make changes to these settings, you will need to return to Registry Editor and remove the Deny from SYSTEM account.