After upgrade of the Endpoint Protection Manager (SEPM) the following errors occur:

• Error "Failed to connect to the server" when attempting to login to console following an upgrade of Symantec Endpoint Protection Manager (SEPM).
• Attempting to manually start the Endpoint Protection Manager services results in the following message: "Windows could not start the Symantec Endpoint Protection Manager service on Local Computer. Error 1069: The service did not start due to a logon failure."

In the Windows Event Viewer, the following error messages appear:

• Log Name: System
  Source: Service Control Manager
  Event ID: 7000
  Description: The Symantec Endpoint Protection Manager service failed to start due to the following error: The service did not start due to a logon failure.
  
  
• Log Name: System
  Source: Service Control Manager
  Event ID: 7041
  Description: The semsrv service was unable to log on as NT SERVICE\semsrv with the currently configured password due to the following error:
  Logon failure: the user has not been granted the requested logon type at this computer./
  Service: semsrv
  Domain and account: NT SERVICE\semsrv

This service account does not have the required user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

• Log Name: System
  Source: Service Control Manager
  Event ID: 7041
  Description: The MSSQL$SQLEXPRESSSYMC service was unable to log on as NT SERVICE\MSSQL$SQLEXPRESSSYMC with the currently configured password due to the following error:
  Logon failure: the user has not been granted the requested logon type at this computer./
  Service: MSSQL$SQLEXPRESSSYMC 
  Domain and account: NT SERVICE\MSSQL$SQLEXPRESSSYMC 

  This service account does not have the required user right "Log on as a service."
  User Action
  Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
  If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

Services for Endpoint Protection Manager (SEPM) run under more secure permissions.

Edit the local policy settings to enable the services to run correctly, and then start the Endpoint Protection Manager services. 

Edit local policy settings

1. Open the Local Group Policy Editor Management Console.
   Click Start > Run, type gpedit.msc, and then click OK.
2. In the left pane, under Computer Configuration, click Windows Settings > Security Settings > Local Policies > User Rights Assignment.
3. In the right pane, double-click Log on as a service.
4. In the Log on as a service Properties window, in the Local Security Setting tab, click Add User or Group.
5. Click Locations, navigate to, and select the computer, and then click OK.
6. Under Enter the object names to select, type the following*:
   • NT SERVICE\SQLAnys_sem5
   • NT SERVICE\semwebsrv
   • NT SERVICE\semsrv
   • NT SERVICE\semapisrv
   • NT SERVICE\SepBridgeSrv
   • NT SERVICE\SepBridgeUploaderSrv
7. Click OK, and then click OK again.
8. Close the Local Policy Group Editor Management Console.

When the Group Policy Object (GPO) defines the "Log On As a Service" right

You cannot edit local policy settings when the Group Policy Object (GPO) defines the "Log on as a service" right.

In this instance, follow these steps to a new GPO:

1. Log on to the Endpoint Protection Manager server using a domain account.
2. Open the Microsoft Group Policy Management Console (install it first if necessary).
   Click Start > Run, type gpmc.msc, and then click OK.
3. Right-click Group Policy Objects, and then click New.
4. Type SEPM Log On As a Service, and then click OK.
5. Navigate to and right-click the newly created "SEPM Log On As a Service" GPO, and then click Edit.
6. Navigate to the following:
   
   Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
    
7. Double-click Log on as a service.
8. Click Browse, and then click Locations.
9. Select the local computer instead of the domain.
10. Add the following as the object names*:
    
    NT SERVICE\semsrv;NT SERVICE\semwebsrv;NT SERVICE\SQLANYs_sem5;NT SERVICE\semapisrv;NT SERVICE\SepBridgeSrv;NT SERVICE\SepBridgeUploaderSrv;
     
11. Click Check Names, and then click OK.
    Perform the same steps on the Endpoint Protection Manager server for other users or groups that require "Log on as a service" rights.
12. Close the Group Policy Management Console.
13. In the "Security Filtering" section of the GPO, remove all entries, and then click Add.
14. Click Object types, check Computers, and then click OK.
15. Enter the name of the Endpoint Protection Manager server, click Check Names, and then click OK.
    This ensures that the GPO apply only to the Endpoint Protection Manager server.
16. Right-click the domain name, and link it to the existing Endpoint Protection Manager "Log on as a service" GPO.
17. Open Windows Command Prompt.
    Click Start, click Run, type cmd, and then click OK.
18. Type the following command and press Enter:
    
    gpupdate /target:computer /force
     
19. Open the Local Security Policy Management Console.
    Click Start > Run, type secpol.msc, and click OK.
20. In the left pane, navigate to the following:
    
    Local Policies\User Rights Assignment\Logon as a service
     
21. Verify that the three "NT SERVICE" accounts you created earlier are present.
22. Close the Local Security Policy Management Console.
23. Start the Endpoint Protection Manager services.​

Start the Endpoint Protection Manager services

1. Open the Services Management Console.
   Click Start > Run, type services.msc, and then click OK.Services.
2. Right-click on each of the following services, and then click Start:
   • Symantec Embedded Database (If using embedded database)
   • Symantec Endpoint Protection Manager Webserver
   • Symantec Endpoint Protection Manager
3. Close the Services Management Console.

Alternatively, you can start the Endpoint Protection Manager services from Windows Command Prompt by typing the following commands:

• Net start SQLAnys_sem5
• Net start semwebsrv
• Net start semsrv

Note:  If there are ports not in use that should be, use the Management Server Configuration Wizard to fully resolve this issue. To configure the management server, click Start > All Programs > Symantec Endpoint Protection Manager > Symantec Endpoint Protection Manager Tools > Management Server Configuration Wizard.

*SQLANYs_sem5 is only necessary if using the Embedded database. semapisrv is specific to versions 14 and newer. SepBridgeSrv and SepBridgeUploaderSrv are specific to 14.1 and later.

Reset Local Service Account

Note: This option will only work when a local service account is used. 

1. Open the Services Management Console.
   Click Start > Run, type services.msc, and then click OK.Services.
2. Right Click on the problem service. 
3. Choose "Properties" 
4. Choose the "Log On" tab
5. "This account" should be selected with "NT SERVICE\" and the user ID. Leave this in tact. 
6. Erase both the "Password" and "Confirm Password" field so they are empty. 
7. Select "apply" then "OK"
8. Select OK on the message stating the service will need to be restarted.
9. Start the service. You will notice in the service properties a password was automatically regenerated.