After Symantec Endpoint Protection Manager (SEPM) 14.0.1 enrolls to the cloud, you see an error that indicates the appropriate user rights are not assigned to the Symantec Endpoint Protection Bridge services.
You see one of the following error messages in the Symantec Endpoint Protection Manager console, on the Cloud tab, under Troubleshooting > Installation Status:
Note: While these services might run at startup, it is only a temporary state until the domain policies are enforced.
Warning #1 | Warning #2 |
---|---|
Symantec Endpoint Protection Bridge services require user rights in Windows domain security policies. The Bridge services cannot run until you assign user rights to the services in the specified policies: | Symantec Endpoint Protection Bridge cannot read the required user rights that are specified in the Windows domain security policies on this computer. The Bridge services cannot run if user rights are not assigned to Symantec Endpoint Protection Bridge services. |
(Screenshot: example of the message as seen on the Installation Status page.)
The Endpoint Protection Bridge installer automatically adds the required rights to local security policies. However, if the computer that hosts Endpoint Protection Bridge is a part of a domain, then domain policies override local policies. See Technical reference for more information on group policy precedence.
The error message indicates that domain policies are enforcing the privileges from the domain controller and do not contain the required user rights for Endpoint Protection Bridge during installation. The Endpoint Protection Bridge installer cannot assign user rights to domain security policies. Therefore, you must take manual action.
The following table summarizes Endpoint Protection Bridge's security policy requirements for Windows Server 2008 R2 / Windows 7 or later:
SEPM Service | User Right | Services to be added |
---|---|---|
Symantec Endpoint Protection Bridge | Log on as a service (SeServiceLogonRight) | NT SERVICE\SepBridgeSrv, NT SERVICE\SepBridgeUploaderSrv |
Endpoint Protection Bridge services on operating systems earlier than Windows Server 2008 R2 / Windows 7 use the Network Service, for which default domain policies include privileges. You should ensure that any security policies used on the Endpoint Protection Bridge computer do not have the Network Service removed.
Note: These accounts need to be present only if you have defined any of the user rights in the policies. If any of the user rights are in a "Not Defined" state, you do not have to explicitly enable them or add Endpoint Protection Bridge accounts. If you have not defined any user right, Endpoint Protection Bridge will not include that user right in the alert.
This error message indicates that domain group policy objects (GPOs) are restricting which rights are assigned to virtual service accounts.
To learn more, see If user rights are missing.
This error message indicates that the installer may not be able to determine whether the correct rights are assigned to virtual service accounts in domain GPOs.
To learn more, see If user rights cannot be determined.
Note: You must be a domain administrator, or coordinate with your domain administrator, to make changes to the affected domain GPOs.
To perform some of the steps below, you must install the Group Policy Management Console (GPMC) on the machine where you install Endpoint Protection Manager. For more information, see Install the GPMC on Microsoft.com.
Perform the following tasks to make Endpoint Protection Bridge work:
There will be additional log entries in the following location:
SEPM_Installation_Folder represents the installation folder for Endpoint Protection Manager. By default, this folder is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager. Currently, Symantec Endpoint Protection Bridge is installed on the same machine as Endpoint Protection Manager.
From the error message, make note of the missing service accounts. With the Troubleshooting pane on screen, press Control-C to copy the text of the message, which you can then paste into a document.
For example, the alert message may read:
Group policy setting SeServiceLogonRight in 'New Group Policy Object-testB' does not contain [NT SERVICE\SepBridgeSrv, NT SERVICE\SepBridgeUploaderSrv]
Note: In this example, SeServiceLogonRight is the user right, 'New Group Policy Object-testB' is the domain GPO, and the NT SERVICE\ entries in brackets are the virtual service accounts that must be added.
The required user rights are as follows:
You must ensure that for the GPOs listed, all of the accounts listed are present in all of the user rights assignments mentioned.
Note: The Symantec Endpoint Protection Manager Bridge is installed silently by the management console after cloud portal enrollment. Therefore, virtual accounts that correspond to Endpoint Protection Bridge services are not active yet when it’s installed. You can update domain policies using the steps below when you see the error message in the Symantec Endpoint Protection Manager, on the Cloud tab, under Troubleshooting > Installation Status.
Make the appropriate changes to the necessary domain GPOs with the Group Policy Management Console on your Active Directory server, or work with your domain administrator to make these changes. See Create and Edit a Group Policy Object on Microsoft.com to learn how to edit group policies.
Note: These steps are for the Windows Server 2012 Server Manager. Other versions of Windows may vary slightly.
gpupdate /force
When the Endpoint Protection Bridge cannot read the domain policies, it does not provide the missing user rights in the error message. In this instance, you (or your domain administrator) should manually inspect the domain policies based on the user rights assignments guidelines provided above, and ensure all required rights apply to the Endpoint Protection Bridge services.
You can manually check for the presence of required accounts and privileges before you enroll Symantec Endpoint Protection Manager with the cloud portal.
If the domain GPOs leave the privileges in the "Not Defined" state, the domain GPOs do not enforce them, and you do not need to change the domain GPOs.
If the domain GPOs define the privileges but the definitions do not contain all of the Endpoint Protection Bridge accounts, you must add the missing accounts to the corresponding policy.
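The manual check above can be scripted. The following is an added example, not part of the Symantec article: it parses the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export (which reflects the effective user rights on the host), derives the SIDs of the two Bridge virtual service accounts so they are recognised whether the policy lists them by name or by SID, and reports which accounts are missing from SeServiceLogonRight. The sample export text is constructed for illustration; a real export file is UTF-16 encoded and should be read with `encoding="utf-16"`.

```python
import hashlib
import struct

# Accounts the article requires in SeServiceLogonRight.
REQUIRED_ACCOUNTS = ["NT SERVICE\\SepBridgeSrv", "NT SERVICE\\SepBridgeUploaderSrv"]

def virtual_account_sid(service_name: str) -> str:
    """Derive the SID of NT SERVICE\\<service_name>.

    Windows builds it as S-1-5-80- followed by the SHA-1 of the upper-cased
    service name (UTF-16LE), read as five little-endian 32-bit integers, so
    it can be computed before the service is installed (cf. sc.exe showsid).
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(x) for x in struct.unpack("<5I", digest))

def parse_privilege_rights(inf_text: str) -> dict:
    """Return {right_name: [entries]} from a secedit export's [Privilege Rights]
    section. SIDs are written with a leading '*', account names without."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights

def missing_bridge_accounts(inf_text: str, right: str = "SeServiceLogonRight") -> list:
    """Required accounts not granted `right`, matched by name or by SID.
    A right that is Not Defined is absent from the export: nothing to add."""
    rights = parse_privilege_rights(inf_text)
    if right not in rights:
        return []
    granted = {entry.lstrip("*").lower() for entry in rights[right]}
    missing = []
    for account in REQUIRED_ACCOUNTS:
        service = account.split("\\", 1)[1]
        if account.lower() not in granted and virtual_account_sid(service).lower() not in granted:
            missing.append(account)
    return missing

# Constructed sample: the right is defined and lists NETWORK SERVICE (S-1-5-20)
# and only one of the two Bridge accounts, so the uploader service is missing.
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*{virtual_account_sid('SepBridgeSrv')}
SeNetworkLogonRight = *S-1-1-0
"""

if __name__ == "__main__":
    for acct in missing_bridge_accounts(SAMPLE_INF):
        print("Missing from SeServiceLogonRight:", acct)
```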
<Identifier>{31B2F340-016D-11D2-945F-00C04FB984F9}</Identifier>
<Name>PolicyName</Name>
For more information, see the following Microsoft technical articles: