When enrolling Symantec Endpoint Protection Manager (SEPM) into the cloud portal, the Endpoint Protection Bridge installer automatically adds the required rights to local security policies. If the computer that hosts Endpoint Protection Bridge is a part of a domain, then domain policies override local policies and may cause an error. Normally a detailed message is displayed that describes user rights required by the Symantec virtual service accounts. See Error: Endpoint Protection Manager Bridge Services "require user rights" or "...cannot read the required user rights". If there is no interactive Windows logon session present during the enrollment, then only a generic one-word "Error" will be displayed in Enrollment Installation Status.
During cloud enrollment, the Bridge/Hub is installed. Hub installer does a GPOPolicyReview to make sure the system policy allows Hub virtual service accounts. When SEPM enrolls with cloud it launches Hub installer which runs as local SYSTEM account. After clicking the “Enroll” button in SEPM console, if the user logs out of Windows immediately then Hub installer won’t find an interactive logon session and the gpresult command will fail. This will also occur when cloud enrollment is triggered through SEPM remote web console (and no interactive Windows logon sessions are open on SEPM machine).
This is a limitation of Windows; currently there is no plan to change the SEPM cloud enrollment.
To avoid this issue, do not log out of the session after clicking the Enroll button.