For various security reasons it may be desirable to use Group Managed Service Accounts (gMSA) for Symantec Endpoint Protection (SEP) Manager services instead of the virtual service accounts created during install (e.g. NT SERVICE\semsrv, NT SERVICE\semwebsrv, etc.).
In order to leverage Group Managed Service Accounts for SEP Manager service use, the following requirements must be met:
- Symantec Endpoint Protection Manager installed on Windows Server 2012 or newer
- Windows Server 2012 Domain Controller
Create the KDS root key (if the forest does not already have one) and then create the gMSAs:

Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
New-AdServiceAccount -name <ServiceAccountName> -DNSHostName <fqdn> -PrincipalsAllowedToRetrieveManagedPassword <group>

Replace:
<ServiceAccountName> with semsrv, semwebsrv, semapisrv, SQLANYs_sem5, SepBridgeSrv or SepBridgeUpldr as appropriate, running the command once for each gMSA you wish to create.
<fqdn> with the fully qualified domain name of the SEP Manager server.
<group> with the name of the new security group created in step 1.
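The following script is an added example, not code from the original article or from Broadcom; it carries the two commands above through to the point where each SEP Manager service actually logs on as its gMSA, and adds the checks an administrator would want (existing KDS key, existing account, password retrieval test, final logon-name verification). It assumes the NetBIOS domain name EXAMPLE, the SEP Manager host sepm01.example.local, a security group SEPM-gMSA-Hosts that contains the SEP Manager computer account (the "step 1" group), and that each gMSA carries the same name as the service it will run. The first half runs on a domain controller (or any host with the ActiveDirectory RSAT module), the second half runs elevated on the SEP Manager server.

```powershell
# Added example (not from the original article). Assumed values; replace with your own.
$Domain    = 'EXAMPLE'                 # NetBIOS domain name (assumed)
$SepmFqdn  = 'sepm01.example.local'    # SEP Manager host FQDN (assumed)
$HostGroup = 'SEPM-gMSA-Hosts'         # group containing the SEPM computer account (assumed "step 1" group)
# Service names from the article; the gMSA is assumed to use the same name as its service.
$Services  = 'semsrv','semwebsrv','semapisrv','SQLANYs_sem5','SepBridgeSrv','SepBridgeUpldr'

# ---- Part 1: run on a domain controller (or a host with the ActiveDirectory RSAT module) ----
Import-Module ActiveDirectory

# Create the KDS root key only if the forest has none. Backdating by 10 hours makes the
# key usable immediately; in production prefer -EffectiveImmediately and wait about 10 hours
# for replication before creating any gMSA.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Create one gMSA per SEPM service, skipping any that already exist.
foreach ($name in $Services) {
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$name'")) {
        New-ADServiceAccount -Name $name `
            -DNSHostName $SepmFqdn `
            -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
    }
}

# ---- Part 2: run elevated on the SEP Manager server, after a reboot so its Kerberos ----
# ---- ticket reflects the new group membership                                       ----
Import-Module ActiveDirectory
foreach ($name in $Services) {
    # Cache the managed password on this host and confirm it can be retrieved.
    Install-ADServiceAccount -Identity $name
    if (-not (Test-ADServiceAccount -Identity $name)) {
        throw "gMSA $name cannot retrieve its password here; check $HostGroup membership and reboot."
    }
    # Point the service at the gMSA: logon name is DOMAIN\name$ with an empty password.
    # sc.exe requires the space after 'obj=' and 'password='.
    sc.exe config $name obj= "$Domain\$name`$" password= ""
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for service $name" }
}

# Verify each service now logs on as its gMSA, then restart the services.
$filter = "Name='" + ($Services -join "' OR Name='") + "'"
Get-CimInstance Win32_Service -Filter $filter | Select-Object Name, StartName, State
$Services | ForEach-Object { Restart-Service -Name $_ -Force }
```

Unlike services.msc, sc.exe does not grant the account the "Log on as a service" right; if a service fails to start after the change, grant that right to each gMSA (via Local Security Policy or Group Policy) and restart the service. The StartName column of the final listing should read EXAMPLE\semsrv$ and so on; a service still showing NT SERVICE\semsrv has not been reassigned.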
NOTE: If the SEP Manager is reinstalled or upgraded, the virtual service accounts will be restored. You will need to repeat the steps to assign the gMSAs to each SEP Manager service after the upgrade or install.