When upgrading SEP from 12.1 RU6 MP3 to 14.0 RU1 MP1, or from any 12.1 version to 14.0, the upgrade rolls back.
Manual and remote deployments also fail, and a fresh unmanaged package fails too.
From SEP_INST.log:
MSI (s) (B0:04) [19:04:01:044]: Invoking remote custom action. DLL:C:\Windows\Installer\MSI314E.tmp, Entrypoint: ShowServiceProgress
ScriptGen: ShowServiceProgress() MSIRUNMODE_SCHEDULED
ScriptGen: ShowServiceProgress() calling WaitForSingleObject(scriptStarted) ...
ScriptGen: ShowServiceProgress() WaitForSingleObject(scriptStarted) returned WAIT_OBJECT_0
ScriptGen: ShowServiceProgress() script execution failed.
ScriptGen: ShowServiceProgress() reset script failure event.
ScriptGen: ShowServiceProgress() is returning an error (so close to the end!)
CustomAction ShowServiceProgress returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (B0:C8) [19:04:02:650]: User policy value 'DisableRollback' is 0
MSI (s) (B0:C8) [19:04:02:651]: Machine policy value 'DisableRollback' is 0
Action ended 19:04:02: InstallFinalize. Return value 3.
SIS_INST.log shows an Access Denied error when creating a folder in C:\ProgramData:
2018-05-14T13:34:02.072Z INFO I SIS Executing action ( 22 ) - CopyFile currentPosition: 7338
2018-05-14T13:34:02.072Z INFO I SIS CopyFile Action - C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Bin\FwsVpn.dll -> C:\Windows\system32\FwsVpn.dll
2018-05-14T13:34:02.088Z INFO I SIS CopyFile: target is a file.
2018-05-14T13:34:02.090Z DEBUG I SIS DeleteFileAction: target exists, using CopyFile action to save it to temp area: C:\Windows\system32\FwsVpn.dll
2018-05-14T13:34:02.090Z INFO I SIS CopyFile Action - C:\Windows\system32\FwsVpn.dll -> C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\TransactedTemp\Folder1\file5
2018-05-14T13:34:02.090Z ERROR I SIS openImpl Failed to create file. [\??\C:\ProgramData] Status: 0xC0000022 = {Access Denied} A process has requested access to an object, but has not been granted those access rights.
2018-05-14T13:34:02.091Z ERROR I SIS openImpl Failed to create file. [\??\C:\ProgramData] Status: 0xC0000022 = {Access Denied} A process has requested access to an object, but has not been granted those access rights.
2018-05-14T13:34:02.091Z ERROR I SIS Createfolder: failed to create folder. 0xC0000022
2018-05-14T13:34:02.091Z ERROR I SIS [C:\ProgramData]
2018-05-14T13:34:02.091Z ERROR I SIS Copyfile: createfolder failed.
2018-05-14T13:34:02.091Z ERROR I SIS Copyfile: deletefile failed.
2018-05-14T13:34:02.091Z ERROR I SIS
2018-05-14T13:34:02.091Z ERROR I SIS Dumping action parameters from the script:
2018-05-14T13:34:02.091Z ERROR I SIS SrcPath=[C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Bin\FwsVpn.dll]
2018-05-14T13:34:02.091Z ERROR I SIS DestPath=[C:\Windows\system32\FwsVpn.dll]
2018-05-14T13:34:02.091Z ERROR I SIS SkipWhenMissing=[true]
2018-05-14T13:34:02.091Z INFO I SIS ExecuteScript() - Successfully set failure event.
2018-05-14T13:34:02.093Z INFO I SIS ExecuteScript() returning ACTION_FAILED_WITH_ROLLBACK
2018-05-14T13:34:02.093Z INFO I SIS
2018-05-14T13:34:02.093Z INFO I SIS script completed with status: ACTION_FAILED_WITH_ROLLBACK
2018-05-14T13:34:02.097Z INFO r SIS TransitionToEnteringRollbackScript() - success
2018-05-14T13:34:02.097Z INFO r SIS
2018-05-14T13:34:02.098Z INFO r SIS starting execution of script: C:\Program Files\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Scripts\startrollback.sis
2018-05-14T13:34:02.098Z INFO r SIS
2018-05-14T13:34:02.098Z INFO r SIS Executing action ( 23 ) - ShowInstallMessage currentPosition: 2
2018-05-14T13:34:02.098Z INFO r SIS [ShowInstallMessage] message = [Rolling back install]
Evidence from procmon.
>>ccsvchst.exe failed to open C:\ProgramData.
7:04:01.9445046 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:01.9553233 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:01.9615583 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:01.9617910 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:01.9933961 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:01.9936260 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:02.0628275 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:02.0630725 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:02.0839558 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:02.0841938 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
>>CMD.exe also tried to access C:\ProgramData once and failed with access denied.
7:05:54.4701220 PM cmd.exe 5712 1200 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open
CMD.exe was launched by OcsService.exe (OCS Inventory NG Service).
Both of these executables run as NT AUTHORITY\SYSTEM, yet they cannot access this one folder. Other folders are accessible to them.
ccSvcHst.exe can always access subfolders and files within C:\ProgramData:
7:04:01.9573633 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Data\Config\serdef.dat SUCCESS Desired Access: Read Attributes
MsiExec can always access C:\ProgramData:
7:05:37.7679448 PM msiexec.exe 2736 7368 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open
Setup.exe can access C:\ProgramData:
7:01:44.1451701 PM Setup.exe 7768 6080 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open
EFAInst.exe can access C:\ProgramData:
7:02:12.8338322 PM EFAInst.exe 6856 7344 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open
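
The per-process comparison made above from the procmon capture, as an added example that is not part of the original article: it parses lines in the text layout quoted here and separates processes by outcome on C:\ProgramData itself versus paths beneath it. The function names and the sample subset are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Process Monitor lines quoted above.
SAMPLE = r"""
7:04:01.9445046 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Attributes, Synchronize, Disposition: Open
7:04:01.9553233 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Write Attributes, Synchronize, Disposition: OpenIf
7:04:01.9573633 PM ccSvcHst.exe 7796 5164 IRP_MJ_CREATE C:\ProgramData\Symantec\Symantec Endpoint Protection\14.0.3876.1100.105\Data\Config\serdef.dat SUCCESS Desired Access: Read Attributes
7:05:54.4701220 PM cmd.exe 5712 1200 IRP_MJ_CREATE C:\ProgramData ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open
7:05:37.7679448 PM msiexec.exe 2736 7368 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open
7:01:44.1451701 PM Setup.exe 7768 6080 IRP_MJ_CREATE C:\ProgramData SUCCESS Desired Access: Read Attributes, Disposition: Open
"""

# time, process, PID, TID, operation, path (may contain spaces), result, detail
LINE = re.compile(
    r"^(?P<time>\d+:\d+:\d+\.\d+ [AP]M) (?P<proc>\S+) (?P<pid>\d+) (?P<tid>\d+) "
    r"(?P<op>\S+) (?P<path>.+?) (?P<result>SUCCESS|ACCESS DENIED)(?: (?P<detail>.*))?$")

def parse(text):
    """Yield one dict per recognisable procmon line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(text, folder):
    """Split processes by outcome when opening `folder` itself, and list
    processes denied on the folder that still opened something beneath it."""
    key = folder.rstrip("\\").lower()
    denied, allowed, below_ok = defaultdict(int), defaultdict(int), set()
    for ev in parse(text):
        path, proc = ev["path"].rstrip("\\").lower(), ev["proc"].lower()
        if path == key:
            (allowed if ev["result"] == "SUCCESS" else denied)[proc] += 1
        elif path.startswith(key + "\\") and ev["result"] == "SUCCESS":
            below_ok.add(proc)
    return {
        "denied": dict(denied),
        "allowed": dict(allowed),
        "denied_but_children_ok": sorted(below_ok & set(denied)),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, r"C:\ProgramData"))
```

A non-empty `denied_but_children_ok` list reproduces the pattern described above: the process is refused on the folder object itself while paths below it still open.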