When logged into a Windows client, if the logged in username or the client's preferred group include one or more special characers, a newly installed Symantec Endpoint Protection (SEP) 14.2 or 14.2 MP1 client will fail to register with the Endpoint Protection Manager (SEPM). 

SEPM
ersecreg.log:
02/15 09:41:00 [2044:4284] 5 Server returned: 500 Internal Server Error
02/15 09:41:00 [2044:4284] 10.7.185.104<AgentInfo PreferredMode="1" DomainID="5D935ABEC0A8020C6C2A26FDE80863F5" AgentType="105" AgentID="E4275F600A07B9674B32A3E6D900D140" HardwareKey="55F69D950958E7B939753E0E4528EA3B" UserDomain="testnet.work" LoginUser="e%26omanager" ComputerDomain="testnet.work" ComputerName="sepm" PreferredGroup="My%20Company%5CServers" SiteDomainName="" AgentPlatform="Windows%20Server%202012%20R2"/>--FAILED

SEP client
cve.log:
[2019-Feb-14 16:50:11.723127] [WARN ] Failed to connect to server sepm.testnet.work. InternalServerException

cve-actions.log:
[2019-Feb-14 16:50:11.721115] E4275F600A07B9674B32A3E6D900D140    500    0    [-Registration]    2019-Feb-14 16:50:09.830408    2019-Feb-14 16:50:11.721115    1890    90032

Windows user account or the client group includes the & character. 
 

The SEPM does not allow certain characters, such as "&" in a group name.  Normally, the SEPM UI will block a group from being created with an invalid character.

In cases where AD import is utilized for groups, it is possible that an invalid character such as "&" may be imported, and cause this issue.

SEPM presently does not have a validation mechanism for non-supported characters imported via Active Directory Import.

{FIXED_DOWNLOAD_LATEST_SEP.EN_US}

As a workaround, ensure that the Windows username or SEP client group do not include special characters. 

Rename the group in Active Directory, such that it is not using the '&' or other unsupported characters.

Synchronize the group in SEPM: Right Click the group name > Sync now