Failed to initialize agent storage: Access is denied (0x00000005)


Article ID: 197078


Updated On:


Management Platform (Formerly known as Notification Server)


The customer noticed that the Symantec Management Agent service was stopping and restarting randomly after a recent Agent upgrade. 

The agent logs shows entries like these ones:

Entry 1:

Security of 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' was adjusted
Date: 11/08/2020 15:15:05, Tick Count: 427836687 (4.22:50:36.6870000), Size: 311 B
Process: AeXNSAgent.exe (12876), Thread ID: 12264, Module: AeXAgentExt.dll
Priority: 4, Source: AgentStorage

Entry 2:

Failed to initialize agent storage: Access is denied (0x00000005)
Date: 11/08/2020 15:15:05, Tick Count: 427836703 (4.22:50:36.7030000), Size: 294 B
Process: AeXNSAgent.exe (12876), Thread ID: 12264, Module: AeXNSAgent.exe
Priority: 1, Source: Agent

Entry 3:

Unable to preprocess received client status data.

DecryptData failure. Error 5
   [System.Runtime.InteropServices.COMException @ Altiris.TaskManagement.Common]
   at Symantec.NSAgent.AgentStorage.DecryptData(Byte[] encryptedData, UInt32 flags)
   at Altiris.TaskManagement.Common.ClientTask.Communication.NsIdentityContext.EnsureExecutedAsLocalSystemIdentity[TResult](Func`1 fn, ThrottledLogAction`2 logAction)
   at Altiris.ClientTask.Server.ClientTaskServer.PreProcessClientStatusXml(Boolean encrypted, String statusXml, Guid secretGuid)

COM Exception errcode: 0x5


Another symptom was that the Symantec Management Agent UI is not loading when trying to use AeXAgentActivate.exe:

Failed to start the session or activate the object '{FF1B80EC-257A-4DF9-8712-74150E4ADB2A}' in session 1, COM error: Cannot get the session manager, agent is initializing (0x80070005)
Date: 11/08/2020 15:09:07, Tick Count: 427478625 (4.22:44:38.6250000), Size: 435 B
Process: AeXAgentActivate.exe (12608), Thread ID: 15004, Module: AeXAgentActivate.exe
Priority: 1, Source: AeXAgentActivate


In this particular scenario, the client machine had a Windows error that caused a blue screen before they started noticing this issue.

After further review, it was found that the Altiris Service Account did not have needed permissions under the folder "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys".


ITMS 8.1, 8.5


Follow below steps:

  1. Browse to the following location: 
  2. Right-click on 'MachineKeys' directory and select Properties.
  3. Select Security.
  4. Click Edit.
  5. Select Add.
  6. Add the Application Identity/Altiris Agent service Account name.
  7. Click on Check Names and click OK.
  8. Assign, at minimum, the following:
    • Modify
    • Read & Execute
    • List folder contents
    •  Read
    • Write
  9. Click Apply and select Continue and click OK.

NOTE: After hitting apply, "Access Denied" errors may appear on as many as 5 subdirectories. This is normal in many situations, click accept.

After running the steps above, you may need to restart the client machine to make sure the changes done to the MachineKeys directory takes effect.


In case that the steps above didn't help, check the Windows Application Event Log. In some rare situations, an anti-virus may be blocking the access for the AeXNSAgent.exe to the MachineKeys folder.