SEPM login fails with Unexpected Server Error, and the SQL Server (SQLEXPRESSSYMC) service is not started. The issue was not present before rebooting.

This Windows System Event Log shows Event ID 7000:

"The MSSQL$SQLEXPRESSSYMC service failed to start due to the following error: 
The operation completed successfully. (0x0000042D)"

and Event ID 7041:

"The MSSQL$SQLEXPRESSSYMC service was unable to log on as NT Service\MSSQL$SQLEXPRESSSYMC with the currently configured password due to the following error: 
Logon failure: the user has not been granted the requested logon type at this computer.
 
Service: MSSQL$SQLEXPRESSSYMC 
Domain and account: NT Service\MSSQL$SQLEXPRESSSYMC
 
This service account does not have the required user right ""Log on as a service.""
...

The applied GPO defines allowed users for the user right "Log on as a service.". When the service is first installed it is automatically granted this right, but a group policy update overrides the local settings. This change would not affect already running services, but after reboot they may no longer start.

Use the following steps to resolve the issue.

• Using the Group Policy Management Console as a domain admin, from the SEPM server:
  • Update the existing GPO applied to the SEPM, and add the following user:
    NT Service\MSSQL$SQLEXPRESSSYMC
• Force a group policy update on the SEPM, then confirm the changes were applied
  (gpresult /v, or gpedit.msc allow inspection of the applied policy).
• Start the SQL (SQLEXPRESSSYMC) service
• Start or restart the Symantec Endpoint Protection Launcher service, and its dependencies, as well as the Symantec Endpoint Protection Manager Webserver service

Settings may have previously been applied per Error: "Failed to connect to the server" or "Error 1069" after upgrade of manager (broadcom.com), however 14.3 RU1 and newer no longer use SQLAnywhere, therefore a new account must be added to existing GPOs.