Video Screencast Help

Unable to deploy from SEPM 11.0.6 to Win7 machines

Created: 14 Jul 2013 • Updated: 15 Jul 2013 | 8 comments

I'm sure this is an issue with group policy in this environment; however I have been unable to track this down over the last week.

This is the first Symantec Endpoint Protection Manager installed in this environment. Domain & Forest functionality level is Windows Server 2003. So far, all of the desktops have been using SEP as an unmanaged client. There is a GPO that disables Windows Firewall, however most all of the desktops have a full installation of SEP (either 11.0.5 or 11.0.6) with firewall installed.

I've tried manually disabling SEP and that hasn't made any effect on the failure below. In fact on new systems with no antivirus installed, the same errors occur on those systems. The OS is always Windows 7 Enterprise 64-bit. Doesn't matter if I'm doing this on a VM or real hardware; the problem is always the same - which is leading me to believe it's a GPO somewhere. The SEPM server is joined to the same domain as the clients (i.e. single domain & forest).

NT AUTHORITY\NETWORK SERVICE has the following privileges in AD: Adjust memory quotas for a process, generate security audits, log on as a service, replace a process level token.

The process to reproduce the error: Go to Find Unmanaged Computers, and specify a valid computer & domain admin account, the target computer is properly found. I choose the 11.0.6100.645 package for Win64bit (target systems are all Windows 7 Enterprise 64-bit, all in the same Desktops OU in AD) & select features "Only Antivirus and Antispyware", then Start Installation.

The progress bar opens and takes a minute or two, then ultimately comes back with "Failed" deployment status. On every desktop I see no problems in the event log under applications or system; however under security I find two series of failure audits, both sets have the same sequence of errors:

Log Name: Security
Source: Microsoft Windows security
Event ID: 4776
Level: Information
User: N/A
OpCode: Info
Logged: 10/1/2010 11:09:59 AM
Task Category: Credential Validation
Keywords: Audit Failure

General Tab

The computer attempted to validate the credentials for an account.

Source Workstation: ACSEM01
Error Code: 0xc0000064

Log Name: Security
Source: Microsoft Windows security
Event ID: 4625
Level: Information
User: N/A
OpCode: Info
Logged: 10/1/2010 11:09:59 AM
Task Category: Logon
Keywords: Audit Failure

General Tab
An account failed to log on.

Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Domain: ACSEM01

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: ACSEM01
Source Network Address:
Source Port: 49514

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Operating Systems:

Comments 8 CommentsJump to latest comment

pete_4u2002's picture

can you post the install log file? this is located under %temp% folder and filename will be sep_inst.log

have you disabled UAC?

have you tried installing SEP 11 ru7 ?

Ambesh_444's picture


Windows Vista, Windows Server 2008, and Windows 7 contain a firewall that is enabled by default. If the firewall is enabled, you might not be able to install client software remotely from Symantec Endpoint Protection Manager console and other remote installation tools. You must configure Windows Firewall to allow components to communicate with each other. You must configure Windows Firewall before you install client software. You can also temporarily disable Windows Firewall on your clients before you deploy the client software.

You must configure Windows Firewall to allow file and printer sharing before you install client software on Windows Vista, Windows Server 2008, and Windows 7.

Client installation automatically modifies Windows Firewall during installation on Window Vista to allow specific processes access to your network and the Internet. You are not required to make any further modifications.

Thank& Regards,


"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Brɨan's picture

SEP_INST.log file should show what is going on.

Can you upgrade to the latest version of 11.x? (RU7 MP3)

If you can't, review the guide for deploying SEP 11.x to remote PCs:

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

ON the server where SEPM is installed

Open services.msc

navigate to Symatnec endpoint protection manager service. Whats the account set for Logon? System?

Chetan Savade's picture


Thank you for posting in Symantec community.

Could you post SEP_Inst.log file, file should be present under %temp% file.

Make sure UAC is disabled.

Check this article as well.

Symantec Endpoint Protection installation fails with "CreateProcessAndWait( LUCHECK.EXE ) returned 206" in the installation log

Especially, Fix the %AppData% variable for the SYSTEM account.

Prior to make any changes in the registry take the backup.

Open 'regedit' from a run prompt.
Navigate to HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders.
Make sure that the AppData string is set to:
%USERPROFILE%\Application Data for Windows XP/ Windows Server 2003  or
%USERPROFILE%\AppData\Roaming for Windows Vista/ Windows 7/ Windows Server 2008.
Note: Any other values here that do not have %USERPROFILE% may be incorrect as well and could cause issues.
Start the installation of the SEP client or SEPM
Check the string for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations registry
Delete the PendingFileRenameOperations registry values if there are any.
Above mentioned issues are fixed in the latest releae of SEP, Is there any particular reason not to upgrade to the latest version of SEP?

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

SameerU's picture


Please install the latest version i.e. SEP 12.1.3


Beppe's picture


to those interested on the SEP installation logs:
remember that in SEP 11 a failure in the deployment wizard just means that the package has not been sent to the client, hence no installation attempted, hence no installation logs.

@T0dd001: on a client, run the SymHelp tool to get a pre-installation check and spot what you are missing for remote deployment, however the events you logged are clearly pointing to credential validation issue: (SymHelp)

If you have Windows 7 with SP1, as you should, then you must deploy SEP 11.0.7 or 12.1.3:



AjinBabu's picture


SEP 11 is a very old version, it is recommended to install 12.1.3.