Hello everyone,
**EDITED** - I was directed to run the SymDiag tool using the WPP Reboot scan to hopefully catch this issue happening during logon. I also attached a "clean" log to compare against. Please find SymDiag logs attached below in the zip file.
Our network is currently running mainly Windows 7 computers with about 5 Windows 10 (which do not experience this issue).
Our DC is a virtual server running Server 2008 Standard 32-bit, hosted by a Windows 2012 server.
We have recently upgraded from WebRoot to Symantec, and since installing Symantec (14.0 RU1 MP2) we have had major issues every Weds & Thurs after normal Windows Updates. I should state that we are currently running SEP unmanaged, as our server was apparently set up as 32-bit, and we were unaware of that after our previous managed-service IT company split. So, limping along until we can switch out our servers, we have been dealing with all the pop-ups every time something changes.
The main issue, though, is that after our computers install updates and are logging in again, they just sit and spin at the welcome screen for anywhere from 2-10 minutes; usually at least 5 minutes! It is not finalizing updates or anything (at least it doesn't show that on the screen, just the welcome screen and the blue spinning circle). Once it is finally done loading, the computer shows a black screen with the SEP pop-up stating that Local Security Authority (lsass.exe) has changed, blah blah blah. This is always the routine, and even adding "lsass.exe" to the security exceptions did not help.
I've read about all sorts of "hotfixes" for Windows and such, but I am very skeptical about installing any of them, as it seems to be a SEP issue rather than a standalone Windows issue. Has anyone experienced this, or have any ideas to test?
P.S. - I have tried a suggested hotfix for SEP 14.X that says to disable the popups on unmanaged clients, and to disable and then re-enable network monitoring, and I have had the same problems with that hotfix: the SEP pop-ups change to Windows Notifications that are constant (1-2x per minute), saying that svchost.exe and a few other things are trying to access the internet. So we uninstalled SEP and reinstalled to get back to our normal SEP popup issue, as they are a lot less frequent. Worth noting that we did not leave SEP running with the hotfix long enough to see if that remedied our lsass.exe issue; it was too much to deal with multiple notifications every minute of the day, very interruptive for our typists / data entry positions.