I'm sure this is an issue with group policy in this environment; however, I have been unable to track this down over the last week.
This is the first Symantec Endpoint Protection Manager installed in this environment. Domain & Forest functionality level is Windows Server 2003. So far, all of the desktops have been using SEP as an unmanaged client. There is a GPO that disables Windows Firewall; however, most all of the desktops have a full installation of SEP (either 11.0.5 or 11.0.6) with firewall installed.
I've tried manually disabling SEP and that hasn't had any effect on the failure below. In fact, on new systems with no antivirus installed, the same errors occur on those systems. The OS is always Windows 7 Enterprise 64-bit. Doesn't matter if I'm doing this on a VM or real hardware; the problem is always the same, which is leading me to believe it's a GPO somewhere. The SEPM server is joined to the same domain as the clients (i.e. single domain & forest).
NT AUTHORITY\NETWORK SERVICE has the following privileges in AD: Adjust memory quotas for a process, generate security audits, log on as a service, replace a process level token.
The process to reproduce the error: Go to Find Unmanaged Computers and specify a valid computer & domain admin account; the target computer is properly found. I choose the 11.0.6100.645 package for Win64bit (target systems are all Windows 7 Enterprise 64-bit, all in the same Desktops OU in AD) & select features "Only Antivirus and Antispyware", then Start Installation.
The progress bar opens and takes a minute or two, then ultimately comes back with "Failed" deployment status. On every desktop I see no problems in the event log under Application or System; however, under Security I find two series of failure audits. Both sets have the same sequence of errors:
Log Name: Security
Source: Microsoft Windows security
Event ID: 4776
Level: Information
User: N/A
OpCode: Info
Logged: 10/1/2010 11:09:59 AM
Task Category: Credential Validation
Keywords: Audit Failure
Computer: xxx.xxx.corp
General Tab
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: NT AUTHORITY\NETWORK SERVICE
Source Workstation: ACSEM01
Error Code: 0xc0000064
Log Name: Security
Source: Microsoft Windows security
Event ID: 4625
Level: Information
User: N/A
OpCode: Info
Logged: 10/1/2010 11:09:59 AM
Task Category: Logon
Keywords: Audit Failure
Computer: xxx.xxx.corp
General Tab
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: NT AUTHORITY\NETWORK SERVICE
Account Domain: ACSEM01
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: ACSEM01
Source Network Address: 10.18.10.248
Source Port: 49514
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
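
As an added example (not part of the original post): a small Python parser for the 4625 event text quoted above. It keeps the section headers so the two "Account Name" fields stay distinct, and decodes the Status, Sub Status and Logon Type values. The sample is constructed from fields in the post; the NTSTATUS and logon-type tables are standard Windows values, and the function names are hypothetical.

```python
import re

# Standard NTSTATUS values commonly seen in 4625/4776 failure audits.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (generic bad user name or password)",
    0xC0000064: "STATUS_NO_SUCH_USER (account name does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD (account exists, password wrong)",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}

# Constructed sample: a subset of the fields from the 4625 event in the post.
SAMPLE_4625 = r"""Subject:
Account Name: -
Logon Type: 3
Account For Which Logon Failed:
Account Name: NT AUTHORITY\NETWORK SERVICE
Account Domain: ACSEM01
Failure Information:
Status: 0xc000006d
Sub Status: 0xc0000064
Network Information:
Source Network Address: 10.18.10.248
"""

def parse_event(text):
    """Return {(section, key): value}; a 'Name:' line with no value opens a section."""
    fields, section = {}, ""
    for line in text.splitlines():
        m = re.match(r"([^:]+):\s*(.*)$", line.strip())
        if not m:
            continue  # free-text description lines carry no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if not value:
            section = key
        else:
            fields[(section, key)] = value
    return fields

def triage(fields):
    """Summarise who failed to log on, from where, and why."""
    def find(key, section=None):
        return next((v for (s, k), v in fields.items()
                     if k == key and section in (None, s)), None)
    status, sub = int(find("Status"), 16), int(find("Sub Status"), 16)
    return {"account": find("Account Name", "Account For Which Logon Failed"),
            "source": find("Source Network Address"),
            "logon_type": LOGON_TYPES.get(int(find("Logon Type")), "Other"),
            "status": NTSTATUS.get(status, hex(status)),
            "sub_status": NTSTATUS.get(sub, hex(sub))}
```
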