FEP 2010 with ConfigMgr Integration: Computers are no longer accessible remotely

January 31, 2011 at 1:25 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, FE, FEP, FEP2010, Installation, R3, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2 by Kenny Buntinx [MVP]

Hi,

While slowly migrating a customer from Symantec Endpoint Protection to FEP 2010, we encountered the following issue:

After the FEP client has been installed, the computer is no longer remotely accessible, even with RC.exe from System Center Configuration Manager.

Problem Description: In some cases, after the FEP client has been installed, the computer is no longer remotely accessible using any form of remote control utility or Computer Management tools, including but not limited to Windows Computer Management, the ConfigMgr Remote Control utility, DameWare and VNC. The cause was found to be that the Windows Firewall/ICS service cannot be started. When an attempt is made to start the service, the resulting error is: Error 0x80004015: The class is configured to run as a security id different from the caller.

Possible solutions (I say possible because it was linked to our environment):

  • This appears to be the same error as reported in MS Support Article ID 892199, applicable to Windows XP SP2. The FEP client, however, is only installed on XP SP3 machines. When we applied method 1 of the support article on the conflicting machine, the issue was resolved and the machine was remotely accessible again. However, we were not convinced and dug deeper into it.

 

  • I went with the default descriptor D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

The Authenticated Users group only gets read permissions, not start/stop permissions as I feared, so I’m fine with that. I just left out the Power Users group as it’s not used in our environment.

It is imperative that you test this on one or two systems before rolling it out, and make sure it works well in your environment. I used this KB to identify Local Service and Network Service: http://support.microsoft.com/kb/243330
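
To check a descriptor like the one above before rolling it out, the following added example (not part of the original post) decodes each ACE using the service-object meaning of the SDDL right codes and reports which trustees can start, stop, reconfigure or re-permission the service. The function names and the `SENSITIVE` grouping are choices made for this example.

```python
import re

# Two-letter SDDL rights as they apply to a Windows service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "AU": "Authenticated Users", "PU": "Power Users",
            "LS": "Local Service", "NS": "Network Service"}
# Grouping chosen for this example: rights that change state or security.
SENSITIVE = {"SERVICE_START", "SERVICE_STOP", "SERVICE_PAUSE_CONTINUE",
             "SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [rights])] for the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in descriptor")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        codes = re.findall("..", rights)
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError("unknown rights string: " + rights)
        aces.append((ace_type, sid, [SERVICE_RIGHTS[c] for c in codes]))
    return aces

def sensitive_rights(sddl):
    """Map each allowed trustee to the state-changing rights it holds."""
    out = {}
    for ace_type, sid, rights in parse_dacl(sddl):
        if ace_type == "A":
            out.setdefault(sid, set()).update(SENSITIVE.intersection(rights))
    return out

def drop_trustee(sddl, sid):
    """Return the descriptor without any ACE whose trustee is `sid`."""
    return re.sub(r"\([^)]*;%s\)" % re.escape(sid), "", sddl)

# The default descriptor quoted in the post.
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
```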

     

    Hope it helps,

    Kenny Buntinx
