Issue

The upgrade from Exchange 2019 CU 10 to Exchange 2019 CU 11 failed with the error below, which contains multiple SeSecurityPrivilege entries.

[01/09/2022 08:23:30.0446] [2] Active Directory session settings for 'Set-LocalPermissions' are: View Entire Forest: 'True', Configuration Domain Controller: 'dct01.learntechfuture.com', Preferred Global Catalog: 'DCT01.learntechfuture.com', Preferred Domain Controllers: '{ DCT91.learntechfuture.com }'
[01/09/2022 08:23:30.0446] [2] User specified parameters: 
[01/09/2022 08:23:30.0446] [2] Beginning processing Set-LocalPermissions
[01/09/2022 08:23:30.0464] [2] [ERROR] The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
[01/09/2022 08:23:30.0474] [2] [ERROR] The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
[01/09/2022 08:23:30.0481] [2] Ending processing Set-LocalPermissions
[01/09/2022 08:23:30.0486] [1] The following 1 error(s) occurred during task execution:
[01/09/2022 08:23:30.0486] [1] 0.  ErrorRecord: The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
[01/09/2022 08:23:30.0487] [1] 0.  ErrorRecord: System.Security.AccessControl.PrivilegeNotHeldException: The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.Deployment.SetLocalPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)
[01/09/2022 08:23:30.0488] [1] [ERROR] The following error was generated when "$error.Clear(); 
          if ($RoleIsDatacenter -eq $true)
          {
            # CommonPermissionSet in LocalPermissions.xml has not changed since 2007
            # directory permission does not change in BuildToBuild mode, skipping it in Datacenter is fine.
            Write-ExchangeSetupLog -Info "Skip Set-LocalPermissions"
          }
          else
          {
            Set-LocalPermissions
          }
        " was run: "System.Security.AccessControl.PrivilegeNotHeldException: The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.Deployment.SetLocalPermissions.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
[01/09/2022 08:23:30.0488] [1] [ERROR] The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.


[01/09/2022 08:23:30.0488] [1] [ERROR-REFERENCE] Id=AllRolesCommonFirst_RunOnce___00573a17b6e34c26842a6646830d57fa Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[01/09/2022 08:23:30.0488] [1] Setup is stopping now because of one or more critical errors.
[01/09/2022 08:23:30.0488] [1] Finished executing component tasks.
[01/09/2022 08:23:30.0518] [1] Ending processing Install-AdminToolsRole
[01/09/2022 08:24:01.0824] [0] CurrentResult setupbase.maincore:396: 0
[01/09/2022 08:24:01.0826] [0] End of Setup
[01/09/2022 08:24:01.0826] [0] **********************************************

Cause

This version requires the installing account to have the Manage auditing and security log permission. Looking up the SeSecurityPrivilege value leads to the web page below, which confirms that it corresponds to Manage auditing and security log.

SeSecurityPrivilege – Manage auditing and security log

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672

Fix

Modified the GPO to include the user installing the CU. After running gpupdate /force, re-running the job fixed the problem and the installation succeeded.
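
A pre-flight check for the condition described above, added here as an example (it is not part of Exchange setup or of the original post): it reports whether the current account's token holds SeSecurityPrivilege and which principals the effective local policy grants it to. It assumes an elevated PowerShell session under the account that will run the CU; the scratch file names are arbitrary.

```powershell
# Added example: verify SeSecurityPrivilege before re-running Exchange setup.
# Run elevated, as the account that will install the CU.

# 1. Is the privilege in the current token? Enabled or Disabled both count as held.
$inToken = [bool](whoami /priv | Select-String -SimpleMatch 'SeSecurityPrivilege')

# 2. Which principals does the effective local security policy grant it to?
$inf = Join-Path $env:TEMP 'user-rights.inf'      # scratch file, arbitrary name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

$granted = @()
if ($line) {
    $granted = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve to a name where possible
            $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }
        }
        else { $entry }
    }
}

[pscustomobject]@{
    Account         = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    HeldInToken     = $inToken
    GrantedByPolicy = $granted -join '; '
}

# 3. To see which GPO supplies the setting, generate a report and look under
#    Computer Configuration > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment > Manage auditing and security log.
gpresult /h (Join-Path $env:TEMP 'gpresult.html') /f
```

If GrantedByPolicy lists the account (or a group it belongs to) but HeldInToken is still False, sign out and back in, because privileges are placed in the access token at logon.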