Symantec Endpoint Protection Manager 12.1 Password Reset

UPDATE: SEPM 12.1.5 and higher

A few kind people reported that this doesn’t seem to work with 12.1.5. I have tested the script with 12.1.6 and it still works however you might need to set the JRE_HOME system variable first.

To do this:

  1. Navigate to the “Advanced System Settings” section of the Control Panel.
  2. In the “System variables” section of the Environment Variables window that opens, ensure that the JRE_HOME environment variables are pointed at the following location:  C:\Program Files\Java\jre<version>
  3. Click OK and Apply to close the System Properties Window.

You can check it worked if you try going to %JRE_HOME% and end up in the folder you’ve just set.

If you run into any problems do comment below.

UPDATE: Download the script from here:

I’ve spent some time today trying to reset the admin account for Symantec Endpoint Protection Manager. In earlier versions you could use resetpass.bat file as detailed in However for greater security Symantec haven’t included this utility in version 12.1. Instead you can use the Forgotten Password link on the logon screen. The main problem is that if you haven’t set up email server settings in the Manager console previously this won’t be any help to you.

Quite a few forum posts suggest logging a support case with Symantec to obtain a new version of the resetpass.bat file but I couldn’t find anybody actually offering this up for download so I thought I’d share the love and save other people logging support calls:

@echo off

set CATALINA_HOME=%CD%..\tomcat
set JRE_HOME=%CD%..\jre

“%JRE_HOME%\bin\java.exe” -Xms64m -Xmx256m -XX:MinHeapFreeRatio=30 -XX:MaxHeapFreeRatio=40 -classpath “%CD%..\bin\inst.jar;%CD%..\bin\inst-res.jar” -Dcatalina.home=”%CATALINA_HOME%” -Djava.library.path=”%CATALINA_HOME%\bin;%CATALINA_HOME%..\ASA\win32″ setpassword admin admin

You can download the file here: resetpass.bat or just copy and paste into notepad and save as resetpass.bat in \Program Files\Symantec\Symantec Endpoint Protection Manager\Tools folder

You will need to run this from command prompt with admin priviledges and your admin login will be set to:

username: admin
password: admin


51 thoughts on “Symantec Endpoint Protection Manager 12.1 Password Reset

  1. didnt work for me 😦
    When i tried to save it as a batch it said something about unicode vs asci
    when I ran it it didnt run right…

    • The copy and paste can be a pain with batch files. I think the formatting adds some funky characters at the beginning of each line. You could always try typing it in which should definitely work but will be a bit painful.

  2. Folks, the pasted resetpass.cmd content in the blog post isn’t working because the trailing backslash is missing after the %CD% variable throughout the script. If you do a search and replace and change all ‘%CD%’ to ‘%CD%\’ then it should work. But I recommend downloading the file instead, as that is correct.

    • Sorry Afiffe, I didn’t manage to replicate your error. Did you get it sorted in the end? Maybe have a look at the latest update on the post to see if it helps even though I suspect your issue may be different.

    • I too tried it on 12.1.5 running on a 2008r2 server, and it doesn’t work.

      I’m not a programmer, but I put pauses into the script to troubleshoot, and the first 2 ‘set directory’ commands work. On the next set of commands where it is defining JRE_HOME and CATALINA_HOME it says the path is not found, or not available, I forget.

      My server is in a secure lab without connection to outside so I have to keep running back and forth. Symantec says I have to save a recovery file and then uninstall/reinstall. If I have to do that, I will, but I’d prefer to just reset the PW.

    • Right I’ve got it to work with 12.1.6 but had to set the system variable for JRE_HOME first. Check out the edit in the article for details and let me know if it does the trick for you.

      • Sorry for the delay, but wanted to come back and give you an update. My install didn’t have a java directory in program files. SEPM must have been using java from it’s own directory (I didn’t do the original install). I had the person who did the original install look at it and he tried to hardcode the script to point to the proper paths, but we never got it running and finally threw up our hands and did a reinstall.

        I did originally open a trouble ticket with Symantec, but their answer was ‘do a reinstall’. I was trying to avoid that, but in the end it wasn’t as painful as I thought, just grab the security key backup directory from the SEPM folder before you start, and during the reinstall it will ask you for the backup file. Once you’re back in SEPM, if any of the clients fail to reconnect you can generate an executable to run on the clients that will point them back to the server.

      • Nice to hear the end of the story Tom even if it didn’t quite work out as planned. I guess the main thing is you’ve got it all back again and as you said the reinstall isn’t too painful. I wonder if installing Java separately on the server would have done the trick. In my case it’s a management server with a lot of different tools so perhaps one of them required Java . I’m sure you’ve configured the smtp server settings already anyway so hopefully won’t need it again.

  3. Had to leave a comment because this was so clutch. Worked on 12.1.5 after creating JRE_HOME variable. Thank you so much!

  4. When I ran the batch file but didn’t get a changed password I looked though the logs at Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\logs and notice a few of the logs were saying it couldn’t find dbjdbc16 or something like that. From the batch I could see that it wanted the dbjdbc16.dll file to be at the -Djava.library.path=”%CATALINA_HOME%\bin;%CATALINA_HOME%\..\ASA\win32 location. it wasn’t there. however I DID see a dbjdbc16.dll file in the win64 folder. I modified that in the resetpwd.bat file and viola. Worked like a champ.

  5. HI This works but you need to edit the %CD% environmental variable because its not correct. I basically removed the %CD% and based on the command figured out where inst.jar and inst-res.jar live.

    This is how my version looks like
    #@echo off

    set CATALINA_HOME=C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat
    set JRE_HOME=C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre

    “%JRE_HOME%\bin\java.exe” -Xms64m -Xmx256m -XX:MinHeapFreeRatio=30 -XX:MaxHeapFreeRatio=40 -classpath “%CATALINA_HOME%\..\bin\inst.jar;%CATALINA_HOME%\..\bin\inst-res.jar” -Dcatalina.home=”%CATALINA_HOME%” -Djava.library.path=”%CATALINA_HOME%\bin;%CATALINA_HOME%\..\ASA\win32″ setpassword admin admin


    After those corrections it worked like a charm.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s