NetBackup 8.X - Windows 2016 - KB4048953 - AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

Test environment:
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
NetBackup 8.X


Error from job details :

Dec 20, 2017 10:15:52 PM - Warning bpbrm (pid=20340) from client test-windows-2016.netbackup.local: WRN - can't open object: System State:\System Files\System Files (WIN32 3758134305: Unknown error)
Dec 20, 2017 10:15:52 PM - Error bpbrm (pid=20340) from client test-windows-2016.netbackup.local: ERR - Error encountered while attempting to get additional files for System State:\

Windows error :
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:Access is denied.

Details :

This problem occurs because VSS System Writer does not have permission to read the NT AUTHORITY\SERVICE (service account). When System Writer runs as a cryptographic service and tries to read the Mslldp.sys information from a Microsoft Link-Layer Discovery Protocol driver, the "access denied" error is generated.

The binary security descriptor for the driver is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security

Microsoft KB - https://support.microsoft.com/en-us/help/3209092/event-id-513-when-running-vss-in-windows-server

This event log entry can be safely ignored. To prevent this entry from being logged, grant the required permission to the Microsoft Link-Layer Discovery Protocol driver (Mslldp.dll) to process System Writer.

To do this, follow these steps:

Open an administrative Command Prompt window, and then run the following command to check the current permissions:
sc sdshow mslldp
Copy the output string from step 1, append it with (A;;CCLCSWLOCRRC;;;SU), and then run the following command to add the access permission to Mslldp.dll:
sc sdset mslldp <string>

For example, run the following command:
sc sdset mslldp D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)