NetWorker: Backup is failing with error: "Unable to perform the ASR backup: Cannot obtain emitter status."
Summary: Backup is failing with error: "Unable to perform the ASR backup: Cannot obtain emitter status." and the error message "Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object." can be found in the Windows Application Event log. ...
Symptoms
Environmental information:
=====================================================================
NW client version: 9.2.1.2.Build.204
Operating system client version: Windows NT Server on Intel
Save set: All
Log snippets:
====================================================================
6684:save: Could not stat \\?\VOLUME{AECB5840-A0DF-11E0-A883-806E6F6E6963}\: No such file or directory
client_name: C:\ level=incr, 246 MB 00:28:10 136 files
Completed savetime=1543528852
90015:save: The backup of VSS emit save set 'C:\' succeeded.
94694:save: The backup of save set 'C:\' succeeded.
101087:save: Cleanup VSS MBS emitter thread: Received cancel signal. Terminating VSS emitter save set \\?\VOLUME{AECB5840-A0DF-11E0-A883-806E6F6E6963}\.
74209:save: Quit signal received.
99123:save: Handling an abort while processing Windows backup.
90097:save: ASR Backup: aborting VSS volume save because Quit flag is set.
99123:save: Handling an abort while processing Windows backup.
90117:save: Unable to perform the ASR backup: cannot obtain the VSS MBS status.
86024:save: Error occured while saving disaster recovery save sets.
+++ Client's Application Event log:
Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 13/12/2018 9:42:39
Event ID: 513
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: client_name.domain.com
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles : BeginFileEnumeration() failed.
System Error:
Access is denied.
.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
<EventID Qualifiers="49154">513</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-12-13T08:42:39.000Z" />
<EventRecordID>8983257</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>client_name.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>
Details:
AddCoreCsiFiles : BeginFileEnumeration() failed.
System Error:
Access is denied.
</Data>
</EventData>
</Event>
Cause
This problem occurs because the VSS System Writer does not have the permission it needs: the MSLLDP driver's security descriptor grants no access to NT AUTHORITY\SERVICE (the service account).
When the System Writer runs under Cryptographic Services and tries to read the Mslldp.sys information for the Microsoft Link-Layer Discovery Protocol driver, the "access denied" error is generated.
Resolution
The configuration registry key of the MSLLDP driver is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp
The binary security descriptor for the record is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsLldp\Security
To fix it, modify the descriptor with SC.EXE and check it with Sysinternals' ACCESSCHK.EXE.
The original security descriptor looked like this:
>accesschk.exe -c mslldp
mslldp
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
RW S-1-5-32-549 <- these are server operators
R NT SERVICE\NlaSvc
No service account is allowed to access the MSLLDP driver.
The security descriptor for the drivers that were processed successfully looked this way:
>accesschk.exe -c mup
mup
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
R NT AUTHORITY\INTERACTIVE
R NT AUTHORITY\SERVICE <- this gives access to services
How to add access rights for NT AUTHORITY\SERVICE to the MSLLDP service:
1. Run: SC sdshow MSLLDP
You get something like the following (the SDDL language is documented on MSDN):
D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
2. Run: SC sdshow MUP
You get:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
3. Take the NT AUTHORITY\SERVICE entry, which is (A;;CCLCSWLOCRRC;;;SU), and add it to the original MSLLDP security descriptor, right before the last S:(AU... group.
4. Apply the new security descriptor to the MSLLDP service:
sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5. Check the result:
>accesschk.exe -c mslldp
mslldp
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
RW S-1-5-32-549
R NT SERVICE\NlaSvc
R NT AUTHORITY\SERVICE
6. Run NetWorker backup and check if it runs fine.
!!! Use the security descriptor from your own machine for the MSLLDP driver, because in some rare cases it is different. Do not copy my SDDL descriptions, and back up the old descriptor just in case !!!
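Steps 1 to 4 and the warning above, as an added PowerShell example (not part of the original article): it reads this machine's own MSLLDP descriptor, saves a backup, inserts the NT AUTHORITY\SERVICE entry before the S: group, and prints the sc sdset command for review instead of applying it. The helper name Add-ServiceAce and the backup file location are assumptions.

```powershell
# Added example, not part of the original article. Run from an elevated prompt.
# Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
$Service    = 'MSLLDP'
$ServiceAce = '(A;;CCLCSWLOCRRC;;;SU)'   # NT AUTHORITY\SERVICE entry from step 3
$BackupFile = Join-Path $env:TEMP "${Service}-sddl-backup.txt"   # assumed location

function Add-ServiceAce {   # hypothetical helper name
    param([string]$Sddl, [string]$Ace)
    if ($Sddl -notmatch '^D:') {
        throw "Unexpected SDDL (no leading D: section): $Sddl"
    }
    # The S: (audit) section is optional; when present it follows the D: section.
    $saclAt = $Sddl.IndexOf('S:', 2, [StringComparison]::Ordinal)
    if ($saclAt -ge 0) {
        $dacl = $Sddl.Substring(0, $saclAt)
        $sacl = $Sddl.Substring($saclAt)
    } else {
        $dacl = $Sddl
        $sacl = ''
    }
    # An allow entry for SU is already there: return the descriptor unchanged.
    if ($dacl -match '\(A;[^)]*;SU\)') { return $Sddl }
    return $dacl + $Ace + $sacl
}

# sc.exe prints a blank line before the descriptor, so keep only the SDDL line.
$current = sc.exe sdshow $Service |
    Where-Object { $_ -match '^D:' } |
    Select-Object -First 1
if (-not $current) {
    throw "Could not read the security descriptor of $Service"
}
$current = $current.Trim()

# Keep the old descriptor so it can be restored with sc.exe sdset.
Set-Content -Path $BackupFile -Value $current

$new = Add-ServiceAce -Sddl $current -Ace $ServiceAce
if ($new -eq $current) {
    Write-Output "$Service already grants access to NT AUTHORITY\SERVICE."
} else {
    Write-Output "Old descriptor saved to $BackupFile"
    Write-Output "Review the new descriptor, then run:"
    Write-Output "sc.exe sdset $Service `"$new`""
}
```

Given the descriptor shown in step 1, Add-ServiceAce returns the descriptor used in step 4. The quotes in the printed command are needed in PowerShell, where unquoted parentheses would be parsed as an expression.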