After a long period without posts, here is a new article on an issue I encountered on SCOM 2019 UR2.
It all starts with a single administration action in the SCOM console: approving agents in the Pending Management view after having patched the management servers. I had to apply 'Update for event log channel in System Center Operations Manager 2019 (KB4601269)' to fix CVE-2021-1728 (System Center Operations Manager Elevation of Privilege Vulnerability).
As you know, approving an agent in the 'pending required update' state means supplying credentials that have administrative rights on the targeted agent and clicking the Update button. This generally runs smoothly.
In my case, the Agent Management task fails with an access denied message, and this generates error event 10607, source Health Service Modules, in the Operations Manager event log:
The Operations Manager Server cannot process the install/uninstall request for computer <Computer Name> due to failure of operating system version verification.
Operation: Agent Install
Install account: <Admin Account>
Error Code: 80070005
Error Description: Access is denied.
Note: the account used for the deployment had been placed in the Protected Users group because of a prioritized recommendation in the Azure AD security assessment: Place privileged users in the Protected Users group. The Protected Users group provides additional security because its members can only authenticate using Kerberos (NTLM, Digest and CredSSP are blocked) and the Kerberos authentication they use is hardened: DES and RC4 are refused, so AES encryption is enforced, and the accounts cannot be delegated.
Are we talking about a SCOM bug here? Not really: the behaviour comes from how the agent deployment works.
- The deployment starts by creating an RPC connection, and this connection does use Kerberos authentication.
- Then it opens an SMB session to the target by IP address, and since connecting by IP address falls back to NTLM by default (Kerberos needs a service principal name tied to a host name), Kerberos is not used at this step. An account that is a member of Protected Users cannot authenticate with NTLM, hence the access denied.
- For non-domain-controller servers, use a domain account that has local administrator rights (and is not a member of Protected Users). That is correct, but in my case the SCOM environment is dedicated to Active Directory servers, and the few non-DC servers are monitored using the Local System account to avoid managing a domain account that has local admin rights...
- For domain controllers, use a Domain Admin account that is allowed to use NTLM, i.e. one that is not a member of Protected Users. If getting such an exception is not an option, a workaround is to deploy the agent update through Group Policy (or a similar software-deployment mechanism), or even manually.
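To confirm that this is really what is happening before asking for an exception, the following PowerShell script is an added example (not part of the original post, not SCOM code) that checks whether the install account is in Protected Users, pulls the 10607 events from the management server, and then reads the target's Security log to show the Kerberos logon of the RPC step next to the refused NTLM logon of the SMB step. The server names 'SCOMMS01' and 'DC01' and the account 'scom-install' are hypothetical placeholders; it assumes the ActiveDirectory module and the right to read the remote event logs.

```powershell
# Added example (not from the original post). Hypothetical names: management
# server 'SCOMMS01', target DC 'DC01', install account 'scom-install'.
param(
    [string]$ManagementServer = 'SCOMMS01',
    [string]$Target           = 'DC01',
    [string]$InstallAccount   = 'scom-install',   # sAMAccountName, without the domain
    [int]$LookbackMinutes     = 60
)

Import-Module ActiveDirectory
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Membership check: a Protected Users member is refused NTLM by the DC,
#    which is exactly what the SMB-by-IP step of the deployment needs.
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.SamAccountName -eq $InstallAccount }
if ($protected) {
    Write-Warning "$InstallAccount is a member of Protected Users: NTLM logons will be refused."
}

# 2. The 10607 events raised on the management server by the failed task.
Get-WinEvent -ComputerName $ManagementServer -FilterHashtable @{
    LogName = 'Operations Manager'; Id = 10607; StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# Helper: named EventData fields of an event record, so we do not rely on
# the positional order of 4624/4625 properties (it differs between OS versions).
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 3. Logon attempts on the target coming from the management server:
#    4624 with AuthenticationPackageName=Kerberos is the RPC connection,
#    4625 with AuthenticationPackageName=NTLM is the SMB session opened by IP
#    address, refused because the account can no longer use NTLM.
$mgmtIps = [System.Net.Dns]::GetHostAddresses($ManagementServer) |
    ForEach-Object { $_.IPAddressToString }

Get-WinEvent -ComputerName $Target -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData -Event $_
        if ($d.TargetUserName -eq $InstallAccount -and $mgmtIps -contains $d.IpAddress) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id            # 4624 = success, 4625 = failure
                LogonType   = $d.LogonType     # 3 = network logon for both steps
                AuthPackage = $d.AuthenticationPackageName
                SourceIp    = $d.IpAddress
                Status      = $d.Status        # only present on 4625
                SubStatus   = $d.SubStatus     # only present on 4625
            }
        }
    } | Format-Table -AutoSize

# 4. The DC-side Protected Users log states the refusal explicitly. It is
#    disabled by default; enable it once on the DC with:
#    wevtutil sl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController /e:true
Get-WinEvent -ComputerName $Target -FilterHashtable @{
    LogName = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'
    StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run it right after clicking Update with the failing account: the expected picture is a successful Kerberos 4624 followed by an NTLM 4625 from the same source IP, and no such failure when the same task is run with an account outside Protected Users. If the NTLM attempt does not show up at all, the problem is somewhere else (firewall, local admin rights, SMB signing) and removing the account from Protected Users will not help.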
This posting is provided "AS IS" with no warranties.