This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 56.00000000000001%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
Hello,
I have a question about SCOM Push Agent install / upgrade.
Have you already try to install SCOM Agent with an account in the group Protected Users ?
When, i check in the log i see one event with NTLMv2 authentication :
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
And with an account member of Protected users the push install agent failed with Access Denied.
Have you any solution for this issue ?
Thanks in advance.
Best Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Well, accounts that are members of Protected Users can't logon using NTLM authentication so that explains the issue (cf. https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group#domain-controller-protections-for-protected-users )
Now the question is "why it using NTLM instead of Kerberos", and that could be for any number of reasons... Maybe the solution to that post could help you : https://social.technet.microsoft.com/Forums/en-US/576a0edc-9a03-4504-b089-47de3a091a20/scom-2016-pushing-agents-without-ntlm-?forum=operationsmanagerdeployment
Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:
In view of this, there is why you will see error on NTLM with access Denied.
You may consider using another user account has administrative privileges on the targeted computers.
Roger
Thanks for your answers, I know when user is in Protected Users can't logon using NTLM.
But My question is why Push SCOM Client using NTLMv2, it's by design ?
The Operations Manager Server cannot process the install/uninstall request for computer ServerName.domain.local due to failure of operating system version verification.
Operation: Agent Install
Install account: Domain\UserName
Error Code: 80070005
Error Description: Access is denied.
Thanks in advance ;)
No, it's not. SCOM uses whatever mechanism is available to open an SMB connection to copy the .msi file and then uses RPC to start the install.
Did you read the old technet forum thread I provided above? It explains this and has a pretty uncommon resolution... maybe you're facing the same issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 71%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
hi all, we have checked on others SCOM environment, same result... Agent Push uses NTLM, not compatible with Protected Users ;)
Have a good Day and thanks Everybody.