We are having Discovery WMI failures following the most recent Microsoft Patches; anyone else experiencing this?

DuaneNMore
Kilo Guru

Last weekend the various Windows teams were pressed to apply the most recent set of Microsoft "Security Patches". Looks like we applied KB4512489 and KB4511872. When we run a discovery, Shazzam finds port 135 (WMI) and 5985 (WinRM) open but then spawns the WMI: Classify probe and we get a

Connection failed to WMI service. Error: Permission denied

This is happening on all of our Windows Servers. 

 

 

1 ACCEPTED SOLUTION

DuaneNMore
Kilo Guru

 

I found that all of the failed Discoveries were associated with MID Servers that got rebooted during the patch cycle, and had the following message in the MID Server Issues table (ecc_agent_issue):

Error encountered when invoking PowerShell, the result from running '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -nologo -noprofile -command "$ver = if (Test-Path Variable:\PSVersionTable) { $PSVersionTable.PSVersion } else { (get-host).Version }; 'full_version:' + $ver.ToString() + ', major_version:' + $ver.Major"' is

Restarted the MID Server service on the offending MID Server; the issue went away and discovery works. I am going to have a couple of my test Windows servers rebooted and see if the problem re-emerges after the reboot. 

The Occam's razor principle of MID Server troubleshooting: "Suppose there exist two explanations for an occurrence. In this case the one that requires the least speculation is usually correct."

Or, in this case, step 1 should be to restart the MID Server service.

 

 


Alberto Consonn
ServiceNow Employee

Hi,

Please refer to the following thread:

https://community.servicenow.com/community?id=community_question&sys_id=31e1073bdb3ebb4413b5fb243996...

In Madrid Patch 5, they created a MID Server property (not documented) called mid.use_legacy_wmi that allows you to revert Windows Discovery back to the way it previously was before the drastic change in Patch 3.

So, you have to upgrade your instance to Madrid (at least Patch 5).

Hope this can help you!

If I have answered your question, please mark my response as correct and/or helpful so that others with the same question in the future can find it quickly and that it gets removed from the Unanswered list.

Thank you

Cheers
Alberto

robertgeen
Tera Guru

Duane,

If you haven't upgraded to Madrid and it's not the issue that Alberto outlined, I know one of my clients had an issue (I wasn't involved with it), and it was a patch that was deployed that turned DCOM negotiation off. You may want to look into that route and whether these updates did that, as it could be the root cause of your issue (they had a similar issue where after one weekend all Windows discovery stopped working, and it was due to a patch the Windows team rolled out).

Andrew Pywell
Giga Contributor

Hi,

Can anyone please give a technical explanation of what the drastic change in Patch 3 actually introduced? Is there an explanation somewhere as to how one is now supposed to perform Windows discovery without reverting to this undocumented parameter? 

Thanks

Andrew

Looks like it's PowerShell vs WMI, Andrew.