08-20-2019 05:41 AM
Last weekend the various Windows teams were pressed to apply the most recent set of Microsoft "Security Patches". Looks like we applied KB4512489 and KB4511872. When we run a Discovery, Shazzam finds ports 135 (WMI) and 5985 (WinRM) open but then spawns the WMI: Classify probe and we get a
Connection failed to WMI service. Error: Permission denied
This is happening on all of our Windows Servers.
08-21-2019 06:16 AM
I found that all of the failed Discoveries were associated with MID Servers that got rebooted during the patch cycle, and had the following message in the MID Server Issues table (ecc_agent_issue):
Error encountered when invoking PowerShell, the result from running '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -nologo -noprofile -command "$ver = if (Test-Path Variable:\PSVersionTable) { $PSVersionTable.PSVersion } else { (get-host).Version }; 'full_version:' + $ver.ToString() + ', major_version:' + $ver.Major"' is
Restarted the MID Server service on the offending MID Server; the issue went away and discovery works. I am going to have a couple of my test Windows servers rebooted and see if the problem re-emerges after the reboot.
The Occam's razor principle of MID Server troubleshooting: "Suppose there exist two explanations for an occurrence. In this case the one that requires the least speculation is usually correct."
Or, in this case, step 1 should be to restart the MID Server service.
08-20-2019 01:05 PM
When one of these security patches turns off a service or changes a protocol, I'd be real nervous about undoing the change. There is, at least sometimes, very good reason for the changes. Often, they are reasons related to security exploits. Do we know whether DCOM negotiation or, especially, mid.use_legacy_wmi would revert to some inherently vulnerable service or protocol? Unless we know positively that the change had nothing to do with security issues, I'd be careful about some of the suggestions on here.
08-21-2019 02:55 PM
One last update. After we found that the MID Server service needed a restart, we decided to test what happens when the server is rebooted. Well, when the server is rebooted, the problem re-emerges and we then have to restart the MID Server service again.
So we are opening a HI on this issue. Likely some kind of timing issue with when the MID Server service is getting started.
08-21-2019 04:12 PM
Thanks for the update and reporting the issue, Duane.