This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 91%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
After we upgraded our Windows SCOM agents from 2019 UR4 to 2022 we started to get some new WMI error messages. These seem to be limited to Windows Clusters where the WMI call is trying to connect to virtual names name space. I updated this workflow to change the remotable property to false and this seemed to clear up the error but why did this work before and not now? Also I am not sure what side affects this property change will have.
Anybody experience this or know what changes in the 2022 agent might have affected these workflows? We are also seeing this on a particular windows service monitor when it tries to collect performance metrics.
I ran a trace on the agent and this is what the logs show
[23]597188.772004::11/15/2022-17:56:41.904 [ModulesWMI] [] [Error] :CWMIConnect::ConnectServerRemote{WMIConnect_cpp170}CoSetProxyBlanket failed DCAM<HOSTNAME.Domain> FQDN, error 0x800706d3(RPC_S_UNKNOWN_AUTHN_SERVICE)
[23]597188.772004::11/15/2022-17:56:41.904 [ModulesWMI] [] [Error] :CWMIAsyncProbe::OnTimerCallback{WMIProbe_cpp243}Attempt 1 to connect to WMI failed - 0x800706d3(RPC_S_UNKNOWN_AUTHN_SERVICE)
[23]597188.772004::11/15/2022-17:56:41.904 [ModulesWMI] [] [Error] :CWMIAsyncProbe::OnTimerCallback{WMIProbe_cpp244}Will retry in 300 seconds
MS Support is pointing to this
https://learn.microsoft.com/en-us/system-center/scom/whats-new-in-om?view=sc-om-2022#removed-dependency-on-localsystem-account
Can anybody elaborate on this? I think this is saying the the Management Servers will default to the Default Action Account Profile settings instead of localsystem in these cases. MS support is saying that this affects the monitored agents as well. But our Default Action Account Profile for the monitored agents shows localsystem.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
WMI is being removed from later builds.
https://learn.microsoft.com/en-us/windows/deployment/planning/windows-10-deprecated-features
--please don't forget to upvote and Accept as answer if the reply is helpful--
Well interesting but I don't think thats the answer. We are seeing these failures on Server 2012/2016/2019 but only after upgrading the SCOM agent to 2022. Local WMI calls seem to be working fine, its just the windows clusters when its calling the cluster names.
Ok, well maybe this one then.
https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/agent-push-installation-error-800706d3
I checked and this service is running.
Hi @Stephen Morrison ,
I think it is important to check in this particualr case if only instances of the "Microsoft Windows Server 2012 R2" class are reporting this? Please check the "Instance name" of all the alerts. What do you see there? can you also please check if everytime the same workkflow (PBC.InPAtient.........) is affected?
Regards,
Stoyan
Its not just this workflow and we see this across 2012/2016/2022 servers.
MS responded back with something plausible this morning that I will look into.
Removed dependency on LocalSystem account
Operations Manager 2022 provides the following changes:
• LocalSystem is no longer used internally instead of the Default Action Account. This was used earlier for APM configuration, Privileged Monitoring Account, RunAs Profile fallback. There was an association created for the Validate Subscription Account RunAs Profile.
Not sure why this is happening suddenly, like you said between 2019UR4 and 2022. Seems not many have the issue.
What are those discoveries targeting, like Windows Computer? Because that might give these event IDs on cluster nodes when they try to access something which doesn't exist there.
The unknown authentication service is a nice one. Assuming your DNS client is running, like the linked article above.
I do not see how the removal of local system dependency on management servers would cause this issue on a cluster instance somewhere else in your network.
I can imagine doing a flush agent cache could help.
I saw somewhere with an older agent an issue regarding authentication which was solved by resetting the winsock catalog (netsh winsock reset) followed by a reboot. I never had to do this though.
There are many discoveries, most are targeting some kind of Windows Computer or Operation system class so they are wide spread.
In most cases I expect that these discoveries return no results, but the change in behavior is the failure to connect to the virtual cluster name.
I agree with the local system dependency change shouldn't be involved here. I don't think the MS tech understood what he was sending me. He was claiming this was also a change to the agent behavior.
I did try to do a flush and this didn't help, the errors came back right away.
I can research the winsock reset and see if that might help.
Microsoft is still investigating but they believe there is a bug in the 2022 Agent.
"There was a new WMI Remote Call method added to the code of the 2022 agent that is having issues when calls are being run against "remote systems" (such as the CNOs) and parsing the authentication method. We have filled a bug this morning with the Product Group"
I will try to remember to post an update if there is a KB released or if they plan to make a change in UR 2.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 41%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVJ%3C/text%3E%3C/svg%3E)
Any update on this. We are having the same issue
So far this is going to be fixed in the UR2 release.
Look like this is going to be fixed in the UR2 release.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 62%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
UR2 is out and it looks like this is still not fixed
I was informed by MS that the fix was pulled from UR2 so that it could be released as it was already behind schedule, Very disappointing.
Still an issue in SCOM 2025
Brandon, is that confirmation or a question?
confirmation, the issue still exists
Disappointing, I see very little on the new feature list for SCOM 2025 and this issue has been open for a long time. Silect is hosting a session on the 26th with MS. I will see if I can get an update.