none
Querying CCM Client SDK as NetworkService account RRS feed

  • Question

  • Hi, 

    TLDR: Is there a way of getting the CCM Client SDK to respond to queries even if the user is not logged in?

    We use a monitoring tool which runs as "nt authority\network service" on each machine. We've been trying to get it to check for currently available maintenance windows. We've got some PowerShell code which works fine when run as our personal users or in the system context:

    $status = invoke-wmimethod -namespace  "ROOT\ccm\ClientSDK" -class "CCM_ServiceWindowManager" -name IsWindowAvailableNow

    When we run as the NetworkService account we were getting WMI permissions errors. When we corrected this using wmimgmt.msc, we got a different and generic access is denied error:

    System.UnauthorizedAccessException
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at System.Management.ManagementObject.InvokeMethod(String methodName, ManagementBaseObject inParameters, InvokeMethodOptions options)
       at Microsoft.PowerShell.Commands.InvokeWmiMethod.ProcessRecord()
       at System.Management.Automation.CommandProcessor.ProcessRecord() 
    

    In C:\Windows\CCM\Logs\CCMSDKProvider.log I found the following:

    Checking if a service window of a given type is currently
    available
    CCM::CCMSDKProvider::IsServiceWindowAvailableInternal failed
    with error = 0x80070005

    If I run the WMI method as the NetworkService from WMIExplorer, I get a blank error.

    We tried rebooting the machine granting thea user full permissions to the WMI classes on a few machines but this didn't help.

    Weirdly, on one of my machines, after its weekly automated reboot, it suddenly started working.

    I then decided to create a non-admin user on a test machine and try running the WMI method as that user via psexec. This also failed. I then logged in as that user with RDP and ran the WMI method in exact same psexec window and it worked! Logged the user out and it stopped working again.

    I'm not sure why is suddenly started working on one of my machines as the NetworkService user is not logged in (at least not in the traditional sense with a desktop etc).

    Is there a way of getting the CCM Client SDK to respond to queries even if the user is not logged in? Also any thoughts on why the Client would suddenly start responding to the NetworkService account on a server.

    I created a ticket with Microsoft which got instantly moved to the user experience team who suggested I add the NetworkService account to the administrators group :| .

    Seems similar to an issue I posted before: https://social.technet.microsoft.com/Forums/en-US/ConfigMgrCBOSD/thread/b33285b1-df97-4691-98b0-dacbd3f8c697/#04faef3e-cebf-42ff-9c55-40faa769b09f

    Thanks,

    Andrew

    Tuesday, June 25, 2019 3:56 PM