Discovery of a Windows system requires that the TCP 135 (RPC), RPC range, and TCP 445 (SMB) ports remain open and that the SMB service is enabled on the agent computer.
After a target device has been discovered, an agent can be deployed to it. Agent installation requires:
Open the Local Security Policy on the SCOM management server, go to Local Policies > User Rights Assignment and find Log on as a service and add the account to the Log on as a service group and then try pushing the SCOM agent again.
In the Operations Manager event log on the SCOM management server, we receive the an error with the event ID 10602:
The most common issue in these cases is the firewall, check that both physical and virtual firewalls are not blocking the communication from the SCOM management server to the computer which the SCOM agent will be installed on.
pending repair,
pending update
135/TCP,
137/UDP,
138/UDP,
139/TCP,
445/TCP
*RPC/DCOM High ports (2008 OS and later)
Ports 49152-65535 TCP
Another thing to make sure is that the SCOM management server is able to resolve the DNS name of the destination agent computer, try running an nslookup on the destination agent computer from the SCOM management server. nslookup "AgentComputer.domain.com" nslookup <IP address of Agent Computer>
Now we can clearly see that the account which was used to push the SCOM agent does not have enough permissions on the destination agent computer.
Make sure the account used to push the SCOM agents have local administrator privileges on the destination agent computer.