Well... I set the himds ("Azure Hybrid Instance Metadata Service") Log On settings to use the Local System account and started the himds service. The machine is now online in Azure Arc and I was able to scan for updates. I assume that not running the service with the himds account might break some functionality, but it appears to be managing Windows Updates, which is all I need it for.
Azure Arc fails to connect because NT SERVICE\himds is not allowed to log on as a service
Johnathan Sagar
The short version: How do I get Azure Arc to connect to Azure if GPO is limiting which accounts are allowed to log on as a service and the himds service requires "NT SERVICE\himds" to log in as a service? (I am unable to add "NT SERVICE\himds" to the GPO due to the account failing lookup/validation.)
The long version:
- Azure Arc is installed on a domain controller.
- All domain controllers in the environment have a GPO defining which accounts can log on as a service.
- Running "azcmagent show" returns the following output:

```text
azcmagent show
INFO Exit Code: AZCM0064: Unable to establish communication with himds server
INFO Please check if the Hybrid Instance Metadata Service (HIMDS) is running. If it is in the stopped state, review the relevant logs (himds.log, event log (Windows), and journal/system log (Linux)); start the service if it was deliberately stopped or report crashes to the Microsoft Support. HIMDS could be busy if encountering networking issues, which can be identified in himds.log.
INFO For more troubleshooting tips, please refer to https://aka.ms/arc/azcmerror
FATAL open \\.\PIPE\himds: The system cannot find the file specified.
```
- Unable to start "Azure Hybrid Instance Metadata Service" (himds) due to Error 1069: logon failure.
- The service "Azure Hybrid Instance Metadata Service" (himds) is configured during installation to log on as "NT SERVICE\himds".
- Found that a GPO defines which accounts are allowed to log on as a service, and "NT SERVICE\himds" is not in that list.
- The "Deny log on as a service" policy is enabled, but no accounts are listed in it.
- I'm unable to add "NT SERVICE\himds" to the "Allow log on as a service" policy because the account fails validation/lookup (see screenshot).
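As an added example (not part of the original question or of the Azure Arc agent), the following PowerShell script checks whether the account a service is configured to start as actually holds "Log on as a service" (SeServiceLogonRight) in the effective local policy, which is the condition that fails here. It assumes an elevated session on the affected Windows host, with secedit.exe and sc.exe available; the service name defaults to himds.

```powershell
# Added example: verify that a service's logon account holds SeServiceLogonRight.
# Assumes an elevated PowerShell session on Windows; the service name is a parameter.
param([string]$ServiceName = 'himds')

# 1. Which account is the service configured to start as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$startName = $svc.StartName          # e.g. "NT SERVICE\himds" or "LocalSystem"

# 2. Resolve the account to a SID. A virtual service account (NT SERVICE\<name>)
#    only resolves on a host where that service exists, which is why an account
#    lookup from the GPO editor on another machine fails. 'sc showsid' derives
#    the SID from the service name instead of looking the account up.
if ($startName -match '^NT SERVICE\\(.+)$') {
    $line = (sc.exe showsid $Matches[1]) -match '^SERVICE SID:'
    $sid  = ($line -split ':\s*')[1].Trim()
} elseif ($startName -eq 'LocalSystem') {
    $sid = 'S-1-5-18'
} else {
    $sid = ([System.Security.Principal.NTAccount]$startName).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
}

# 3. Export the effective user-rights assignment (GPO-applied settings included)
#    and read the SeServiceLogonRight line.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -Force
# secedit writes SIDs prefixed with '*' and names as-is, comma separated.
$holders = if ($rightLine) {
    ($rightLine -split '=')[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
} else { @() }

# 4. Report. LocalSystem is not subject to this check, but switching a service to
#    it trades the least-privilege virtual account for full system privileges.
$granted = ($sid -eq 'S-1-5-18') -or ($holders -contains $sid) -or ($holders -contains $startName)
[pscustomobject]@{
    Service   = $ServiceName
    StartName = $startName
    SID       = $sid
    Granted   = $granted
    Holders   = ($holders -join ', ')
}
```

The SID printed for the virtual account is the value a user-rights GPO can carry even when name lookup fails on the machine running the policy editor, so the output is the piece of information needed to keep the service on its own account rather than LocalSystem.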