WMI issues after upgrading agents to 2022 rtm

Stephen Morrison 91 Reputation points
2022-11-15T22:49:20.357+00:00

After we upgraded our Windows SCOM agents from 2019 UR4 to 2022 we started to get some new WMI error messages. These seem to be limited to Windows Clusters where the WMI call is trying to connect to virtual names name space. I updated this workflow to change the remotable property to false and this seemed to clear up the error but why did this work before and not now? Also I am not sure what side affects this property change will have.

Anybody experience this or know what changes in the 2022 agent might have affected these workflows? We are also seeing this on a particular windows service monitor when it tries to collect performance metrics.

260694-image.png

I ran a trace on the agent and this is what the logs show

[23]597188.772004::11/15/2022-17:56:41.904 [ModulesWMI] [] [Error] :CWMIConnect::ConnectServerRemote{WMIConnect_cpp170}CoSetProxyBlanket failed DCAM<HOSTNAME.Domain> FQDN, error 0x800706d3(RPC_S_UNKNOWN_AUTHN_SERVICE)
[23]597188.772004::11/15/2022-17:56:41.904 [ModulesWMI] [] [Error] :CWMIAsyncProbe::OnTimerCallback{WMIProbe_cpp243}Attempt 1 to connect to WMI failed - 0x800706d3(RPC_S_UNKNOWN_AUTHN_SERVICE)
[23]597188.772004::11/15/2022-17:56:41.904 [ModulesWMI] [] [Error] :CWMIAsyncProbe::OnTimerCallback{WMIProbe_cpp244}Will retry in 300 seconds

Operations Manager
Operations Manager
A family of System Center products that provide infrastructure monitoring, help ensure the predictable performance and availability of vital applications, and offer comprehensive monitoring for datacenters and cloud, both private and public.
1,445 questions
{count} votes

5 answers

Sort by: Most helpful
  1. Anonymous
    2022-11-15T22:54:57.257+00:00

    WMI is being removed from later builds.
    https://learn.microsoft.com/en-us/windows/deployment/planning/windows-10-deprecated-features

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Anonymous
    2022-11-15T23:02:51.78+00:00

  3. SChalakov 10,371 Reputation points MVP
    2022-11-16T08:38:13.99+00:00

    Hi @Stephen Morrison ,

    I think it is important to check in this particualr case if only instances of the "Microsoft Windows Server 2012 R2" class are reporting this? Please check the "Instance name" of all the alerts. What do you see there? can you also please check if everytime the same workkflow (PBC.InPAtient.........) is affected?

    Regards,
    Stoyan


  4. Bob Cornelissen 251 Reputation points MVP
    2022-11-17T09:41:19.403+00:00

    Not sure why this is happening suddenly, like you said between 2019UR4 and 2022. Seems not many have the issue.
    What are those discoveries targeting, like Windows Computer? Because that might give these event IDs on cluster nodes when they try to access something which doesn't exist there.
    The unknown authentication service is a nice one. Assuming your DNS client is running, like the linked article above.
    I do not see how the removal of local system dependency on management servers would cause this issue on a cluster instance somewhere else in your network.
    I can imagine doing a flush agent cache could help.
    I saw somewhere with an older agent an issue regarding authentication which was solved by resetting the winsock catalog (netsh winsock reset) followed by a reboot. I never had to do this though.


  5. Stephen Morrison 91 Reputation points
    2023-02-15T21:45:59.83+00:00

    Microsoft is still investigating but they believe there is a bug in the 2022 Agent.

    "There was a new WMI Remote Call method added to the code of the 2022 agent that is having issues when calls are being run against "remote systems" (such as the CNOs) and parsing the authentication method. We have filled a bug this morning with the Product Group"

    I will try to remember to post an update if there is a KB released or if they plan to make a change in UR 2.