Azure Arc fails to connect because NT SERVICES\himds is not allowed to log on as a service

Johnathan Sagar 75 Reputation points
2024-09-19T18:02:36.52+00:00

The short version: How do I get Azure Arc to connect to Azure if GPO is limiting which accounts are allowed to log on as a service and the himds service requires "NT SERVICE\himds" to log in as a service? (I am unable to add "NT SERVICE\himds" to the GPO due to the account failing lookup/validation.)

The long version:

  1. Azure Arc is installed on a domain controller.
  2. All domain controllers in the environment have a GPO defining which accounts can log on as a service.
  3. Running "azcmagent show" returns the following output:
    1. azcmagent show INFO Exit Code: AZCM0064: Unable to establish communication with himds server INFO Please check if the Hybrid Instance Metadata Service (HIMDS) is running. If it is in the stopped state, review the relevant logs (himds.log, event log (Windows), and journal/system log (Linux)); start the service if it was deliberately stopped or report crashes to the Microsoft Support. HIMDS could be busy if encountering networking issues, which can be identified in himds.log. INFO For more troubleshooting tips, please refer to https://aka.ms/arc/azcmerror FATAL open \.\PIPE\himds: The system cannot find the file specified.
  4. Unable to start "Azure Hybrid Instance Metadata Service" (himds) due to Error 1069: logon failure
  5. the service "Azure Hybrid Instance Metadata Service" (himds) is configured to log on using "NT SERVICE\himds" automatically during installation.
  6. Found that GPO is defining which accounts are allowed to log on as a service and "NT SERVICE\himds" is not in that list
  7. The Deny log on as a service policy is enabled but there are no accounts listed
  8. I'm unable to add "NT SERVICE\himds" into the allow log on as a service policy due to the account failing validation/lookup (see screenshot)User's image
Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
415 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,076 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,540 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Johnathan Sagar 75 Reputation points
    2024-09-24T16:54:00.0933333+00:00

    Well... I set the himds "Azure Hybrid Instance Metadata Service" Log On settings to use the Local System account and started the himds service. The machine is now online in Azure Arc and I was able to scan for updates. I assume that not running the service with the himds accounts might break some functionality, but it appears to be managing Windows Updates which is all I need it for.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.