We have a fairly secure environment that has a large number of GPOs in place to lock things down. I am fairly sure that one of them is preventing Shavlik from working correctly.
Here is a sample of the ST.ServiceHost.managed.log:
--------
2014-02-10T23:15:56.7378449Z 0009 I RescanManager.cs:411|No more rescan items, shutting down rescan thread.
2014-02-10T23:16:01.2052916Z 0016 I MachineDeployment.cs:1141|Machine name: %HostName%.
2014-02-10T23:16:01.3353046Z 0016 E MachineDeployment.cs:1093|%HostName%: Access to read the target machines registry using the configured credential was denied
2014-02-10T23:16:01.3893100Z 0016 E AgentDeployment.cs:213|System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at Microsoft.Win32.RegistryKey.Win32ErrorStatic(Int32 errorCode, String str)
at Microsoft.Win32.RegistryKey.OpenRemoteBaseKey(RegistryHive hKey, String machineName, RegistryView view)
at ST.Deployment.MachineDeployment.RemoteSystemDirectory()
at ST.Deployment.MachineDeployment.get_RemoteSystemDirectoryUnc()
at ST.BusinessObjects.Deployment.AgentDeployment.DeployAgent()
2014-02-10T23:16:01.3973108Z 0016 E MachineDeployment.cs:1093|%HostName%: Unable to connect using the configured credential.
2014-02-10T23:16:25.3887097Z 0016 I MachineDeployment.cs:1141|Machine name: %HostName%.
2014-02-10T23:16:25.4627171Z 0016 E MachineDeployment.cs:1093|%HostName%: Access to read the target machines registry using the configured credential was denied
--------
FIPS is required in the environment, but I have it disabled in .config files using:
--------
...
</st>
<runtime>
<enforceFIPSPolicy enabled="false"/>
</runtime>
<system.diagnostics>
...
--------
I had this working at one point, but something changed and now only agents that are currently installed will work, and even then, only "kinda".
What is broken:
- Agent deploys.
- Manual agent installs (fails to get a policy list).
- Automatic patching for currently installed agents.
Ideas?