Agent Status Icons Suddenly Not Appearing in Console

Version 28

    Verified Product Versions

    Endpoint Manager 9.6Endpoint Manager 2016.x

    Purpose:

    This document will provide you with a potential fix for the following issues:

     

    • Device not responding on 9595 (not network related)
    • Agent status icons do not appear
    • Communication issues with the device

     

    The resolution involves modifying group policy in your domain.

    On the client side, this can be done by opening gpedit.msc.

     

    Resolution depends upon version of LDMS:

    Note: If the status icons were working before and you have neither changed LDMS versions nor changed GPO settings, Please reboot your LDMS core server. If, after you follow the below steps, you continue to have this issue, it may indicate a deeper issue where we recommend working with support.

    NOTE: If the following does not correct the icon issue, you may not be receiving inventory scans properly and seeing 4100 event IDs on your core server. Please see Database Exception: Error Committing on Table:

     

    LDMS 2016.3 SU3+

    NOTE:CBA account has been removed from these versions and future versions. We have started using local account and GPO/permissions are no longer needed. The account can be deleted and will not be added when the new agent is installed.

     

    LDMS 2016 (10.0) SU3+

    LDMS 9.6 SP3

    LDMS 9.6 SP2 May 2016 Component Patch

    NOTE: With these versions, cba_anonymous changed the way it authenticates and now uses Interactive Logon. It was also removed from the local Guests group for security reasons. Cba_anonymous need to have "Allow log on locally" for communication to work. The "Everyone" group could also be used. However, Landesk advises to add cba_anonymous explicitly.

     

    DO NOT Forget that you need to allow log on locally for "Users" somewhere in the policy propagation structure to reach the machine or your users cannot login!

     

    • Open (Group Policy Management) GPMC.msc on a domain controller
    • Edit the policy for the machines to be controlled. This can be at the domain level or whichever OU level you desire.
    • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

    35704-1.jpg

    • Add the following user to the policy settings: cba_anonymous

    35704-2.png

    • Apply the group policy.  Once the device gets this policy and is rebooted, the issue should be resolved.
    • The cba_anonymous user cannot be present in the "Deny log on locally" policy, as it will override the policy specified above.
    • A workaround has been found that deleting the cba_anonymous on the local PC. Deleting the user will force the LANDESK agent to rebuild the user and add the user to the correct policies and groups on that machine. This workaround will work until the domain policy overrides the local policy on the machine.

     


    LDMS 9.6 SP2 - LDMS 9.6 SP2 March 2016

    LDMS 2016 (10.0) flat - SU2

    • Modify the following area of your domain policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    • Modify the "Log on as a batch job" policy.  This policy is most likely manually set if you are experiencing this issue.  If it is set to "Not Defined", you may need to make the adjustments on the local security policy.

     

    35704-1.png

    • Add the following user to the policy settings: cba_anonymous

     

    0953--000109.png

     

    • Apply the group policy.  Once the device gets this policy and is rebooted, the issue should be resolved.
    • cba_anonymous also belongs to the Guests local group. To ensure proper function, the guests group, and the CBA_Anonymous user cannot be present in the "Deny log on as a batch job" policy, as it will override the other policy.
    • A workaround has been found that deleting the cba_anonymous on the local PC. Deleting the user will force the LANDESK agent to rebuild the user and add the user to the correct policies and groups on that machine. This workaround will work until the domain policy overrides the local policy on the machine.

     

     

    Additional Information:

    When this policy is manually set, the cba_anonymous user cannot be accessed by the resident agent, causing some features to not function properly.  We need to allow this user to log on as a batch job to function.

     

    The user cba_anonymous has always been a requirement for the LANDESK agent. CBA is used for communication back to the core from the client. CBA is responsible for showing the different icons. We found that with prior to 9.6 SP2, if the core couldn't communicate with the client using CBA, it would fail over to a local admin account on the machine. When we discovered this security hole, we patched it with SP2. Now, if the communication can't happen with CBA, the fail over doesn't happen and no communication takes place.The reason for the change at GPO level is that GPO will eventually override whatever settings the local machine has. As part of the install, we'll put the CBA user in the correct local policies and groups. This will allow the agent to work correctly until the GPO comes down and makes changes (such as removing from logon as batch or adding to the deny policy).