Altiris Agent DCOM settings changes will not remain after a reboot of the SMP server.

book

Article ID: 158982

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Altiris Agent DCOM settings changes will not remain after a reboot of the SMP server.

Cause

The Altiris Agent service is resetting these on start-up. This is by design. The default or custom DCOM permissions often allow local DCOM server launch. User scripts, 3rd party applications, or other elements can start the SMA service by simply executing any SMA COM method. They could do that at any time without actually checking that the time is right. The fix for this was implements to disallow anyone to starts SMA service by invoking a COM method. 

 

Resolution

These changes are not recommended by Symantec. If there are a lot of errors in the log, the cause needs to be indentified and the solution below is only meant as a temporary workaround. For example, if there is a keep alive script on the endpoint that checks to see if the agent is started and then invokes a COM object to start it, we will fail it because it can interfere with upgrades or other solution installs.

After making the desired settings to the Altiris Agent DCOM Config, follow these steps to lock it down so the settings are not changed upon reboot or restart of agent:

  1. Open the Registry Editor (regedit.exe)
  2. Browse to HKEY_CLASSES_ROOT\AppID\{5E038245-CF81-44BE-8018-9A2981B9DC9B}
  3. Right-click on {5E038245-CF81-44BE-8018-9A2981B9DC9B} and select Permissions…
  4. Click the Advanced button
  5. Select the row with the name SYSTEM
  6. Click the Edit… button
  7. For Set Value, check the Deny box
  8. Click OK
  9. Click OK
  10. On the Windows Security warning, click Yes.
  11. Click OK
  12. Close Registry Editor

The System account will now be unable to edit the settings for the Altiris Agent service. If you ever need to make changes to these settings, you will need to return to Registry Editor and remove the Deny from SYSTEM account.