Description

Discovery in Madrid Patch 3, New York and Orlando added Windows WMI probe code that required PowerShell and admin$ share access on targets, breaking discovery for any targets that only had WMI access. Many customers have applied workarounds and update sets to allow the previous WMI functionality to work. Those workarounds are summarized in KB0753561, "Windows Discovery on Madrid Patch 3 and later - known issues and workarounds".

Discovery in Paris adds that WMI support back. For Discovery to work in Paris, any such customizations need reverting, and the update sets need backing out.

Release or Environment

This applies to all instances that are about to be upgraded to Paris and later, to avoid breaking Discovery. If you have already upgraded, these instructions will also allow you to fix Discovery again.

Instructions

These update sets will need backing out.

  1. Log in to the instance as a user with the 'admin' role.
  2. From the System Update Sets - Local Update Sets list, open the update set "Revert_To_Legacy_WMI".
    (Note: If you also have the New_WMI_Discovery_Support_Service_account update set, then please do the same for that.)



  3. Click the Back Out button at the top of the form, and then Proceed with Back Out on the popup.


    If it worked, you will see:


  4. If you have further customised any of the records since originally committing the update set, then you will see an error like this:



    If this happens, select all the records in the "Backout Problems" related list, and in the list actions, select "Decide to use Previous".



    Then click "Back Out" again, and it should work this time.

  5. To confirm you are now using the Paris versions of the files, open any of them, e.g. "Windows - Installed Software", and check the Versions related list. The 'Current' version should be your most recent system upgrade version. If you have not upgraded to Paris yet, then the 'Current' version should be your current instance version, and not the update set version.


Additional Information

The files involved

The above "Revert_To_Legacy_WMI" update set Back-Out process will revert or delete the following. If you applied any of these customizations manually, or by importing XML records, then the revert/delete will also need doing manually.

| Name | Record ID | Revert or Delete |
|---|---|---|
| Windows – Active Connections | discovery_probes_1a9c233dc0a8000b005c58d007c94a03 | Revert |
| Windows - Azure | discovery_probes_8d028772dbd532003398f1351d961992 | Revert |
| Windows – Installed Software | discovery_probes_wmi_df4905820a0a0ba500b7ea51b460326c | Revert |
| is.azure.ps1 (Windows – Azure probe parameter) | discovery_probe_parameter_59224b72dbd532003398f1351d96196f | Revert |
| WMI_ActiveConnections.ps1 (Windows – Active Connections probe parameter) | discovery_probe_parameter_7dfc5f870a000483000169d19b46c06d | Revert |
| output_format (Windows – Classify probe parameter) | discovery_probe_parameter_a88ef9405368330087e5ddeeff7b1255 | Revert |
| output_format (Windows – Installed Software probe parameter) | discovery_probe_parameter_c2efed54c75523008ec44c4c8a976301 | Revert |
| mid.use_legacy_wmi (MID server property) | ecc_agent_property_62cad5d3533133008ec4ddeeff7b12d8 | Delete |

Symptoms in a Paris instance that has not reverted these customisations

(This section will be expanded as tech support see more symptoms.)

  • Windows – Installed Software: a major version mismatch error occurs when running the Windows – Installed Software sensor. The ecc_queue input will be in Error state. Discovery log:
    Sensor error when processing Windows - Installed Software: The sensor's major version = 5 while its related probe's major version = 4
  • Windows - Azure will check if the MID server host is Azure, instead of the target host.
  • Windows - Classify probe may error when attempting to retrieve the result from the admin share. Admin share errors should not be seen any more in Paris, because we check if the admin share is available or not.
    ECC Queue input error in payload:
    The result file \\10.102.75.120\admin$\temp\psscript_output_4ca7d0cc-f3ef-48c7-b720-5cdd31d36b12.txt can't be fetched because it doesn't exist
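
The two error texts quoted above can be matched mechanically when reviewing exported Discovery log or ECC Queue messages. The following is an added example, not ServiceNow code: the function names `classifyMessage` and `triage` are hypothetical, the input is assumed to be plain message strings, and the third sample line is constructed.

```javascript
// Sample input: the two error messages quoted in this article, plus one
// constructed unrelated line (192.0.2.10 is a documentation address).
const SAMPLE_MESSAGES = [
  "Sensor error when processing Windows - Installed Software: The sensor's major version = 5 while its related probe's major version = 4",
  "The result file \\\\10.102.75.120\\admin$\\temp\\psscript_output_4ca7d0cc-f3ef-48c7-b720-5cdd31d36b12.txt can't be fetched because it doesn't exist",
  "Discovery completed for 192.0.2.10",
];

// Sensor/probe major version mismatch, capturing probe name and both versions.
const VERSION_MISMATCH =
  /Sensor error when processing (.+?): The sensor's major version = (\d+) while its related probe's major version = (\d+)/;
// Result file fetch failure on \\<target>\admin$\..., capturing the target host.
const ADMIN_SHARE_FETCH =
  /The result file \\\\([^\\]+)\\admin\$\\\S+ can't be fetched because it doesn't exist/;

// Classify one message; returns null when it matches neither symptom.
function classifyMessage(msg) {
  let m = VERSION_MISMATCH.exec(msg);
  if (m) {
    return {
      symptom: "version_mismatch",
      probe: m[1],
      sensorMajor: Number(m[2]),
      probeMajor: Number(m[3]),
    };
  }
  m = ADMIN_SHARE_FETCH.exec(msg);
  if (m) return { symptom: "admin_share_fetch", target: m[1] };
  return null;
}

// Summarise which probe records to check in the Versions related list
// and which targets reported admin share fetch errors.
function triage(messages) {
  const findings = messages.map(classifyMessage).filter(Boolean);
  const unique = (xs) => [...new Set(xs)];
  return {
    findings,
    probesToCheck: unique(
      findings.filter((f) => f.symptom === "version_mismatch").map((f) => f.probe)),
    adminShareTargets: unique(
      findings.filter((f) => f.symptom === "admin_share_fetch").map((f) => f.target)),
  };
}

console.log(JSON.stringify(triage(SAMPLE_MESSAGES), null, 2));
```

Any probe listed in `probesToCheck` is a candidate for the Versions check described in step 5 of the instructions.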

Article Information

Last Updated: 2020-10-08 02:24:18
Published: 2020-10-01