Troubleshooting Agent Management Jobs
If Agent Management Jobs are not completing successfully, additional configuration may be required.
If the Ivanti Endpoint Security server or an applicable network endpoint has lost its trust relationship with the domain, Agent Management Jobs will fail with an error of access denied.
To verify whether this issue is causing Agent Management Job failure, ensure that the Ivanti Endpoint Security server can connect to the applicable endpoint's C$, and that the applicable endpoints can connect to the server's C$. To verify these connections, type the following command from the applicable endpoint or server prompt: \\EndpointIPAddress\C$.
If the following system output results from the command, your endpoint or server has lost its trust relationship with the domain: The trust relationship between this workstation and the primary domain failed.
To resolve this issue, remove the applicable server or endpoint from the domain, and then add it back. This process forces the domain to refresh the endpoint password. The endpoint password prompts users for resetting at scheduled intervals according to its security settings.
To disable password changes, see below.
Resolving Endpoint UAC Issues
On endpoints running Windows, UAC security features are set to highly restrictive levels by default. These settings must be configured properly to ensure Agent Management Job success.
When a Windows endpoint is in this default UAC configuration, Agent Management Jobs fail with an access denied error.
Use one of two methods to resolve this issue:

Adding a domain account to the applicable endpoint's local administrator's group will typically resolve the issue. To use this method, add the endpoint to a domain (provided it isn't already added), and then add a domain user to the endpoint's local administrator group. Running an Agent Management Job configured to use this domain account's credentials will allow the job to complete successfully.
The domain account added to the local administrator's group must be an individual domain account; you cannot add a domain group.

If the use of a local administrative account is desired or required, you can set a registry value to resolve this issue.
Create a DWORD registry value named LocalAccountTokenFilterPolicy in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ registry hive. Set its value to 1.
No reboot is required. This method allows a local administrative account to successfully run Agent Management Jobs.
Refer to How to change the Remote UAC LocalAccountTokenFilterPolicy registry setting for additional information about this method.
Disabling Password Changes
To disable password changes, create a registry key for the applicable endpoint. Perform this task from the applicable endpoint.
- Select Start > Run.
The Run dialog opens.
- Type regedit in the Open field.
- Click OK.
The Registry Editor opens.
- Expand the directory tree structure to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
- Right-click DisablePasswordChange.
- Select Modify.
The Edit DWORD Value dialog opens.
- In the Value data field, type 1.
- Click OK.
The key value is updated. User profile passwords can no longer be edited on the applicable endpoint.
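The following read-only audit is an added example, not Ivanti code: it reports the domain trust state and the two registry values named on this page (LocalAccountTokenFilterPolicy and DisablePasswordChange), so you can confirm what is actually set on an endpoint before and after applying these workarounds. It assumes an elevated Windows PowerShell 5.1 session on the endpoint or server; the function name and output property names are chosen for this example.

```powershell
# Added example (not Ivanti code): read-only audit of the settings discussed above.
# Assumption: run in an elevated Windows PowerShell 5.1 session on the endpoint or server.

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    # Returns the registry value, or $null when the key or value does not exist.
    try   { Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop }
    catch { $null }
}

$uacPath      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$netlogonPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$tokenFilter = Get-DwordOrNull -Path $uacPath      -Name 'LocalAccountTokenFilterPolicy'
$noPwdChange = Get-DwordOrNull -Path $netlogonPath -Name 'DisablePasswordChange'

# Domain trust check: only meaningful on a domain-joined machine.
$isDomainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$trustOk = if ($isDomainJoined) {
    # $true when the machine's secure channel to the domain is intact.
    try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false }
} else {
    $null   # not applicable for workgroup machines
}

# One object per machine, easy to export or compare across endpoints.
[pscustomobject]@{
    ComputerName                  = $env:COMPUTERNAME
    DomainJoined                  = $isDomainJoined
    SecureChannelHealthy          = $trustOk
    LocalAccountTokenFilterPolicy = $tokenFilter          # $null = value not present
    RemoteUacFilteringDisabled    = ($tokenFilter -eq 1)  # local admins get full remote tokens
    DisablePasswordChange         = $noPwdChange          # $null = value not present
    PasswordChangesDisabled       = ($noPwdChange -eq 1)
}
```

The script changes nothing; collecting its output from each managed endpoint gives an inventory of where these two values are set to 1.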