
WMI Windows Agent will no longer connect after Microsoft KB5004442 security update

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Critical
    • Component: windows-slaves-plugin
    • jenkins controller: 2.319.2 on centos7, adoptium jdk-11.0.13+8, Windows Agents v1.8 plugin
      jenkins build node: Windows 10 Enterprise, 10.0.19042 Build 19042, includes updates through 2022-01-13

      • A connection attempt to Windows build node generates the following Event Viewer system log message on the build node:
        • source: DistributedCOM
        • Event ID: 10036
        • Level: Error
          The server-side authentication level policy does not allow the user ***** from address ***** to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
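
A triage sketch for the Event ID 10036 message quoted above, added here as an example and not code from this issue or from the Windows Agents plugin: it parses exported System log rows and counts which user and address pairs are being refused for activating DCOM below the required level. The CSV column names, accounts and addresses are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Wording taken from the Event ID 10036 message quoted in this issue.
DENIED = re.compile(
    r"does not allow the user (?P<user>.+?) from address (?P<address>\S+) "
    r"to activate DCOM server\..*?at least to (?P<level>RPC_C_AUTHN_LEVEL_\w+)"
)

_MSG = (
    "The server-side authentication level policy does not allow the user {user} "
    "from address {addr} to activate DCOM server. Please raise the activation "
    "authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
)

# Constructed sample export: column names, accounts and addresses are assumptions.
SAMPLE_EXPORT = "\n".join([
    "Level,Source,EventID,Message",
    "Error,DistributedCOM,10036," + _MSG.format(user=r"BUILD\jenkins", addr="192.0.2.10"),
    "Error,DistributedCOM,10036," + _MSG.format(user=r"BUILD\jenkins", addr="192.0.2.10"),
    "Error,DistributedCOM,10036," + _MSG.format(user=r"BUILD\svc deploy", addr="192.0.2.44"),
    "Error,DistributedCOM,10036,Message text could not be rendered",
    "Warning,DistributedCOM,10016,Constructed unrelated DCOM event",
    "Information,Service Control Manager,7036,Constructed unrelated event",
])


def summarize_dcom_denials(export_text):
    """Count 10036 denials per (user, address, required level); also return unparsed count."""
    clients = Counter()
    unparsed = 0
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Source"] != "DistributedCOM" or row["EventID"].strip() != "10036":
            continue
        match = DENIED.search(row["Message"] or "")
        if match is None:
            unparsed += 1  # surfaced so a changed message format is not silently skipped
            continue
        clients[(match["user"], match["address"], match["level"])] += 1
    return clients, unparsed


if __name__ == "__main__":
    clients, unparsed = summarize_dcom_denials(SAMPLE_EXPORT)
    for (user, address, level), count in clients.most_common():
        print(f"{count:3d}  {user} @ {address} must use at least {level}")
    print(f"unparsed 10036 events: {unparsed}")
```

Each pair in the output is a DCOM client that has to raise its activation authentication level before the server will accept it.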

       

          [JENKINS-67604] WMI Windows Agent will no longer connect after Microsoft KB5004442 security update

          Mike Butterfield created issue -
          Kalle Niemitalo made changes -
          Description Original: * A connection attempt to Windows build node generates the following Event Viewer system log message on the build node:
           ** source: DistributedCOM
           ** Event ID: 10036
           ** Level: Error
          {noformat}
          The server-side authentication level policy does not allow the user ***** from address ***** to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.{noformat}

           * The _Troubleshooting WMI Windows Agents_ page at [https://github.com/jenkinsci/windows-slaves-plugin/blob/master/docs/troubleshooting.adoc] was reviewed for possible causes without success.
           * The log message is described in the following security update: _KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)_ ([https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c])
           * Editing the registry setting as described in KB5004442 followed by a reboot of the build node had no effect. The system log message is still generated.
           * NOTE that the behavior changes section in KB5004442 shows that the bypass will no longer be an option after Q2 2022:
           *
          {noformat}
          June 8, 2021
          Hardening changes disabled by default but with the ability to enable them using a registry key.{noformat}

           *
          {noformat}
          Q1 2022
          Hardening changes enabled by default but with the ability to disable them using a registry key.{noformat}

           *
          {noformat}
          Q2 2022
          Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.{noformat}

           
          New: * A connection attempt to Windows build node generates the following Event Viewer system log message on the build node:
           ** source: DistributedCOM
           ** Event ID: 10036
           ** Level: Error
          {noformat}
          The server-side authentication level policy does not allow the user ***** from address ***** to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.{noformat}

           * The _Troubleshooting WMI Windows Agents_ page at [https://github.com/jenkinsci/windows-slaves-plugin/blob/master/docs/troubleshooting.adoc] was reviewed for possible causes without success.
           * The log message is described in the following security update: _KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)_ ([https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c])
           * Editing the registry setting as described in KB5004442 followed by a reboot of the build node had no effect. The system log message is still generated.
           * NOTE that the Timeline section in KB5004442 shows that the bypass will no longer be an option after March 2023:
          |June 8, 2021|Hardening changes disabled by default but with the ability to enable them using a registry key.|
          |June 14, 2022|Hardening changes enabled by default but with the ability to disable them using a registry key.|
          |March 14, 2023|Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.|

           
          Mark Waite made changes -
          Resolution New: Won't Fix [ 2 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]
          Mike Butterfield made changes -
          Link New: This issue relates to JENKINS-70301 [ JENKINS-70301 ]
          Mike Butterfield made changes -
          Comment [ Follow-up ticket at: {{Resolve implied dependencies on WMI Windows Agent plugin}} https://issues.jenkins.io/browse/JENKINS-70301 ]

            escoem Emilio Escobar
            mb_austex Mike Butterfield