Answer
PROBLEM
When attempting to deploy the GFI EndPointSecurity agent on a remote machine, either of the following error messages is received:
- Failed to read from remote computer's registry
- Failed to connect to remote registry
ENVIRONMENT
- GFI EndPointSecurity
- All Supported Environments
SOLUTION
Remote Registry Service
Ensure that Remote Registry Service is enabled on the target computer:
- Open the Control Panel
- Select Administrative Tools
- Select Services
- Right click the Remote Registry Service and select Properties
- Under Startup Type select Automatic from the drop down menu
Local Firewall
If the target computer has a firewall installed locally, ensure that the firewall will allow connections from the machine that is trying to install the GFI EndPointSecurity agent.
Enable NetBIOS
From the target machine, perform the following to enable NetBIOS:
- Open the Properties of the network card
- Open the Properties of Internet Protocol (TCP/IP)
- From the General tab, click on the Advanced button
- Change to the WINS tab
- Select the option Enable NetBIOS over TCP/IP
Test Connection of Remote Registry
You are able to test if you are able to connect to the Remote Registry service of the target computer from the GFI EndPointSecurity server by performing the following:
- Click on Start and select Run
- Type regedit
- In the Registry Editor select File and then click Connect to Network Registry
- Enter the machine name or the IP Address of the target computer in the Select Computer dialogue box and click Ok
Should the connection of the remote registry be successful, you should be able to browse through the registry of the target machine.
Check Permissions to Access the Remote Registry
Connect to the machine using remote desktop and check the following key:
-
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
Right-click the Winreg key and choose Permissions. The permissions on this key contol access to the remote registry.
- Make sure the account used for deploying has Full Access permissions on this key
- Also the Local Service account must have Read permissions
See also the following Microsoft kbase articles on this:
-
How to Manage Remote Access to the Registry: http://support.microsoft.com/kb/314837
How to restrict access to the registry from a remote computer (Win 2000) : http://support.microsoft.com/kb/153183#appliesto
When you are specifying alternate logon credentials and using a local administrative account on the agent
- Log on to the target machine and open the local group policy editor (gpedit.msc)
- Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Insure the policy 'Network Access: Sharing and Security Model for Local Accounts' is set to Classic - local users authenticate as themselves
CAUSE
- The remote registry service is disabled on the target computer
- A firewall is started on the target computer denying access to EndPointSecurity deployment mechanism
- Invalid credentials are issued for the deployment of the Agent on the target computer
- NetBIOS is disabled on the remote computer
- The accounts listed above do not have the proper permissions