SCVMM 2012 R2 Bare Metal Deploy WinRM Error

I’ve been getting to know SCVMM much better, in particular the ability to provision new hosts using the iLO port on a fresh HP server and I found this problem that the search engines don’t seem to have an answer for.

Towards the end of the deploy process, after the OS is installed, joined to the domain and the agent is installed, it stops with this error:

VMM Bare Metal Deploy Error

Error (20552)
VMM does not have appropriate permissions to access the resource C:\Windows\system32\qmgr.dll on the server.domain.com server.

Recommended Action
Ensure that Virtual Machine Manager has the appropriate rights to perform this action.

Also, verify that CredSSP authentication is currently enabled on the service configuration of the target computer server.domain.com. To enable the CredSSP on the service configuration of the target computer, run the following command from an elevated command line: winrm set winrm/config/service/auth @{CredSSP=”true”}

As a result the network connections and a few other bits don’t correctly apply but the host does appear in VMM.

Looking at the host properties, you can see it’s a WinRM issue:

VMM Bare Metal Deploy Error 2

Error (20506)
Virtual Machine Manager cannot complete the Windows Remote Management (WinRM) request on the computer server.domain.com.

Recommended Action
Ensure that the Windows Remote Management (WinRM) service and the Virtual Machine Manager Agent service are installed and running. If a firewall is enabled on the computer, ensure that the following firewall exceptions have been added: a) Port exceptions for HTTP/HTTPS; b) A program exception for scvmmagent.

Having checked all of the obvious, including that WinRM is enabled as it should be, GPOs aren’t getting in the way and firewall rules are set up to allow the traffic, I took a look at the security log on the new host:

VMM Bare Metal Deploy Error 3

In the Microsoft Documentation, it says very specifically that when creating a Host Profile for the deployment, the Run As account that you use to join the host to the domain should have “very limited privileges” and “should be used only to join computers to the domain”. Hence the dedicated Domain Join account I used.

So why is this account logging into the server after deployment? A quick trip to the host properties reveals the answer:

VMM Bare Metal Deploy Host Properties

D’oh! Nicely done SCVMM.

Go back into the Host Profile:

VMM Bare Metal Deploy Host Profile

And there is our Domain Join account. Create a new Run As account with the appropriate permissions to administer newly created hosts (unfortunately this is possibly Domain Admins, depending on your environment), update the Host Profile and redeploy the host and you should be good. Please note that you cannot use the SCVMM service account for this task, it has to be separate account.

One thought on “SCVMM 2012 R2 Bare Metal Deploy WinRM Error

  1. Pingback: Monthly Round-Up: October 2014

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s