We upgraded SMS 2003 to SCCM 2007 and CSA isn't liking it very much. We have two main issues, both going to the same root cause, remote registry access.
1. SCCM Client Install
-Initiating an install from the management console generates a series of messages about remote registry access similar to this one:
The process '<remote application>' (as user system\Administrator) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
Numerous registry keys are accessed. I have managed to tune out all other aspects of the agent installation.
2. Remote Control/RDP from outside the firewall
-The new agent does remote control differently than in SMS 2003. If no user is logged in, it attempts RDP. It also generates remote registry logs similar to the following:
TESTMODE: The process '<remote application>' (as user domain\user) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
This only happens if the person attempting to utilize the remote tools is connected by VPN. When physically at the main campus it works fine.
The one difference I have noticed is that the agent install logs indicate the local administrator account of the machine, and the remote tools logs capture the domain user account of the person attempting to utilize the remote tools. For obvious reasons, I do not want to open up full registry access to <remote application> but need at least partial access to solve these issues.
The only thought I have at this point is to create a set of registry keys based on the logs and allow them as an exception to the deny rule.
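
An added example, not part of the original post: one way to turn the logged events into a reviewable list of candidate exception keys, grouped by process and user. The function names, the `MIN_DEPTH` threshold and the sample events are assumptions made for illustration; the message format is the one quoted above.

```python
import re
from collections import defaultdict

# Constructed sample events, in the message format quoted in the post.
SAMPLE_EVENTS = [
    r"The process '<remote application>' (as user system\Administrator) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
    r"TESTMODE: The process '<remote application>' (as user domain\user) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
    r"The process '<remote application>' (as user system\Administrator) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
]

EVENT_RE = re.compile(
    r"^(?P<testmode>TESTMODE: )?The process '(?P<process>[^']*)' "
    r"\(as user (?P<user>[^)]*)\) attempted to access the registry key "
    r"'(?P<key>[^']*)' and value '(?P<value>[^']*)'\. .*?"
    r"\(operation = (?P<op>[^)]*)\)"
)

# Assumption: a key shallower than \REGISTRY\<hive>\<root>\<subkey> is too
# broad to allow and is set aside for manual review instead.
MIN_DEPTH = 4


def parse_event(line):
    """Return the fields of one registry-access event, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def build_candidates(lines, min_depth=MIN_DEPTH):
    """Group unique (key, operation) pairs by (process, user); set aside broad keys."""
    candidates, too_broad = defaultdict(set), set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not a registry-access event in the expected format
        depth = len([p for p in ev["key"].split("\\") if p])
        if depth < min_depth:
            too_broad.add((ev["process"], ev["user"], ev["key"]))
        else:
            candidates[(ev["process"], ev["user"])].add((ev["key"], ev["op"]))
    return {k: sorted(v) for k, v in candidates.items()}, too_broad


if __name__ == "__main__":
    allowed, broad = build_candidates(SAMPLE_EVENTS)
    for (proc, user), keys in allowed.items():
        for key, op in keys:
            print(f"candidate  {proc}  {user}  {op}  {key}")
    for proc, user, key in sorted(broad):
        print(f"review     {proc}  {user}  {key}  (too broad to allow as-is)")
```

Keys that land in the review list, such as the `\REGISTRY\MACHINE` open from the VPN case, would reopen most of the hive if allowed directly, so they need a narrower rule than a simple key exception.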