During one of our Go-To-Cloud projects at One Step Beyond, a customer ran into an issue after trying to upgrade to the latest version of Azure AD Connect available at that moment (1.1.880.0).

The error message in the UI was not really helpful, so we checked the log file (you can find the path directly in the wizard window) and Bingo!

Upgrade failed with the following error:

GetProductName: Unexpected exception occurred. Details System.Security.SecurityException: Requested registry access is not allowed.

OK. It seems that during the upgrade the application is trying to access some registry keys and is not able to.

We started the upgrade again, but this time we ran Sysinternals Process Monitor in parallel with the wizard to identify which registry key (or keys) was affected.

Process Monitor was pretty clear: Access Denied on the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADHealthAgent\Sync

We checked the key permissions and they were indeed very suspicious: inheritance was disabled and ALL APPLICATION PACKAGES had only Read access.

To fix the error, we just enabled inheritance in the Advanced options on the Permissions tab.

Then we ran the wizard again and the upgrade went smoothly. Problem solved!

As an additional step (we had only guessed which permissions Azure AD Connect required in order to work), we checked the permissions on that key again and found inheritance disabled but the correct permissions applied: it seems that the upgrade overwrites and aligns the required registry permissions. Perfect!
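
The permission check and the inheritance fix described above can also be scripted. The following PowerShell is an added example, not part of the original post or of Azure AD Connect; the parameter names `-KeyPath` and `-Repair` and the backup file name are assumptions made for illustration, and it must be run from an elevated session.

```powershell
#requires -RunAsAdministrator
# Added example: audit the DACL of the key named in this post and, only when
# -Repair is given, re-enable inheritance (the same change made in the GUI).
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\ADHealthAgent\Sync',
    [switch]$Repair   # hypothetical switch name; without it the script is read-only
)

$acl = Get-Acl -Path $KeyPath

# AreAccessRulesProtected = $true is what the GUI shows as "inheritance disabled".
[pscustomobject]@{
    Key                 = $KeyPath
    Owner               = $acl.Owner
    InheritanceDisabled = $acl.AreAccessRulesProtected
} | Format-List

# List every ACE so explicit entries (IsInherited = False) stand out.
$acl.Access |
    Sort-Object IsInherited, IdentityReference |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize

if ($Repair -and $acl.AreAccessRulesProtected) {
    # Keep the current security descriptor as SDDL so the change can be reviewed or reverted.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:TEMP "ADHealthAgent-Sync-acl-$stamp.sddl"
    $acl.Sddl | Set-Content -Path $backup -Encoding ASCII
    Write-Host "Previous descriptor saved to $backup"

    # isProtected = $false re-enables inheritance from the parent key.
    # The second argument is ignored when isProtected is $false.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $KeyPath -AclObject $acl

    # Re-read the key to confirm that inherited ACEs are now present.
    $after = Get-Acl -Path $KeyPath
    Write-Host "Inheritance disabled after repair: $($after.AreAccessRulesProtected)"
    $after.Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
}
elseif ($Repair) {
    Write-Host 'Inheritance is already enabled; nothing to change.'
}
```

Running it without `-Repair` before and after the upgrade shows the permission change that the upgrade applies to the key.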

As additional tips, please remember:

  • Always run AD Connect using an account with the right privileges. You can find the requirements here.
  • Enabling Auto-Upgrade is (most of the time) a good option. You can find information here.

 
