Hi Everyone, I have been getting the So called DCOM EVENT ID: 10016 , I checked through the following site See(http://social.technet.microsoft.com/Forums/eu/configmgrgeneral/thread/95cf98dd-d7c0-47d6-9ac9-605484f80503) I have been through number of fixes, like setting the NAP agent to Automatic , Stopping the Wireless Zero config services. Etc. We have Win XP SP3 systems all over. We do have SCCM server and often while it reboots automatically it pops a window asking the user for a reboot, if the reboot is not allowed at that moment, still it gets rebooted. We have been getting this error during production hours and no one is happy about it. The event error is as as follows: [The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}{ DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.] The CLSID is pointing me towards the Quarantine Private SHA Binding class / Quarantine Private QEC binding Class on the registry Fixes used: Started The NAP services and set to automatic. I checked the NAP agent Security with Local Launch. Question: Is it the right fix or should I look more into it? Is it happening due to the SCCM patching activities? We have around 5000 systems, how am I supposed to make changes in these many systems.Sudip Bhowmik

Hello Sudip, I suggest you check similar kind of issue (Event ID:10016) http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/8085a7d5-ab08-4bcd-bf28-e412c5e38fff/Regards, Ravikumar P

please see if following article helps in your scenario Permission settings do not grant Local Launch permission for the COM Server application with CLSID http://blog.paulgu.com/windows/permission-settings-do-not-grant-local-launch-permission-for-the-com-server-application-with-clsid/ We have around 5000 systems, how am I supposed to make changes in these many systems. When you say 5000 machines, are all of them have this DCOM errors ? Are all those machines, imaged from a single master image ?I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Dear Santosh, I have been through your proposed article regarding allowing permissions like the below mentioned to the User and so on: Local Launch Remote Launch Local Activation Remote Activation How do I treat this particular issue with 5000 systems, where the DCOm error or the reboot issue does not occur on all the systems.The Users complain about the reboot about any random systems (any 7 or 8), and we found out that happens when the MS patch activity is scheduled. The event logs says that the reboot happened when the patch was deployed and after that we found those DCOM errors. Should we go ahead and apply the changes to all the 5000 systems to avoid this ? If this is the case,then why all the systems not getting rebooted? Many thanks for your help! Sudip IBM INDIA PVt.LtdSudip Bhowmik

Picture is bit clear now ! Machines might have been rebooted due to patch updates not because of DECOM errors. Moreover, you should change the DECOM permissions on only affected machines not on all the machines. why all the systems not getting rebooted? When patches are pushed on machines and updated via BigFix, users would get a prompt to defer the reboot; few might ignore that prompt when that appears and due to which machines are rebooted. Maybe, we can have a chat about this topic on IBM SAME TIME ! I would be coming online at 1:30 PM IST today, do give me a buzz on SAME TIME if you wish. Thanks I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Hi Santosh, "When you say 5000 machines, are all of them have this DCOM errors ? Are all those machines, imaged from a single master image ?" Yes, they are all from a single master Image. Thanks for your reply. Sudip Sudip Bhowmik

Hi Santosh, I have seen the event when it asks for a reboot and yes it also prompts to be deffered. The machines have been installed from a single master image, however making changes in the master copy and deploying the same to 5000 systems is way long process and would also require approvals from different levels. The main concern is with the reboot during production hours due to which the issue is being raised by the users.Since the MS patch is currently not being deployed by local SCCM team and we are unaware about the schedule of the deployment. The requirement is to avoid the reboot request or the actual reboot. Is ther any fix? or we need to communicate with the Remote SCCM team? Thanks and regards, Sudip BhowmikSudip Bhowmik

Hi Sudeep, The machines have been installed from a single master image, however making changes in the master copy and deploying the same to 5000 systems is way long process and would also require approvals from different levels. Yes, I can understand that. It's highly difficult or next to impossible to re-image 5000 machines at a time. However, you do need to change the golden image for sure for future use. The main concern is with the reboot during production hours due to which the issue is being raised by the users.Since the MS patch is currently not being deployed by local SCCM team and we are unaware about the schedule of the deployment. The requirement is to avoid the reboot request or the actual reboot. Is ther any fix? or we need to communicate with the Remote SCCM team? As I mentioned in my previous post, AFAIK reboots are not caused by DECOM errors. Yes, you had rightly anticipated, you need to approach the Remote SSCM team and convince them to change/modify the patch deployment schedule and reboot options which can be of very little inconvenience to the users. Also, it would be better to educate users on monthly patch deployment schedules and how it works, so that they could also be aware whats going to happen. Mass mailers would come in handy. Just wondering, if you had tried the suggestion mentioned the link which was posted before to fix DECOM error ? Any luck on that ? If that didn't fix your issue, you might want to Unmark the thread as an answer. You might as well check this issue in SCCM forum to know if there is any correlation between sccm patch deployment and DECOM errors. http://social.technet.microsoft.com/Forums/en-US/configmgrgeneral/threads ThanksI do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Dear Santosh, Thanks for your valuable suggestions, Currently I have suggested the below mentioned steps and observing the same for the Outcome. 1. Open regedit 2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{24FF4FDC-1D9F-4195-8C79-0DA39248FF48} 3. Right click the {B292921D-AF50-400c-9B75-0C57A7F29BA1} folder and select "Permissions" 4. Click Advanced 5. Click the "Owner" tab 6. Change owner to the local "Administrators" group and click OK. 7. Grant the local "Administrators" group Full Control over the {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} key and click OK. 8. Launch Component Services under Start -> Programs -> Administrative Tools 9. Navigate to Component Services -> Computers -> My Computer -> DCOM Config 10. Right-click the "NAP Agent Service" and select properties.Also Set the Network Access protection Service, as automatic and not Manual. 11. Click the security tab 12. Click the "Edit" button under the "Launch and Activation Permissions" 13. Highlight the "SYSTEM" user. Grant the user "Local Launch" permission. 14. Click OK and exit out of Component Services and regedit. 15 Apply changes to 2-3 systems which do not show any Patches installation, Observe in case if it reboots again. Source: http://social.technet.microsoft.com/Forums/eu/configmgrgeneral/thread/95cf98dd-d7c0-47d6-9ac9-605484f80503 Thanks, I am coordinating with the Remote SCCM team for the same. Sudip Sudip Bhowmik