Recently, Microsoft posted a security vulnerability around SCOM 2019 agents:
Subsequently, we released a KB article about it: KB4601269
Let me give a little background data on it.
This vulnerability is that on SCOM 2019 agents, by default, the Network Service account is granted a high level of privilege on the Operations Manager event log. This access to the event log was new in SCOM 2019 and did not exist in previous versions of SCOM. The update/patch simply removes this access, as it is not necessary.
We released the update as a Post SCOM 2019 UR2 Hotfix. We state that this hotfix requires UR2 as a prerequisite. That actually is not completely accurate. It will apply to SCOM 2019 RTM, UR1, or UR2. The reason UR2 was stated as required was simply that UR2 included a fix for issues with putting agents into Pending Management in the console after applying an update on the server. That’s it. That’s the only reason.
Honestly, I cannot imagine the work involved to get this patch distributed to ALL your agents in really large environments. Many customers are often way behind on agent Update Rollups as it is, because pushing these updates can be very time consuming if you don’t use Windows Update/SCCM for software deployments.
To make this a little easier I added a monitor and recovery to my SCOM Management Pack.
This monitor will inspect the security of the Operations Manager event log, and if Network Service has a high level of access, it will set the SCOM management classes to an unhealthy (Warning) state. The monitor also includes a recovery, disabled by default, which will fix the issue. You can enable this recovery if you want it to run automatically whenever a SCOM 2019 agent with the issue is detected.
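As an added example (not the management pack's own monitor script), here is the kind of check the monitor performs: read the access SDDL of the Operations Manager event log channel with wevtutil and report what the Network Service account (well-known SID S-1-5-20) is granted. Interpreting the mask with the documented event log access bits (0x1 read, 0x2 write, 0x4 clear) and flagging anything beyond read are assumptions, since the post does not spell out which rights the hotfix removes.

```powershell
# Added example: report Network Service's ACEs on the Operations Manager
# event log channel. Run on a SCOM agent as an administrator.
$channel           = 'Operations Manager'
$networkServiceSid = 'S-1-5-20'   # well-known SID of NT AUTHORITY\NETWORK SERVICE

# "wevtutil gl" prints the channel properties; the ACL is the channelAccess line
$line = wevtutil gl $channel | Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
if (-not $line) { throw "Could not read channelAccess for channel '$channel'" }
$sddl = ($line -split ':', 2)[1].Trim()

# Parse the SDDL into ACEs so we can inspect trustee and access mask per entry
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

# Event log access bits (assumption: documented ELF_LOGFILE_* rights)
$rightNames = @{ 0x1 = 'Read'; 0x2 = 'Write'; 0x4 = 'Clear' }

$findings = foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.SecurityIdentifier.Value -ne $networkServiceSid) { continue }
    $granted = $rightNames.Keys |
        Where-Object { $ace.AccessMask -band $_ } |
        ForEach-Object { $rightNames[$_] }
    [pscustomobject]@{
        AceType    = $ace.AceType
        AccessMask = ('0x{0:x}' -f $ace.AccessMask)
        Rights     = ($granted -join ',')
        # Anything other than the read bit is reported for review
        BeyondRead = [bool]($ace.AccessMask -band (-bnot 0x1))
    }
}

if (-not $findings) {
    "OK: Network Service has no ACE on the '$channel' channel"
}
else {
    $findings | Format-Table -AutoSize
    if ($findings.BeyondRead -contains $true) {
        "WARNING: Network Service holds more than read access on '$channel'"
    }
}
```

The same logic can be wrapped in a monitor's probe script, returning a property bag with the BeyondRead value to drive the Warning state.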
This update is included in SCOM 2019 UR3.
This issue is not present on SCOM 2012R2 and SCOM 2016 agents.