What happened?
When installing the agent as a Windows service on a deployment target, registration as a service fails with an "Access is denied" error.
After a lot of digging, I found that Windows Security is blocking the AgentService.exe process as part of its "Attack surface reduction" feature.
I will check with the system administrators whether we can make an exemption. But it would be nice if the installation procedure avoided triggering this protection.
Versions
Agent version 4.258.1 / Windows Server 2022
Environment type (Please select at least one environment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operating system
Windows Server 2022
Version control system
No response
Relevant log output
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Calculated unique group name VSTS_AgentService_G31560
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Trying to create group VSTS_AgentService_G31560
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Group VSTS_AgentService_G31560 already exists
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Trying to add userName NT AUTHORITY\SYSTEM to the group VSTS_AgentService_G31560
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Account NT AUTHORITY\SYSTEM is already member of group VSTS_AgentService_G31560
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Set full access control to group for the folder C:\azagent\A1
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Set full access control to group for the folder C:\azagent\A1\_work
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Local group 'VSTS_AgentService_G31560' already has full control to path 'C:\azagent\A1\_work'.
[2025-08-20 16:04:17Z INFO Terminal] WRITE LINE: Granting file permissions to 'NT AUTHORITY\SYSTEM'.
[2025-08-20 16:04:17Z WARN NativeWindowsServiceHelper] NetIsServiceAccount return code is 3221225695
[2025-08-20 16:04:17Z INFO NativeWindowsServiceHelper] Account 'NT AUTHORITY\SYSTEM' is managed service account: False.
[2025-08-20 16:04:17Z INFO HostContext] Well known directory 'Bin': 'C:\azagent\A1\bin'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Starting process:
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] File name: '"C:\azagent\A1\bin\AgentService.exe"'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Arguments: 'init'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Working directory: ''
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Require exit code zero: 'True'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Encoding web name: ; code page: ''
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Force kill process on cancellation: 'False'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Redirected STDIN: 'False'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Persist current code page: 'False'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Keep redirected STDIN open: 'False'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] High priority process: 'False'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] ContinueAfterCancelProcessTreeKillAttempt: 'False'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Sigint timeout: '00:00:07.5000000'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Sigterm timeout: '00:00:02.5000000'
[2025-08-20 16:04:17Z INFO ProcessInvokerWrapper] Try to use graceful shutdown: False
[2025-08-20 16:04:17Z ERR Agent] System.ComponentModel.Win32Exception (5): An error occurred trying to start process '"C:\azagent\A1\bin\AgentService.exe"' with working directory 'C:\azagent\A1'. Access is denied.
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at Microsoft.VisualStudio.Services.Agent.Util.ProcessInvoker.ExecuteAsync(String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, InputQueue`1 redirectStandardIn, Boolean inheritConsoleHandler, Boolean keepStandardInOpen, Boolean highPriorityProcess, Boolean continueAfterCancelProcessTreeKillAttempt, CancellationToken cancellationToken) in D:\a\_work\1\s\src\Agent.Sdk\ProcessInvoker.cs:line 299
at Microsoft.VisualStudio.Services.Agent.ProcessInvokerWrapper.ExecuteAsync(String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, InputQueue`1 redirectStandardIn, Boolean inheritConsoleHandler, Boolean keepStandardInOpen, Boolean highPriorityProcess, Boolean continueAfterCancelProcessTreeKillAttempt, CancellationToken cancellationToken) in D:\a\_work\1\s\src\Microsoft.VisualStudio.Services.Agent\ProcessInvoker.cs:line 329
at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.NativeWindowsServiceHelper.InstallService(String serviceName, String serviceDisplayName, String logonAccount, String logonPassword, Boolean setServiceSidTypeAsUnrestricted) in D:\a\_work\1\s\src\Agent.Listener\Configuration.Windows\NativeWindowsServiceHelper.cs:line 500
at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.WindowsServiceControlManager.ConfigureService(AgentSettings settings, CommandSettings command) in D:\a\_work\1\s\src\Agent.Listener\Configuration.Windows\WindowsServiceControlManager.cs:line 142
at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.ConfigurationManager.ConfigureAsync(CommandSettings command) in D:\a\_work\1\s\src\Agent.Listener\Configuration\ConfigurationManager.cs:line 403
at Microsoft.VisualStudio.Services.Agent.Listener.Agent.ExecuteCommand(CommandSettings command) in D:\a\_work\1\s\src\Agent.Listener\Agent.cs:line 104
[2025-08-20 16:04:17Z ERR Terminal] WRITE ERROR: An error occurred trying to start process '"C:\azagent\A1\bin\AgentService.exe"' with working directory 'C:\azagent\A1'. Access is denied.
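
The check below is an added example, not part of the original report or of the agent's code: it looks for the Defender attack surface reduction (ASR) events that would correspond to the blocked `AgentService.exe` start and lists the rule states configured on the machine. It assumes Microsoft Defender Antivirus is the active engine, an elevated PowerShell session, and the usual event field names (`ID`, `Path`, `Process Name`).

```powershell
# Added example: confirm whether an ASR rule blocked the agent's service host.
# Image name taken from the log above; everything else is read from the local machine.
$image = 'AgentService.exe'

# Event 1121 = ASR rule fired in block mode, 1122 = ASR rule fired in audit mode
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the event's named <Data> fields into a lookup table
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only events that mention the agent binary in any field
    if (($data.Values -join "`n") -notlike "*$image*") { continue }

    # Field names are an assumption; inspect the event XML if they come back empty
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId  = $data['ID']
        Path    = $data['Path']
        Process = $data['Process Name']
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize | Out-Host

# Configured rule states: 0 = disabled, 1 = block, 2 = audit, 6 = warn
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{
        RuleId       = $ids[$i]
        Action       = $actions[$i]
        MatchedEvent = $ids[$i] -in $hits.RuleId   # rule seen in the events above
    }
}
$rules | Format-Table -AutoSize | Out-Host

# ASR-only path exclusions already in place (empty if none)
'ASR exclusions: ' + ($pref.AttackSurfaceReductionOnlyExclusions -join '; ')
```

A `Block` row whose `Path` or `Process` is the agent binary identifies the rule GUID to raise with the administrators; no row at all means the "Access is denied" came from something other than ASR.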