Why am I getting a permission error for AgentService.exe after Azure agent installation from Agent Pool?

Question

Why am I getting a permission error for AgentService.exe after Azure agent installation from Agent Pool?

Chris 0

I've currently trying to install an agent from Azure Devops > Project Settings > Agent Pools > Agents. I've set up the machines, and am able to get the agent itself onto the machine, and run them manually. However, I cannot run them as a service because during the installation, I get the following error:

An error occurred trying to start process '"C:\agent\bin\AgentService.exe"' with working directory 'C:\azagent'. Access is denied.

I would really appreciate any help resolving this error.

I have tried several credentials, admin, non-admin, new users, etc. but for some reason, I cannot seem to get past this error. Is there a particular user I'm supposed to use from Azure? Is it an issue with the security settings on my computer? I've even tried testing giving the current user full access to that specific file through the property settings. None of these work. I'm wondering what I did wrong.

I can still run the agent manually via the .\run.cmd command in Powershell, but I cannot start the AgentService.exe in C:\agent\bin\AgentService.exe.

EDIT (Some more details):

PS C:\agent> .\config.cmd
  ___                      ______ _            _ _
 / _ \                     | ___ (_)          | (_)
/ /_\ \_____   _ _ __ ___  | |_/ /_ _ __   ___| |_ _ __   ___  ___
|  _  |_  / | | | '__/ _ \ |  __/| | '_ \ / _ \ | | '_ \ / _ \/ __|
| | | |/ /| |_| | | |  __/ | |   | | |_) |  __/ | | | | |  __/\__ \
\_| |_/___|\__,_|_|  \___| \_|   |_| .__/ \___|_|_|_| |_|\___||___/
                                   | |
        agent v4.251.0             |_|          (commit 69c6517)
>> Connect:
Enter server URL > https://xxx.visualstudio.com
Enter authentication type (press enter for PAT) >
Enter personal access token > ***
Connecting to server ...
>> Register Agent:
Enter agent pool (press enter for default) > TEST-QA1
Enter agent name (press enter for SRVR1) >
Scanning for tool capabilities.
Connecting to the server.
Pool TEST-QA1 already contains an agent with name SRVR1.
Enter replace? (Y/N) (press enter for N) > Y
Successfully replaced the agent
Testing agent connection.
Enter work folder (press enter for _work) >
2025-02-27 21:32:31Z: Settings Saved.
Enter run agent as service? (Y/N) (press enter for N) > y
Enter enable SERVICE_SID_TYPE_UNRESTRICTED for agent service (Y/N) (press enter for N) >
Enter User account to use for the service (press enter for NT AUTHORITY\NETWORK SERVICE) > ******@abc.com
Enter Password for the account SRVR1\******@abc.com > ***
Error reported in diagnostic logs. Please examine the log for more details.
    - C:\agent\_diag\Agent_00000000-000000-utc.log
Granting file permissions to 'SRVR1\******@abc.com'.
An error occurred trying to start process '"C:\agent\bin\AgentService.exe"' with working directory 'C:\agent'. Access is denied.
PS C:\agent>

Mounika Reddy Anumandla 2,975 Reputation points Microsoft External Staff

2025-02-28T03:49:45.63+00:00

Hi Chris,

Welcome to Microsoft Q&A Platform!

I understand that you are trying to install an Azure DevOps Self-Hosted Agent on a windows virtual machine and configure it to run as a service. The installation works when run manually, but when trying to run it as a service, it fails with:

"An error occurred trying to start process 'C:\agent\bin\AgentService.exe' with working directory 'C:\agent'. Access is denied."

This suggests a permissions issue when attempting to install and start the agent service.

Uses NT AUTHORITY\NETWORK SERVICE by default. This account has elevated system privileges. I see you have specified a different user. Make sure you have sufficient permissions for the user account you provided. You can specify a built-in account or a user account. If you specify a user account, it must have Log on as a service permission.

For more information:
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/windows-agent?view=azure-devops#windows-only-startup

https://learn.microsoft.com/en-us/azure/devops/server/account-requirements?view=azure-devops-2022

Hope this helps!

Let me know if you have any further queries!

If the comment is helpful, please click "upvote" or tag me in the comments to let us know!
Arko 335 Reputation points Microsoft External Staff

2025-03-04T12:42:25.2+00:00

Hello Chris, hope Mounika's answer was helpful, if so kindly accept the answer.
Chris 0 Reputation points

2025-03-04T21:11:15.3866667+00:00

Hello, the above did not resolve the issue and produces the same results regardless of the account that is being used (I've tried quite a few). Is there any way, without reconfiguring it, to view the configuration account tied to the created config? If so, I could attempt to review the config of other machines where this process (the service) is working properly. Also, if it helps, I used the Microsoft-provided PowerShell script from "https://{organization}.visualstudio.com/_settings/deploymentpools?view=pool&poolid={id}&tab=Details".
Chris 0 Reputation points

2025-03-06T22:39:45.6333333+00:00

Yes, that is correct. Sure.

I can confirm that in secpol.msc, "Log on as a service" contains the user "SRVR1\user" and "Deny log on as a service" does not.

After the restart, I when back to the AgentService.exe file to run it, and it still fails, saying "Windows cannot access the specified device path, or file. You may not have the appropriate permissions to access the item." This is even will having "Full Control" of the file, and the parent directory ("C:\agent") for the user "SRVR1\user".

Upon reviewing the documentation, it also appears that ".\run --diagnostics" is running fine with no issue, but the service cannot be started.

Does AgentService.exe need to access resources of directories outside of the C:\agent directory that may be blocked?
Chris 0 Reputation points

2025-03-06T22:43:09.57+00:00

Yes, that is correct. Sure.

I can confirm that in secpol.msc, "Log on as a service" contains the user "SRVR1\user" and "Deny log on as a service" does not.

After the restart, I when back to the AgentService.exe file to run it, and it still fails, saying "Windows cannot access the specified device path, or file. You may not have the appropriate permissions to access the item." This was done with "Full Control" of both the file its parent directory ("C:\agent") and everything else inside it. Does AgentService.exe need to access resources of directories outside of the "C:\agent" directory that may be blocked?

Upon reviewing the documentation, it also appears that ".\run --diagnostics" is running fine with no issue, but the service cannot be started.
Arko 335 Reputation points Microsoft External Staff

2025-03-07T04:39:58.0266667+00:00

Thanks for checking these things for me Chris, let's do few more checks to narrow down the problem. Even though "SRVR1\user" has Full Control over C:\agent, there could be a possibility that the AgentService.exe may be trying to access other directories. Let's check that.
first check-
Try running Process Monitor (ProcMon.exe) from Sysinternals to capture any "ACCESS DENIED" errors when attempting to start the service. If "ACCESS DENIED" errors are found, grant SRVR1\user permissions to the required directories.

Second check-
Do a Get-Item "C:\agent\bin\AgentService.exe" | Unblock-File to check if the file is blocked and accordingly set the execution policy using Set-ExecutionPolicy RemoteSigned -Scope LocalMachine . Locate the agent service under services.msc, goto it's properties and under Log On tab verify that the correct account (SRVR1\user) is being used.

Third check-
We will check the group policy as well under gpedit.msc and check for policies related to user rights assignment, software execution policies, service restrictions

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

And last check under eventvwr.msc under Windows Logs > Application Windows Logs > System and look for errors related to AgentService.exe

Kindly share with me these details so that we can negate out all the other possibilities and narrow down on the actual issue inorder to provide you with a better resolution.
Chris 0 Reputation points

2025-03-10T16:50:51.8166667+00:00
First Check:

Ok, when running ProcMon.exe, upon running AgentService.exe, I see the following errors:

BUFFER_TOO_SMALL errors coming from the QueryEAFile (MsMpEng.exe)

BUFFER_OVERFLOW errors coming from QueryInformationVolume, QueryAllInformationFile (MsMpEng.exe)

OPLOCK_HANDLE_CLOSED errors coming from FileSystemControl (MsMpEng.exe)

Second Check:

Upon running "Get-Item C:\agent\bin\AgentService.exe" | Unblock-File, there was no output. I also ran Set-ExecutionPolicy RemoteSigned -Scope LocalMachine on the directory C:\agent. Was that the correct thing to do?

Third Check:

While I could access "Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options", I didn't see any explicit references to "user rights assignment", "software execution policies", or "service restrictions". Are there specific policies I am supposed to be looking for?

Fourth Check:

When I review the eventvwr.msc while trying to run AgentService.exe, I get the following results in the logs:

In Application Logs:

The HostOptions.BackgroundServiceExceptionBehavior is configured to StopHost. A BackgroundService has thrown an unhandled exception, and the IHost instance is stopping. To avoid this behavior, configure this to Ignore; however the BackgroundService will not be restarted.

BackgroundService failed

Failed to determine the https port for redirect.

In System Logs:

A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Arko 335 Reputation points Microsoft External Staff

2025-03-11T08:18:03.49+00:00

Thanks for sharing the requested details Chris.
These errors you see (BUFFER_TOO_SMALL, BUFFER_OVERFLOW, OPLOCK_HANDLE_CLOSED) are likely caused by Windows Defender (MsMpEng.exe) interfering with your agent service.

We can try excluding the C:\agent directory from Windows Defender->Virus & threat protection->Exclusions->Add the entire C:\agent folder

and restart your VM/system.

Secondly if Unblock-File gave no output, that means the file wasn’t blocked and yes that was the correct thing you did.

And from your error logs from event viewer, I can see

A BackgroundService has thrown an unhandled exception, and the IHost instance is stopping

and

TLS client credential. The internal error state is 10013.

First error fix- try reinstalling the latest .NET Hosting Bundle (matching your agent's version)

and the second error means there’s an issue with TLS/SSL settings. The agent may be trying to connect to Azure DevOps, but TLS is misconfigured. You can enable TLS 1.2 and reset Schannel Registry

1 answer

Your answer

Mounika Reddy Anumandla 2,975 Reputation points Microsoft External Staff

2025-02-28T03:49:45.63+00:00

Hi Chris,

Welcome to Microsoft Q&A Platform!

I understand that you are trying to install an Azure DevOps Self-Hosted Agent on a windows virtual machine and configure it to run as a service. The installation works when run manually, but when trying to run it as a service, it fails with:

"An error occurred trying to start process 'C:\agent\bin\AgentService.exe' with working directory 'C:\agent'. Access is denied."

This suggests a permissions issue when attempting to install and start the agent service.

Uses NT AUTHORITY\NETWORK SERVICE by default. This account has elevated system privileges. I see you have specified a different user. Make sure you have sufficient permissions for the user account you provided. You can specify a built-in account or a user account. If you specify a user account, it must have Log on as a service permission.

For more information:
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/windows-agent?view=azure-devops#windows-only-startup

https://learn.microsoft.com/en-us/azure/devops/server/account-requirements?view=azure-devops-2022

Hope this helps!

Let me know if you have any further queries!

If the comment is helpful, please click "upvote" or tag me in the comments to let us know!
Arko 335 Reputation points Microsoft External Staff

2025-03-04T12:42:25.2+00:00

Hello Chris, hope Mounika's answer was helpful, if so kindly accept the answer.
Chris 0 Reputation points

2025-03-04T21:11:15.3866667+00:00

Hello, the above did not resolve the issue and produces the same results regardless of the account that is being used (I've tried quite a few). Is there any way, without reconfiguring it, to view the configuration account tied to the created config? If so, I could attempt to review the config of other machines where this process (the service) is working properly. Also, if it helps, I used the Microsoft-provided PowerShell script from "https://{organization}.visualstudio.com/_settings/deploymentpools?view=pool&poolid={id}&tab=Details".
Chris 0 Reputation points

2025-03-06T22:39:45.6333333+00:00

Yes, that is correct. Sure.

I can confirm that in secpol.msc, "Log on as a service" contains the user "SRVR1\user" and "Deny log on as a service" does not.

After the restart, I when back to the AgentService.exe file to run it, and it still fails, saying "Windows cannot access the specified device path, or file. You may not have the appropriate permissions to access the item." This is even will having "Full Control" of the file, and the parent directory ("C:\agent") for the user "SRVR1\user".

Upon reviewing the documentation, it also appears that ".\run --diagnostics" is running fine with no issue, but the service cannot be started.

Does AgentService.exe need to access resources of directories outside of the C:\agent directory that may be blocked?
Chris 0 Reputation points

2025-03-06T22:43:09.57+00:00

Yes, that is correct. Sure.

I can confirm that in secpol.msc, "Log on as a service" contains the user "SRVR1\user" and "Deny log on as a service" does not.

After the restart, I when back to the AgentService.exe file to run it, and it still fails, saying "Windows cannot access the specified device path, or file. You may not have the appropriate permissions to access the item." This was done with "Full Control" of both the file its parent directory ("C:\agent") and everything else inside it. Does AgentService.exe need to access resources of directories outside of the "C:\agent" directory that may be blocked?

Upon reviewing the documentation, it also appears that ".\run --diagnostics" is running fine with no issue, but the service cannot be started.
Arko 335 Reputation points Microsoft External Staff

2025-03-07T04:39:58.0266667+00:00

Thanks for checking these things for me Chris, let's do few more checks to narrow down the problem. Even though "SRVR1\user" has Full Control over C:\agent, there could be a possibility that the AgentService.exe may be trying to access other directories. Let's check that.
first check-
Try running Process Monitor (ProcMon.exe) from Sysinternals to capture any "ACCESS DENIED" errors when attempting to start the service. If "ACCESS DENIED" errors are found, grant SRVR1\user permissions to the required directories.

Second check-
Do a Get-Item "C:\agent\bin\AgentService.exe" | Unblock-File to check if the file is blocked and accordingly set the execution policy using Set-ExecutionPolicy RemoteSigned -Scope LocalMachine . Locate the agent service under services.msc, goto it's properties and under Log On tab verify that the correct account (SRVR1\user) is being used.

Third check-
We will check the group policy as well under gpedit.msc and check for policies related to user rights assignment, software execution policies, service restrictions

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

And last check under eventvwr.msc under Windows Logs > Application Windows Logs > System and look for errors related to AgentService.exe

Kindly share with me these details so that we can negate out all the other possibilities and narrow down on the actual issue inorder to provide you with a better resolution.
Chris 0 Reputation points

2025-03-10T16:50:51.8166667+00:00

First Check:

Ok, when running ProcMon.exe, upon running AgentService.exe, I see the following errors:

BUFFER_TOO_SMALL errors coming from the QueryEAFile (MsMpEng.exe)

BUFFER_OVERFLOW errors coming from QueryInformationVolume, QueryAllInformationFile (MsMpEng.exe)

OPLOCK_HANDLE_CLOSED errors coming from FileSystemControl (MsMpEng.exe)

Second Check:

Upon running "Get-Item C:\agent\bin\AgentService.exe" | Unblock-File, there was no output. I also ran Set-ExecutionPolicy RemoteSigned -Scope LocalMachine on the directory C:\agent. Was that the correct thing to do?

Third Check:

While I could access "Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options", I didn't see any explicit references to "user rights assignment", "software execution policies", or "service restrictions". Are there specific policies I am supposed to be looking for?

Fourth Check:

When I review the eventvwr.msc while trying to run AgentService.exe, I get the following results in the logs:

In Application Logs:

The HostOptions.BackgroundServiceExceptionBehavior is configured to StopHost. A BackgroundService has thrown an unhandled exception, and the IHost instance is stopping. To avoid this behavior, configure this to Ignore; however the BackgroundService will not be restarted.

BackgroundService failed

Failed to determine the https port for redirect.

In System Logs:

A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
Arko 335 Reputation points Microsoft External Staff

2025-03-11T08:18:03.49+00:00

Thanks for sharing the requested details Chris.
These errors you see (BUFFER_TOO_SMALL, BUFFER_OVERFLOW, OPLOCK_HANDLE_CLOSED) are likely caused by Windows Defender (MsMpEng.exe) interfering with your agent service.

We can try excluding the C:\agent directory from Windows Defender->Virus & threat protection->Exclusions->Add the entire C:\agent folder

and restart your VM/system.

Secondly if Unblock-File gave no output, that means the file wasn’t blocked and yes that was the correct thing you did.

And from your error logs from event viewer, I can see

A BackgroundService has thrown an unhandled exception, and the IHost instance is stopping

and

TLS client credential. The internal error state is 10013.

First error fix- try reinstalling the latest .NET Hosting Bundle (matching your agent's version)

and the second error means there’s an issue with TLS/SSL settings. The agent may be trying to connect to Azure DevOps, but TLS is misconfigured. You can enable TLS 1.2 and reset Schannel Registry

Answer 1

Hello Chris, In order to install an Azure DevOps Self-Hosted Agent on a windows virtual machine and configure it to run as a service.
Go to Azure DevOps > Select your Organization.
Navigate to Project Settings > Agent Pools.
Click Add Pool > Give it a name (in this case I am using TEST-POOL).
Select Self-hosted and create.

enter image description here

Download and extract the Agent under C:\agent

enter image description here

Configure the Agent under cd C:\agent and then run .\config.cmd

Enter server URL: https://dev.azure.com/Whatever is your ORG NAME
Enter authentication type: Just press Enter first time (default is PAT).
Enter agent pool: Use the pool you created (For example TEST-POOL).
Enter agent name: Any name of your choice (e.g., LAPTOP-AGENT).
Enter work folder: Press Enter to use work.
Enter run agent as a service?: Type y and press Enter.
Enter user account to use for the service: Use NT AUTHORITY\NETWORK SERVICE or a custom user.

enter image description here

The agent should register successfully.

Now coming to your blocker when trying the above steps i.e when you are trying to install the agent on your system and following the prompts upto where it asks to enter user account to use for the service, you are getting Access is denied error correct?

If so, could you kindly check few things for me and let me know-

We can start by checking if the user i.e. you have sufficient permission. For this you can goto run and type secpol.msc which should open Local Security Policy tab.

enter image description here

As highlighted in screenshot, Goto Security Settings > Local Policies > User Rights Assignment > Log on as a service.

Open it and add your specified (SRVR1\user).

Before that once check Deny log on as a service as well. If your user is listed, remove it.

enter image description here

Once the above checks are done, goto the path where your agent is, goto it's property section > security tab and add your user if missing or edit and cross the permission. preferably give full control.

enter image description here

and restart your system.

If your issue persists, check event logs under event viewer and look for error messages related to AgentService.exe and you confirmed those details in comment section. I have replied below your comment on the meaning of those errors and how can you clear them up.

checkout- https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/windows-agent?view=azure-devops#confirm-the-user-has-permission

Share via

Why am I getting a permission error for AgentService.exe after Azure agent installation from Agent Pool?

1 answer

Your answer