HSLockdown breaks agent on domain controllers

This applies to SCOM 2016 but likely affects any later versions too.

When you install the agent on a DC, it breaks communication with the management group. Kev explains it here, but you need to do this on the affected agent.

To show current permissions:

cd C:\Program Files\Microsoft Monitoring Agent\Agent

HSLockdown.exe /L

To grant permission:

HSLockdown.exe /A "NT AUTHORITY\SYSTEM"

net stop healthservice & net start healthservice
