[German]In Windows 10 version 1803 and above remote WMI is no longer possible. A bug causes an error 0x80070005 during remote WMI operations. Here is some information about this topic.
Advertising
What is Remote WMI?
Windows Management Instrumentation (WMI) is a build in feature of Windows. According to this Microsoft WMI page it provides the following feature:
Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers but WMI also supplies management data to other parts of the operating system and products, for example System Center Operations Manager, formerly Microsoft Operations Manager (MOM), or Windows Remote Management (WinRM).
WMI does not only work locally, but also remotely via network for other Windows machines. Microsoft explains the necessary steps in the document Connecting to WMI on a Remote Computer.
BTW: Microsoft has documented several Remote Desktop Services WMI Provider error codes here.
What the problem with Remote WMI?
It seems Remote WMI does not work from Windows 10 version 1803 upward. I became aware of the problem through a tweet of @PhantomofMobile:
REMOTE CONNECTION "ACCESS DENIED" for REMOTE WMI:
Started in 1803 continues 1809@Microsoft seems nobody is LISTENING!ICYMI: @SBSDiva @woodyleonhard @AskWoody @AdminKirsty @bdsams @mehedih_ @ruthm @etguenni @SwiftOnSecurity @Karl_F1_Fan @JobCackahttps://t.co/vdOkpARVQg
1/3
— Crysta T. Lacey (@PhantomofMobile) 29. November 2018
The issue was raised at patchmanagement.org and Susan Bradley has been involved (see this thread for example). At MSDN is this forum thread, which sheds a bit more details into the issue.
Advertising
We have a custom service using system.managementscope.connect to connect to a remote wmi to gather it's system/hardware/software data.
This service runs on a windows 1803 as Local System and adds the correct impersonation & authentication level and also sets the connection options with the local username & password on the remote target.
This worked on target machines running windows 10 pro <= 1703 but started returning "access denied" on targets windows 10 pro >= 1803.
Remark: This problem only occurs when a windows 1803 (or later) machine is trying to remotely connect wmi to another 1803 (or later) machine.
We can simulate this malfunction using wbemtest.exe:
We have a problem getting a windows 10 pro machine (both in domain and workgroup) to connect to remote WMI to a windows 10 >= 1803 target in a domain or a workgroup.
Every time we try to access it, we get "access denied". This is related to the user executing the remote WMI connection.
If this user does not exist on the target machine, the remote WMI connection will always fail with "access denied", even when this user has been passed with the connection options. This has worked on targets with windows 10 <= 1703.
We did our tests using wbemtest.exe with the same impersonation & authentication level as the target (configured using dcomcnfg.exe).
Until 1703:
Test wbemtest.exe with local user of remote destination filled in in the credentials section:
Able to connect and retrieve data
Starting from 1803:
Test wbemtest.exe with local user of remote destination filled in in the credentials section):
0x80070005 access denied
Request:
We need to specifically find which LocalSecurityPolicy/Registry settings have been modified in 1803 which is blocking the remote WMI connects.
We already tried disabling windows defender, modifying remote uac, LocalAccountTokenFilterPolicy (and rebooting) but none of these changes worked so far.
Within this forum post, the thread starter encountered the issue through a special application. However, he was able to prove the error with the Windows program wbemtest.exe:
- WMI queries can be executed locally on Windows 10 machines using via wbemtest.exe.
- Remote WMI queries can be successfully executed via wbemtest.exe on Windows 10 V1709 machines.
- From Windows 10 V1803 upwards, remote WMI calls using wbemtest.exe ends with error 0x80070005 access denied.
The issue also exists in Windows 10 V1809 and Windows Server 2019 (and probably also in Windows Server V1809). This behavior has been confirmed by several users, so it is not related to access rights granted from a user – it seems it's a bug in Windows 10.
not only this, also if you use Event Manager the Event Collections are not shown remotely, only local
e.g. open Event Viewer and remotely connect on a Server with NPS role, locally you see Event Collection view, not so remote, also affect other services— al Qamar (@Karl_F1_Fan) 29. November 2018
Currently the discussion has been running on MSDN since the beginning of November 2018. On Twitter @Karl_F1_Fan confirms that the Event Manager cannot display remote events. So the whole thing has a lot of side effects that make remote WMI related task impossible. As it looks, @AzureSupport has taken note of the topic according to this tweet. If any of you are affected by the topic, you could left a feedback at twitter or drop a command here.
Addenum: A German blog reader wrote, that the issue isn't present, if Kerberos authentication is used.
