DCom hardening breaks remote WMI in Windows PE?

Question

DCom hardening breaks remote WMI in Windows PE?

Marco[73] 6

I recently found out that the DCom hardening soluition Microsoft shipped with the June updates causes remote WMI from Windows PE to fail with an access denied message. When implementing the temporary registry key workaround, remote WMI queries do work.

My situation is one where I use a pre-start command in the Configuration Manager boot image to run a powershell script that uses WMI to query the configuration manager environment to check the local UUID against the database to see whether a system is already in Config Manager. The script uses a valid user account for the WMI query. With the June updates this query returns an access denied message.

When implementing the registry key highlighted in KB5004442 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat) on the server, the WMI request works again.

Running the same piece of code form a regular Windows 10 machine, with the same credentials, does not get an access denied and returns the request like expected.

My question is how can I configure DCOM/Remote WMI in Windows PE to use the same security level as a regular Windows 10 system?

Simon Ren-MSFT 14,856 Reputation points Microsoft Vendor

2022-09-09T07:11:03.997+00:00

Hi,

Do you mean to get the expected query result without the access denied error when not implementing the registry key workaround to disable the hardening changes on the server? If I have any misunderstood, please feel free to let me know.

Have a nice day!

Best regards,
Simon
BGilliamLCSS 0 Reputation points

2023-03-10T21:16:22.72+00:00

I have a script that runs during an Endpoint Configuration Manager Operating System Deployment Task Sequence which needs to function with increased security. The script queries my Management Point for basic machine information and uses the returned data to pre-populate a form. I've updated my code to be compliant with DCOM hardening, but it seems Windows PE can't accommodate this. I set RaiseActivationAuthenticationLevel = 2 in my Boot Image (via the registry edit intended for Windows 10) but that didn't work. The boot image is version 10.0.19041.1 and MECM is Current Branch version 2111. As of now, I have to disable hardening on the server side for the script to work properly.

How can I get Windows PE to be compliant with DCOM hardening?

Simon Ren-MSFT 14,856 Reputation points Microsoft Vendor

2022-09-09T07:11:03.997+00:00

Hi,

Do you mean to get the expected query result without the access denied error when not implementing the registry key workaround to disable the hardening changes on the server? If I have any misunderstood, please feel free to let me know.

Have a nice day!

Best regards,
Simon
BGilliamLCSS 0 Reputation points

2023-03-10T21:16:22.72+00:00

I have a script that runs during an Endpoint Configuration Manager Operating System Deployment Task Sequence which needs to function with increased security. The script queries my Management Point for basic machine information and uses the returned data to pre-populate a form. I've updated my code to be compliant with DCOM hardening, but it seems Windows PE can't accommodate this. I set RaiseActivationAuthenticationLevel = 2 in my Boot Image (via the registry edit intended for Windows 10) but that didn't work. The boot image is version 10.0.19041.1 and MECM is Current Branch version 2111. As of now, I have to disable hardening on the server side for the script to work properly.

How can I get Windows PE to be compliant with DCOM hardening?

DCom hardening breaks remote WMI in Windows PE?

Activity