This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 80%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM7%3C/text%3E%3C/svg%3E)
I recently found out that the DCom hardening soluition Microsoft shipped with the June updates causes remote WMI from Windows PE to fail with an access denied message. When implementing the temporary registry key workaround, remote WMI queries do work.
My situation is one where I use a pre-start command in the Configuration Manager boot image to run a powershell script that uses WMI to query the configuration manager environment to check the local UUID against the database to see whether a system is already in Config Manager. The script uses a valid user account for the WMI query. With the June updates this query returns an access denied message.
When implementing the registry key highlighted in KB5004442 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat) on the server, the WMI request works again.
Running the same piece of code form a regular Windows 10 machine, with the same credentials, does not get an access denied and returns the request like expected.
My question is how can I configure DCOM/Remote WMI in Windows PE to use the same security level as a regular Windows 10 system?
Hi,
Do you mean to get the expected query result without the access denied error when not implementing the registry key workaround to disable the hardening changes on the server? If I have any misunderstood, please feel free to let me know.
Have a nice day!
Best regards,
Simon
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 45%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
I have a script that runs during an Endpoint Configuration Manager Operating System Deployment Task Sequence which needs to function with increased security. The script queries my Management Point for basic machine information and uses the returned data to pre-populate a form. I've updated my code to be compliant with DCOM hardening, but it seems Windows PE can't accommodate this. I set RaiseActivationAuthenticationLevel = 2 in my Boot Image (via the registry edit intended for Windows 10) but that didn't work. The boot image is version 10.0.19041.1 and MECM is Current Branch version 2111. As of now, I have to disable hardening on the server side for the script to work properly.
How can I get Windows PE to be compliant with DCOM hardening?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 19%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELA%3C/text%3E%3C/svg%3E)
Just starting to have same issue from WINPE to compare to a WINDOWS 2019 Workgroup which still works with exact same scripts. Impossible to have a successful DCOM communication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 69%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
Have you found a solution for this issue, experiencing the same issue in WinPE environment to query sccm.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 10%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
Having the same issue, have a PS script making calls to the SCCM server to pull build relevant data and now failing. Please can this be remediated for Windows PE, it's a real problem for our build solutioning.
Rewrite your scripts to use the administration service.
https://learn.microsoft.com/en-us/mem/configmgr/develop/adminservice/usage
We fixed this issue by replacing wmi querys with admin service based query's.
https://learn.microsoft.com/en-us/mem/configmgr/develop/adminservice/overview