Get-WmiObject Access Denied: SCCM Detection Method

This topic contains 3 replies, has 3 voices, and was last updated by Jennyfer Rusnak 4 years, 1 month ago.

  • #4160
    Jennyfer Rusnak
    Participant

    On the old forum I had a topic about PowerShell detection methods in System Center 2012. The forum is here: https://powershell.org/discuss/viewtopic.php?f=32&t=1859

    This script is working for me to detect if the SCCM cache size is less than 30 GB. When I run the Application as a normal user, I'm getting Get-WmiObject Access Denied.

    The PowerShell script I am using is:
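    ```powershell
    # Default scope is LocalMachine, which requires administrative rights
    Set-ExecutionPolicy Unrestricted
    # Read the ConfigMgr client cache settings (Size is in MB)
    $cache = Get-WmiObject -Namespace root\ccm\softmgmtagent -Class cacheconfig
    if ($cache.Size -lt 30000) {
        # Raise the cache size, persist the change and restart the client service
        $cache.Size = 30000
        $cache.Put()
        Restart-Service ccmexec
        Write-EventLog System -Source System -EventId 15401 -Message "Set-SCCMCacheSize Script: Set cache size to 30000 and restarted SCCM service"
        Write-Verbose "The SCCM Cache size has now been set to $($cache.Size)"
    } #if
    else {
        # Cache is already at least 30000 MB: only log that nothing was changed
        Write-EventLog System -Source System -EventId 15400 -Message "Set-SCCMCacheSize Script: Script did not run"
        Write-Verbose "The script did not run"
    } #else
    ```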

    The error I am getting in the AppDiscovery.Log is:

    ```
    In-line script returned error output: Get-WmiObject : Access denied
    At C:\Windows\CCM\SystemTemp\e6e2106c-daf5-43bb-a8ca-0f017742e302.ps1:1 char:23
    + $cache = Get-WmiObject <<<<  -Namespace root\ccm\softmgmtagent -class cacheco
    nfig
        + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], Managemen
       tException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.C
       ommands.GetWmiObjectCommand
    A script execution error has occurred. The script has no output in stdout and an error message in stderr.
    Script Execution returned error message: Get-WmiObject : Access denied
    At C:\Windows\CCM\SystemTemp\e6e2106c-daf5-43bb-a8ca-0f017742e302.ps1:1 char:23
    + $cache = Get-WmiObject <<<<  -Namespace root\ccm\softmgmtagent -class cacheco
    nfig
        + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], Managemen
       tException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.C
       ommands.GetWmiObjectCommand
    Script Execution Returned :4294967295, Error Message: Get-WmiObject : Access denied
    At C:\Windows\CCM\SystemTemp\e6e2106c-daf5-43bb-a8ca-0f017742e302.ps1:1 char:23
    + $cache = Get-WmiObject <<<<  -Namespace root\ccm\softmgmtagent -class cacheco
    nfig
        + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], Managemen
       tException
        + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.C
       ommands.GetWmiObjectCommand
    ```

    I was able to use the WMI Control mmc to modify the permissions on the root\ccm\softmgmtagent and allow Authenticated Users read security on this and the detection method is working.

    My question is, how can I use this script (or a similar script) as a detection method in SCCM 2012?
    Why would the detection method not run as System or Administrator since System Center is running it? It seems silly that it's running with the local user's rights. I can run the same application logged in as administrator and I don't have this issue. I know you can use the credential switch with the Get-WmiObject but I want this script to run as a detection method so it can't require interaction. Does anyone have any better ideas?

  • #4168
    Don Jones
    Keymaster

    I think it's more an SCCM question, but the agent does run as the local user in their context. You'd have to ask MS why they designed it that way. Aside from modifying your repository permissions as you've done, I can't think of a workaround, no.

  • #4173
    Rob Campbell
    Participant

    Would setting up a remote session on the SCCM server for the script to use, configured to use a proxy account and constrained to just doing that WMI query work?

  • #4452
    Jennyfer Rusnak
    Participant

    Don, Thanks for the feedback.

    Rob, thanks for your suggestion but I think for the simple script I'm trying to run I just decided to try it as a package instead of an application (no detection method). It isn't as smart, and I can't use it as a dependency to my large packages like I wanted to...but it seems to be working.
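
Added example, not part of the thread or any poster's code: a read-only version of the cache-size check, written as a script detection method that runs in the logged-on user's context as described above. It assumes users have been granted read access to root\ccm\softmgmtagent as in the first post, that CacheConfig.Size is in MB, and that Configuration Manager treats exit code 0 with text on stdout as "detected" and exit code 0 with empty stdout as "not detected"; the 30000 threshold comes from the original script and `$requiredMB` is a name chosen here.

```powershell
# Added example: detection only. Nothing is written back to WMI and no
# service is restarted, so the user context needs read access and nothing more.
$requiredMB = 30000   # threshold from the original script (Size is in MB)

try {
    # -ErrorAction Stop turns "Access denied" into an exception that can be
    # caught, instead of error text on stderr that fails the detection run.
    $cache = Get-WmiObject -Namespace 'root\ccm\softmgmtagent' `
                           -Class CacheConfig -ErrorAction Stop |
             Select-Object -First 1
}
catch {
    # Namespace unreadable or missing: write nothing to stdout or stderr,
    # so the result is "not detected" rather than a script failure.
    exit 0
}

if ($cache -and $cache.Size -ge $requiredMB) {
    # Any stdout text together with exit code 0 is evaluated as "detected".
    Write-Output "Cache size is $($cache.Size) MB"
}

# Empty stdout with exit code 0 is evaluated as "not detected".
exit 0
```

The change itself (`$cache.Put()` and `Restart-Service ccmexec`) needs administrative rights and belongs in the deployment's install program rather than in the detection script.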
