Set WMI permissions using PowerShell RRS feed

  • General discussion

  • The topic of setting WMI access permissions via script and GPO has come up over the years. There are a couple of scripts posted on Microsoft blogs that work great, but I came up with a short three liner PS script that I wanted to share here. It uses the __SystemSecurity.setSD method, which requires that you obtain the security descriptor byte array prior. This means you have to set the security to how you want it using the something like the WMI Control mmc and then querying the security to obtain the SD in byte array. Once you have set the SD as desired using the WMI Control mmc, use getSD to obtain the byte array (Note: Using root\cimv2 namespace as an example):
    (Invoke-WmiMethod -namespace "root\cimv2" -class __SystemSecurity -Name GetSD).SD
    Next, you will need to make that byte array a comma separated value that you will use in the script to set the security as shown below. In this example, the value of SD will set security to Windows out-of-box default security on the root\cimv2 and root\DEFAULT namespaces. Simply replace the byte array (comma separated list between the parentheses) with the value returned in the prior query, after setting the security using the mmc.
    $SD = (1,0,4,128,148,0,0,0,164,0,0,0,0,0,0,0,20,0,0,0,2,0,128,0,4,0,0,0,0,18,24,0,63,0,6,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,20,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,19,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0)
    $NameSpaces = "root\cimv2","root\DEFAULT"
    foreach($ns in $NameSpaces){Invoke-WmiMethod -Namespace $ns -Class __systemsecurity -Name setSD (,$SD)}

    • Edited by Brandon.M Monday, November 18, 2019 9:29 PM
    Monday, November 18, 2019 9:24 PM