0

I'm trying to retrieve WMI objects on a remote machine using the following PowerShell code:

Get-WmiObject -ComputerName mymachine -class Win32_operatingSystem -Authentication PacketIntegrity

However, as KB5004442 (https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c) is installed and activated on my computer (RequireIntegrityActivationAuthenticationLevel registry key set to 1), I get an "Access denied" error.

In the Event Viewer on the server side, I can see the related error 10036: The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application

From my point of view, specifying "PacketIntegrity" as the authentication level should have done the trick (I've always tried with the PacketPrivacy level).

When disabling the KB (setting RequireIntegrityActivationAuthenticationLevel to 0 and rebooting), the command works perfectly.

I've always tried to make this call using VBScript with the same result: GetObject("winmgmts:{authenticationLevel=packetIntegrity}!\\mymachine\Root\CIMv2")

My objective here is to be able to continue to request WMI objects after March 14, 2023, when it will be impossible to disable KB5004442.

nmariot

2 Answers

1

Actually, after opening an incident ticket with Microsoft, it seems there is no problem.

In my configuration, the client was not updated to the latest patch level, and so that didn't work. I.e., both client & server must have the patch deployed (at least KB5006714 for Windows 8.1 and Windows Server 2012, see https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c)

So, as not clearly explained in the Microsoft KB, nothing needs to be done to have DCOM continue to work after the application of the patch KB5004442, just upgrade your systems!

nmariot
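Since the fix above depends on the patch and hardening state of both ends, here is an added example (not part of the original answer) that reports the hardening registry value and recent DCOM hardening events on the machine where it runs. The function name, the 7-day window, the registry path and the client-side event IDs 10037/10038 are not from this page; the path and IDs are the ones documented in KB5004442.

```powershell
# Added example: report the local DCOM hardening state and recent hardening events.
# Run elevated on BOTH the WMI client and the WMI server, then compare the results.
function Get-DcomHardeningState {
    [CmdletBinding()]
    param(
        [int]$Days = 7   # assumption: how far back to search the System log
    )

    # Registry location documented in KB5004442; the value is absent unless set explicitly.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    $name  = 'RequireIntegrityActivationAuthenticationLevel'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # 10036 = server refused an activation below packet integrity (the error in the question).
    # 10037 / 10038 = client-side events: a local application requested a lower level.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = [Environment]::OSVersion.Version.ToString()
        RegistryValue = if ($null -eq $value) { 'not set (OS default applies)' } else { $value }
        ServerDenied  = @($events | Where-Object Id -eq 10036).Count
        ClientLowAuth = @($events | Where-Object Id -in 10037, 10038).Count
        LastEvents    = $events | Select-Object -First 5 TimeCreated, Id, Message
    }
}

Get-DcomHardeningState -Days 7 | Format-List
```

A non-zero ServerDenied count on the server with no matching client-side events on the caller is consistent with the situation described in the answer: a client that has not yet received the update.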
0

There are things that seem to have issues even if you disable it; for example, we had problems with a script that installed an RDS cluster. The only way we could get it to work was to set the security to "packet integrity" on all the machines that were part of the deployment.

DaveH