MAP Toolkit: Prepare the Environment - WMI

IMPORTANT: Keep checking the MAP Blog and MAP Toolkit Content Index (en-US) for updates and changes, especially after new versions of MAP are released.

The WMI collector in the MAP Toolkit is used to gather hardware, device, and software information from remote Windows based computers. This collector technology is used for these inventory scenarios and must be enabled on the remote target computers.

  • Windows computers
  • Windows Volume Licensing
  • Active devices and users
  • Exchange Server
  • Forefront Endpoint Protection Server
  • Lync Server
  • Software ID (SWID) tags
  • SQL Server
  • SQL Server with Database Details
  • Windows Azure Platform Migration
  • Oracle
  • Client access tracking for Windows Server 2012
  • Client access tracking for SQL Server 2012
  • Client access tracking for Configuration Manager
  • Client access tracking for SharePoint Server 2013
  • Client access tracking for Remote Desktop Services

The Inventory and Assessment Wizard does not provide an option to enable WMI; you must enable it through Group Policy settings, logon scripts, or manually on each computer.

To connect remotely and perform the WMI inventory, you must provide accounts that are members of the local Administrators group on the computer being inventoried. For most networks, the network administrator will have a domain or local account that is a member of the local Administrators group on all the computers in the environment. These are the accounts you should enter on the Active Directory Credentials page in the Inventory and Assessment Wizard to perform the WMI inventory. By default, in Windows domain environments, the Domain Admins security group is added to the local Administrators group on a computer when it is joined to a domain.

Common WMI Firewall Considerations

Many host-based and software-based firewall products will block DCOM traffic across the network adapters on the computer. For example, remote WMI connections will likely fail when attempting to connect to a computer running the Microsoft Internet Security and Acceleration (ISA) Server firewall service. To enable remote WMI access, make sure that the appropriate TCP/UDP ports are open on the computer running the software firewall.

If your firewall cannot allow a service such as WMI or Remote Administration by name, you will instead need to open port 135 and the range 1024-65535. The reason lies in how RPC works: WMI uses DCOM to communicate with remote machines, and DCOM relies heavily on RPC.

When a computer boots, the RPC service assigns WMI a dynamic port. When the MAP computer makes a WMI request, it first contacts the target computer's RPC Endpoint Mapper, which listens on port 135, and asks which port WMI has been assigned. The Endpoint Mapper replies with that machine's port, and MAP then sends the WMI query to it. The port can differ on every machine MAP connects to, which is why the range cannot be narrowed beyond 1024-65535; many other applications and services that use RPC for remote communication work the same way.

See this MSDN topic to force WMI to use a static port. (http://msdn.microsoft.com/en-us/library/bb219447(VS.85).aspx)
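The two-hop behaviour described above (Endpoint Mapper on 135, then the dynamic port) is the usual reason a WMI inventory fails behind a firewall. The following PowerShell function is an added example, not part of the MAP Toolkit documentation, that you run on the MAP computer to separate the two cases: it checks whether TCP 135 answers, then issues a real WMI query so the DCOM hop to the dynamic port is exercised as well. The computer names and the credential prompt are constructed for the example.

```powershell
function Test-MapWmiTarget {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    foreach ($target in $ComputerName) {
        $r = [ordered]@{ Computer = $target; Port135 = $false; WmiOk = $false; Detail = '' }

        # Step 1: TCP 135 must answer, otherwise WMI can never learn the dynamic port.
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $handle = $tcp.BeginConnect($target, 135, $null, $null)
            if ($handle.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected) {
                $r.Port135 = $true
            } else {
                $r.Detail = 'TCP 135 not reachable (RPC Endpoint Mapper blocked or host down)'
            }
        } catch {
            $r.Detail = "TCP 135: $($_.Exception.Message)"
        } finally {
            $tcp.Close()
        }

        # Step 2: a real query exercises the second hop to the dynamic port (1024-65535).
        if ($r.Port135) {
            try {
                $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target `
                        -Credential $Credential -ErrorAction Stop
                $r.WmiOk  = $true
                $r.Detail = "WMI OK: $($os.Caption)"
            } catch {
                # 0x800706BA "The RPC server is unavailable": 135 answered but the dynamic port is blocked.
                # 0x80070005 "Access is denied": credentials, sharing model (Guest only) or UAC token filtering.
                $r.Detail = "WMI failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$r
    }
}

# Usage (computer names are constructed sample values):
$cred = Get-Credential -Message 'Account in the targets'' local Administrators group'
Test-MapWmiTarget -ComputerName 'SERVER01', 'SERVER02' -Credential $cred | Format-Table -AutoSize
```

A row with Port135 true and WmiOk false points at the dynamic-port range or at the authentication settings covered later on this page; Port135 false means the Endpoint Mapper itself is blocked, so the remote administration exception has not reached that computer.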

Computers running Windows Firewall introduce some challenges to the inventory process. By default, Windows Firewall is configured to block remote requests to authenticate and connect to the computer via WMI. The following sections describe how to enable the required exceptions using Group Policy and scriptable commands.

WMI in Active Directory Environments

Use the Group Policy Editor or the Group Policy Management Console to edit Group Policy for the organizational units (OUs) that contain the computers on which you will perform the assessment. For instructions, see the following resources:

To Enable Remote Administration Exception Using Group Policy

You need to enable the Remote Administration exception for computers that have Windows Firewall enabled. This exception opens TCP port 135 used by RPC and DCOM. If you have another host firewall installed or a network firewall, you will need to consult that system's documentation on allowing the WMI service through the firewall.

  1. Click Start and then click Run. In the Open box, type gpedit.msc and then click OK.
  2. Under Console Root, expand Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall and then click Domain Profile.
  3. Right-click Windows Firewall: Allow remote administration exception and then click Properties.
  4. Click Enabled and then click OK.

To Enable Windows Firewall Exceptions Using Group Policy

  1. Using the Local Group Policy Editor, expand Computer Configuration\Windows Settings\Security Settings\Local Policies and then click Security Options.
  2. In the Network access: Sharing and security model for local accounts section, click Classic – local users authenticate as themselves.
  3. Expand Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall and then click Domain Profile.
  4. In the Windows Firewall: Allow remote administration exception section, click Enabled.
  5. In the Allow unsolicited incoming messages from box, type the IP address or subnet of the computer that will perform the inventory.

After saving the policy changes, you need to wait for up to two hours for the Group Policy settings to be applied to the client computers.
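Rather than waiting for the refresh interval, you can confirm on a client whether the two settings from the procedures above have arrived. The function below is an added example, not part of the MAP Toolkit documentation; the registry locations it reads (the Windows Firewall policy key for the Remote Administration exception and the LSA forceguest value for the sharing model) are assumptions about where Windows stores these policies.

```powershell
function Test-MapGroupPolicyApplied {
    $report = [ordered]@{}

    # "Windows Firewall: Allow remote administration exception" (Domain Profile), assumed location.
    $ra = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
    if (Test-Path $ra) {
        $p = Get-ItemProperty -Path $ra
        $report.RemoteAdminEnabled = ($p.Enabled -eq 1)
        # Scope typed into "Allow unsolicited incoming messages from" (IP address or subnet of the MAP computer)
        $report.AllowedFrom = $p.RemoteAddresses
    } else {
        $report.RemoteAdminEnabled = $false
        $report.AllowedFrom = '(policy not present on this computer)'
    }

    # "Network access: Sharing and security model for local accounts", assumed location.
    # forceguest 0 = Classic (local users authenticate as themselves), 1 = Guest only.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
               -Name forceguest -ErrorAction SilentlyContinue
    $report.SharingModelClassic = ($null -ne $lsa -and $lsa.forceguest -eq 0)

    [pscustomobject]$report
}

Test-MapGroupPolicyApplied

# If the exception is still missing, force a policy refresh instead of waiting for the cycle:
#   gpupdate /target:computer /force
```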

WMI In Workgroups and Windows NT 4.0 Based Domains

For computers in a workgroup, you need to manually configure each computer. For computers in a Windows NT® 4.0–based domain, use logon scripts to configure the Windows Firewall exceptions.

Set Password for Local Accounts

If a computer is in a workgroup and the local account used for inventory does not have a password configured, logon is limited to the console by default. For a WMI inventory of the computer to be successful, the local account needs to be a member of the local Administrators group and must have a password defined.

Configure Network Access Policy

If the computer is in a workgroup, you must manually change the “Network access: Sharing and security model for local accounts” policy setting from Guest only to Classic on the local computer.

  1. Using the Local Group Policy Editor, expand Computer Configuration\Windows Settings\Security Settings\Local Policies and then click Security Options.
  2. In the Network access: Sharing and security model for local accounts section, click Classic – local users authenticate as themselves.

For more information, see Network access: Sharing and security model for local accounts.

UAC behavior in workgroups

When you attempt to connect remotely to a computer that has UAC enabled, UAC automatically downgrades the credentials used for remote access to guest-level access only. This applies even to accounts that are members of the local Administrators group. To successfully inventory workgroup computers running operating systems that support User Account Control (UAC):

  1. Add this DWORD registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
  2. Set the value to 1 and restart the machine.

Alternatively, use an account that is a member of the local Administrators group and for which UAC is disabled.

For more information about handling remote connections of this type, see http://msdn.microsoft.com/en-us/library/aa826699(VS.85).aspx.

To Configure Windows Firewall Exceptions for Workgroups and Windows NT 4.0–Based Domains

From a command prompt, run the following command (or run it from a logon script on each computer) to enable the remote administration exception:

  • For XP or older:
      netsh firewall set service RemoteAdmin enable
  • For Vista or newer:
      netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
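The workgroup steps on this page (sharing model set to Classic, the LocalAccountTokenFilterPolicy value, local Administrators membership, and the firewall exception chosen by OS generation) can be applied and then checked from one elevated PowerShell session. The two functions below are an added example, not part of the MAP Toolkit documentation or its scripts; the registry locations for the sharing model and the UAC value are assumptions, the OS-version test is an assumption about how to pick between the two netsh commands, and the account name is a constructed sample. The restart the article requires after setting the UAC value is still needed.

```powershell
function Set-MapWorkgroupPrerequisites {
    # 1. "Network access: Sharing and security model for local accounts" -> Classic.
    #    Stored as the LSA value forceguest: 0 = Classic, 1 = Guest only (assumed location).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name forceguest -Value 0 -Type DWord

    # 2. Keep UAC from downgrading remote logons of local Administrators members.
    #    The article notes that the machine must be restarted after this change.
    $policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $policies -Name LocalAccountTokenFilterPolicy -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # 3. Firewall exception, using the netsh syntax that matches the OS generation.
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        # Windows Vista / Server 2008 and newer
        netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
    } else {
        # Windows XP / Server 2003 and older
        netsh firewall set service RemoteAdmin enable
    }
}

function Test-MapWorkgroupPrerequisites {
    param([string]$InventoryAccount = 'mapinv')   # constructed sample: the local account MAP will use

    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
               -Name forceguest -ErrorAction SilentlyContinue
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
               -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

    # Enumerate local Administrators members through ADSI (works on older OS versions too).
    $admins = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

    # Note: whether the account actually has a password set (required for non-console logon)
    # is not visible here; check it with "net user <name>" on the computer.
    [pscustomobject]@{
        SharingModelClassic = ($null -ne $lsa -and $lsa.forceguest -eq 0)
        TokenFilterDisabled = ($null -ne $uac -and $uac.LocalAccountTokenFilterPolicy -eq 1)
        AccountIsLocalAdmin = ($admins -contains $InventoryAccount)
    }
}

# Usage: apply the settings, then verify them before restarting.
Set-MapWorkgroupPrerequisites
Test-MapWorkgroupPrerequisites -InventoryAccount 'mapinv'
```

In a Windows NT 4.0-based domain this is the kind of script you would attach as a logon script, provided PowerShell is available on the clients; where it is not, the two netsh lines above are the only part that needs to run from the script.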