
WMI Permission denied - From this month's Windows Update


We have a number of R81.10 gateways which are still using AD lookups and we have the workaround in place to permit this to still work as per:

The next Microsoft date relating to this is supposed to be March 2023, however with this month's patches going in on the domain controllers we have noticed our firewalls receiving the error WMI permission Denied when attempting to authenticate against the servers. Rolling back the patches on the AD server has fixed the issue.

Is anyone else facing this and, aside from moving to AD Collector, is there a fix for it?


0 Kudos
33 Replies

We have made some progress with this. When we made the LDAP account unit service account a member of Domain Admins, all gateways that were reporting WMI permissions errors are now showing connection established to the DCs and the logon events/IDs are now being received.

We have re-confirmed that all actions as in sk93938 have been applied; this does not resolve the problem.

0 Kudos


JHF does not help??

To apply the Microsoft hardening and continue using AD Query and Identity Logging, you must install a hotfix.


The hotfix is included in Jumbo Hotfix Accumulators for these supported versions of Security Gateways / Security Management / Multi-Domain Servers:

0 Kudos


Thanks for sharing this experience.
After investigating the issue together with Microsoft, it's related to a security hardening Microsoft had introduced in the October 2022 update.
As part of the hardening (not the DCOM which is described in sk176148), they changed the read privileges that affect the GW query to the DC.
In case ADQuery is configured with an admin user, there is no issue, but in case ADQuery is configured with a non-admin user (sk93938) the query will fail with a WMI error. We are looking for a way to adjust the default query to work in all cases.

Current suggestion is to change the query to the reduced query (sk104900).
**Please note the reduced query will not read security events on a specific DC which are forwarded from other DCs.
Identity Collector is not affected by this update.

Liel Shaish
Group Manager, Identity Awareness R&D


Hi Liel,

Thanks for the update,

One question for you: we have some SMB devices running R80.20.x. When I try to run adlogconfig on these devices I get "adlogconfig: command not found". Is there a method to define the reduced query mode on SMB devices?



0 Kudos

