STAS WMI Access Denied after Windows Update

Question

Hello all, 
 We are facing several problems with STAS Logoff detection method - WMI after the lasted Windows updates mid of June. All computers are returned Access Denied when we execute WMI test over STAS. This is causing a big problem with discnnection users. 
 Is there any Sophos Staff or someone that has the solution for this ? 
 We already try change several Regedit entries, but without sucess. 
 Regards 
 Carlos

Carlos Cesario · Answer

Vivek, all communications are OK. From STAS and Windows. As I told, there are other hosts that are working. Is not a general problem. This problem happen after Windows Update, there are other vendros facing the similar problem https://knowledgebase.progress.com/articles/Article/wmi-monitor-fails-after-a-windows-update-kb5014747 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail https://community.icinga.com/t/wmi-access-denied-after-that-install-windows-cumulative-update-kb5014702/10016/4 
 Regards

Nicolas CARLI1 · Answer

I have found a workaround from microsoft. It is fonctionnal. But in a couple of month, we have to try another solution. 
 https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

RichBaldry · Answer

I also tried to reproduce this issue today and found that STAS WMI polling continued to work fine after updating Windows 10 Workstation and Windows 2019 Server to the latest versions, and enabling the Microsoft registry key (i.e. setting the value to '1' which is supposed to force the new authentication level requirements). 
 Perhaps some other permission or rights setting to allow WMI to work is being changed when these devices apply updates in your environment. Have you re-checked the usual things, such as necessary permissions to the WMI Control service (in Computer Management -> Services and Applications) on the workstations, and confirmed that the account that STAS is using to log in, is still correctly included in those permissions, and that the DCOM options in Local Security Policy/Security Options have the correct permissions, and the Windows Firewall is not blocking the access.

Carlos Cesario · Answer

Hi Folks, sorry by delay.
Only to report. In some of my environments the solution it was apply this Update KB5015807 and change key as describe in this kb support.microsoft.com/.../kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c in Windows Servers (Domain Controller) and Windows 11, 10, 07 versions

STAS WMI Access Denied after Windows Update

Top Replies