push WMI privilege using GPO

I'm using manage-bde.exe to allow some power users to encrypt their USB sticks.
I have a DC (Windows Server 2012 R2) with 100 Windows 10 Pro laptops.
The users don't have admin privileges on their machines.
I found that manually changing the WMI privileges (ROOT>CIMV2>Security>MicrofostVolumeEncryption), manually adding the specific account and giving it the "execute method" privilege allows the user to run the encryption without possessing admin rights.

I'm trying to create a script that I'm going to push via GPO to apply the needed changes.
I tried using this method without success.
I can dump the privileges. Applying them gives no errors, but no changes are made.
Both operations are done with the local admin account.
Thanks.
H D asked:
McKnife commented:
That is hard to follow.

By default, users may encrypt removable devices like sticks and there are no admin privileges required to do that.
So it seems your GPOs have been altered to disallow that and now you seek a way to undo that.

Let's have a look at the GPO settings together. Please upload results.html from your %temp% folder after running (on an elevated command prompt):
gpresult /h %temp%\results.html
H D (Author) commented:
Hello,
The use case is that my boss wants to allow some users to encrypt USB sticks with manage-bde with SID protectors.
Allowing them to use other types of encryption is not an option.
Basically, this can be done with the right WMI namespace rights. The problem is that the script that is going to push the WMI configuration is not working as expected.
Thanks.
McKnife commented:
Ah, I see, SID protectors need admin privs and you have found out that WMI namespace rights suffice. Where did you read that?
H D (Author) commented:
On Stack Overflow, and it works. You have to give the user the "method execute" right on the node ROOT>CIMV2>Security>MicrofostVolumeEncryption to allow him to run encryption with manage-bde.exe.
My problem is how to script this operation.
McKnife commented:
It works here as soon as I execute the VBS script as the system account.
H D (Author) commented:
I don't want to give the users the local admin password. That's the problem.
McKnife commented:
They don't need it. As I said, it works here. I used the process you outlined to create a VBS script that sets the ACL correctly, and afterwards the user may add a SID protector to his BL-encrypted USB stick without being admin.

As said, you need to execute the VBScript as the system account. That could be done in a startup script.
H D (Author) commented:
That's the point. I executed my script with the exported array of parameters, but no change is made.
I tested it on Windows 10 Pro.
Any ideas, please?
McKnife commented:
Hm, when will you understand? You write "Both operations are done with local admin account" while I advise you to use the system account. For me, it does not work as local admin either, and it returns "Privilege not held".
McKnife commented:
To use the system account, use psexec to start a command shell as system like this (launch the following on an elevated command prompt):
psexec -s -i cmd
Then, launch your VBS script.
McKnife commented:
Another thing: I noticed a typo; you should check your script, as you wrote "microfost".
H D (Author) commented:
I got the same problem with the system account.
No error, and the same configuration is kept.
McKnife commented:
OK, show me your scripts, both the one creating the output that you paste and the script that the system account executes.
H D (Author) commented:
This is the command that I'm using to "dump" the rights:
wmic /namespace:\\root\CIMV2 /output:sd.txt path __systemsecurity call getSD

This is the script:
' Security descriptor as dumped by GetSD (the array is truncated in the post)
strSD = array(1,0,4,129,....,0)

' Connect to the namespace whose security descriptor is to be replaced
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2")

' __SystemSecurity exposes the GetSD/SetSD methods for this namespace
set security = namespace.get("__systemsecurity=@")

' Write the descriptor back; nStatus receives the method's return value (0 on success)
nStatus = security.setsd(strSD)

I tested both as local admin and as SYSTEM.
McKnife commented:
No, to create it, take
wmic /namespace:\\root\CIMV2\Security\MicrosoftVolumeEncryption /output:sd.txt path __systemsecurity call getSD

and to write the ACL, take
' Security descriptor dumped from the MicrosoftVolumeEncryption namespace with the command above
strSD = array(1,0,4,129,148,0,0,0,164,0,0,0,0,0,0,0,20,0,0,0,2,0,128,0,5,0,0,0,0,0,36,0,1,0,0,0,1,5,0,0,0,0,0,5,21,0,0,0,216,37,44,114,11,95,44,7,34,199,223,9,83,4,0,0,0,18,24,0,63,0,6,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,20,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,19,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,11,0,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0)
' Connect to the BitLocker namespace itself, not to root\CIMV2
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2\Security\MicrosoftVolumeEncryption")
set security = namespace.get("__systemsecurity=@")
' Write the descriptor back; nStatus receives the method's return value (0 on success)
nStatus = security.setsd(strSD)
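An added example, not from the thread: a Python decoder and encoder for the self-relative security descriptor that GetSD returns and SetSD consumes, so the array can be generated for any account instead of being pasted by hand. It parses the descriptor McKnife posted above into SIDs and WMI access-mask bits (WBEM_ENABLE = 0x1, WBEM_METHOD_EXECUTE = 0x2, the "Execute Methods" checkbox in wmimgmt.msc), inserts an explicit allow ACE for a chosen account ahead of the inherited ACEs, and prints the array(...) line for the VBScript; the SID S-1-5-21-1-2-3-1234 is a constructed placeholder.

```python
import struct

# WMI namespace permission bits (WBEM_SECURITY_FLAGS); "Execute Methods" in wmimgmt.msc is WBEM_METHOD_EXECUTE
WBEM_ENABLE, WBEM_METHOD_EXECUTE = 0x1, 0x2
SD_HDR = "<BBHIIII"  # self-relative SECURITY_DESCRIPTOR: Revision, Sbz1, Control, Owner/Group/Sacl/Dacl offsets

def sid_at(b, off):
    """Decode the binary SID at offset off; return (string form, length in bytes)."""
    n, auth = b[off + 1], int.from_bytes(b[off + 2:off + 8], "big")  # SubAuthorityCount, IdentifierAuthority
    subs = struct.unpack_from("<%dI" % n, b, off + 8)
    return "S-%d-%d-%s" % (b[off], auth, "-".join(map(str, subs))), 8 + 4 * n

def sid_bytes(s):  # encode 'S-1-5-21-...' into the binary SID layout
    p = [int(x) for x in s.split("-")[1:]]
    return bytes([p[0], len(p) - 2]) + p[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(p) - 2), *p[2:])

def parse_sd(data):
    """Owner, group and DACL entries of a self-relative SD such as __SystemSecurity.GetSD returns."""
    _, _, control, o_off, g_off, _, d_off = struct.unpack_from(SD_HDR, data, 0)
    ace_count = struct.unpack_from("<H", data, d_off + 4)[0]  # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    aces, pos = [], d_off + 8
    for _ in range(ace_count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", data, pos)  # ACE header plus access mask
        aces.append({"type": ace_type, "flags": flags, "mask": mask, "sid": sid_at(data, pos + 8)[0]})
        pos += size
    return {"control": control, "owner": sid_at(data, o_off)[0], "group": sid_at(data, g_off)[0], "aces": aces}

def grant(data, sid_str, mask=WBEM_ENABLE | WBEM_METHOD_EXECUTE):
    """Return a new SD whose DACL has an explicit ACCESS_ALLOWED ACE for sid_str ahead of the inherited ACEs."""
    _, _, control, o_off, g_off, _, d_off = struct.unpack_from(SD_HDR, data, 0)
    acl_size, ace_count = struct.unpack_from("<HH", data, d_off + 2)
    sid = sid_bytes(sid_str)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid  # AceType 0 = ACCESS_ALLOWED, AceFlags 0 = explicit
    acl = struct.pack("<BBHHH", 2, 0, acl_size + len(ace), ace_count + 1, 0) + ace + data[d_off + 8:d_off + acl_size]
    owner = data[o_off:o_off + sid_at(data, o_off)[1]]
    group = data[g_off:g_off + sid_at(data, g_off)[1]]
    hdr = struct.pack(SD_HDR, 1, 0, control, 20 + len(acl), 20 + len(acl) + len(owner), 0, 20)  # re-laid offsets
    return hdr + acl + owner + group

def to_vbs(data):  # the array(...) line that the VBScript above passes to SetSD
    return "strSD = array(%s)" % ",".join(str(b) for b in data)

# The descriptor from the accepted answer (output of wmic ... call GetSD), repeated here as a byte string
POSTED_SD = bytes(int(x) for x in (
    "1,0,4,129,148,0,0,0,164,0,0,0,0,0,0,0,20,0,0,0,2,0,128,0,5,0,0,0,0,0,36,0,1,0,0,0,1,5,0,0,0,0,0,5,21,0,0,0,"
    "216,37,44,114,11,95,44,7,34,199,223,9,83,4,0,0,0,18,24,0,63,0,6,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,0,18,20,0,"
    "19,0,0,0,1,1,0,0,0,0,0,5,20,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,19,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,"
    "5,11,0,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0").split(","))
if __name__ == "__main__":
    print(to_vbs(grant(POSTED_SD, "S-1-5-21-1-2-3-1234")))  # constructed placeholder SID for the power user
```

Paste the printed line in place of strSD in the answer's VBScript, which still has to run as SYSTEM; parse_sd on the dumped array shows exactly which WBEM_* bits each principal holds before and after the change.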
H D (Author) commented:
Thank you :)
McKnife commented:
You are welcome.

And by the way, this method might prove useful someday; I did not know it before.