push WMI privilege using GPO

H D
I'm using manage-bde.exe to allow some power users to encrypt their USB sticks.
I have a DC (Windows Server 2012 R2) with 100 Windows 10 Pro laptops.
The users don't have admin privileges on their machines.
I found that changing the WMI privileges manually (ROOT>CIMV2>Security>MicrofostVolumeEncryption), adding the specific account manually and giving it the "execute method" privilege allows the user to run the encryption without possessing admin rights.

I'm trying to create a script that I'm going to push via GPO to apply the needed changes.
I tried using this method without success.
I can dump the privileges. Applying them gives no errors but no changes are made.
Both operations are done with the local admin account.
Thanks.
Distinguished Expert 2018

Commented:
That is hard to follow.

By default, users may encrypt removable devices like sticks and there are no admin privileges required to do that.
So it seems your GPOs have been altered to disallow that and now you seek a way to undo that.

Let's have a look at the GPO settings together. Please upload results.html from your %temp% folder after running (on an elevated command prompt):
gpresult /h %temp%\results.html

H D

Author

Commented:
Hello,
The use case is that my boss wants to allow some users to encrypt USB sticks with manage-bde with SID protectors.
Allowing them to use other types of encryption is not an option.
Basically this can be done with the right WMI namespace rights. The problem is that the script that is going to push the WMI configuration is not working as expected.
Thanks.
Distinguished Expert 2018

Commented:
Ah, I see, SID protectors need admin privs and you have found out that WMI namespace rights suffice. Where did you read that?
H D

Author

Commented:
On Stack Overflow, and it works. You have to give the user the "method execute" right on the node ROOT>CIMV2>Security>MicrofostVolumeEncryption to allow him to run encryption with manage-bde.exe.
My problem is how to script this operation.
Distinguished Expert 2018

Commented:
It works here as soon as I execute the vbs-script as system account.
H D

Author

Commented:
I don't want to give the users the local admin password. That's the problem.
Distinguished Expert 2018

Commented:
They don't need it. As I said, it works here. I used the process you outlined to create a VBScript that sets the ACL correctly and afterwards, the user may add a SID protector on his BL-encrypted USB stick without being admin.

As said, you need to execute the VBScript as the system account. That could be done in a startup script.
H D

Author

Commented:
That's the point. I executed my script with the exported array of parameters but no change is made.
I tested it on Windows 10 pro.
Any ideas please?
Distinguished Expert 2018

Commented:
Hm, when will you understand that you write "Both operations are done with local admin account" while I advise you to use the system account? For me, it does not work as local admin, either, and it returns "Privilege not held".
Distinguished Expert 2018

Commented:
To use the system account, use psexec to start a command shell as system like this (launch the following on an elevated command prompt):
psexec -s -i cmd
Then, launch your vbs script.
Distinguished Expert 2018

Commented:
Another thing: I noticed a typo. You should check your script, as you wrote "microfost".
H D

Author

Commented:
I got the same problem with the system account.
No error and the same configuration is kept.
Distinguished Expert 2018

Commented:
Ok, show me your scripts, both the one creating the output that you paste and the script that the system account executes.
H D

Author

Commented:
This is the command that I'm using to "dump" the rights:
wmic /namespace:\\root\CIMV2 /output:sd.txt path __systemsecurity call getSD

This is the script:
strSD = array(1,0,4,129,....,0)
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2")
set security = namespace.get("__systemsecurity=@")
nStatus = security.setsd(strSD)

I tested both as local admin and as SYSTEM.
Distinguished Expert 2018
Commented:
No, to create it, take
wmic /namespace:\\root\CIMV2\Security\MicrosoftVolumeEncryption /output:sd.txt path __systemsecurity call getSD

and to write the ACL, take
strSD = array(1,0,4,129,148,0,0,0,164,0,0,0,0,0,0,0,20,0,0,0,2,0,128,0,5,0,0,0,0,0,36,0,1,0,0,0,1,5,0,0,0,0,0,5,21,0,0,0,216,37,44,114,11,95,44,7,34,199,223,9,83,4,0,0,0,18,24,0,63,0,6,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,20,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,19,0,0,0,0,18,20,0,19,0,0,0,1,1,0,0,0,0,0,5,11,0,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0,1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0)
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2\Security\MicrosoftVolumeEncryption")
set security = namespace.get("__systemsecurity=@")
nStatus = security.setsd(strSD)

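The dump/apply loop above (read the descriptor from the right namespace, write a modified one back as SYSTEM) can also be scripted without pasting a byte array that embeds one domain's SID and one machine's ACL. The PowerShell below is an added example, not code from the thread or from either participant. It assumes a placeholder group named CONTOSO\BitLocker-USB-Users, uses the object-form GetSecurityDescriptor/SetSecurityDescriptor methods of __SystemSecurity instead of the raw GetSD/SetSD byte arrays, and is written to run as a GPO computer startup script (Computer Configuration > Windows Settings > Scripts), which runs as LocalSystem as the thread requires. It adds the checks the author's version lacked: it refuses a misspelled namespace, decodes the raw descriptor into SDDL so the before/after state is readable, and re-reads the DACL after writing instead of trusting a zero return code.

```powershell
# Added example (not from the thread): grant a group "Enable Account" + "Execute Methods"
# on the BitLocker WMI namespace and verify the ACE is really present afterwards.
# Meant to run as a GPO computer startup script, i.e. as LocalSystem.
param(
    [string]$Namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption',
    [string]$Account   = 'CONTOSO\BitLocker-USB-Users'   # placeholder group name (assumption)
)

# WMI namespace access-right bits (WBEM_SECURITY_FLAGS), as labelled in wmimgmt.msc.
$WBEM_ENABLE         = 0x1    # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x2    # "Execute Methods", the right manage-bde needs here
$RequiredMask        = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE
$ACCESS_ALLOWED_ACE  = 0      # Win32_ACE.AceType value for an allow ACE
$Invoke = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }

# Decode a raw self-relative SD byte array (what GetSD / 'wmic ... call getSD' returns)
# into SDDL, so before/after states can be compared by eye instead of as number lists.
function ConvertTo-NamespaceSddl {
    param([byte[]]$SdBytes)
    $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $SdBytes, 0
    return $raw.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-NamespaceSddl {
    $r = Invoke-WmiMethod @Invoke -Name GetSD
    if ($r.ReturnValue -ne 0) { throw "GetSD on $Namespace failed with $($r.ReturnValue)" }
    return ConvertTo-NamespaceSddl $r.SD
}

# $true when an allow ACE for $Sid already carries every bit in $Mask.
function Test-NamespaceAce {
    param([string]$Sid, [int]$Mask)
    $r = Invoke-WmiMethod @Invoke -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($r.ReturnValue)" }
    foreach ($ace in @($r.Descriptor.DACL)) {
        if ($ace -and $ace.AceType -eq $ACCESS_ALLOWED_ACE -and
            $ace.Trustee.SIDString -eq $Sid -and
            (($ace.AccessMask -band $Mask) -eq $Mask)) { return $true }
    }
    return $false
}

function Grant-NamespaceAccess {
    param([string]$Sid, [int]$Mask)
    $r = Invoke-WmiMethod @Invoke -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($r.ReturnValue)" }
    $sd = $r.Descriptor                       # Win32_SecurityDescriptor in object form

    $trustee = ([wmiclass]'root\cimv2:Win32_Trustee').CreateInstance()
    $trustee.SIDString = $Sid                 # store the SID, no name lookup at apply time

    $ace = ([wmiclass]'root\cimv2:Win32_ACE').CreateInstance()
    $ace.AceType    = $ACCESS_ALLOWED_ACE
    $ace.AceFlags   = 0                       # this namespace only (2 = also child namespaces)
    $ace.AccessMask = $Mask
    $ace.Trustee    = $trustee

    # Append to the existing DACL rather than replacing it, so the admin/SYSTEM entries survive.
    $aceObj = $ace.PSObject.ImmediateBaseObject
    if ($sd.DACL) { $sd.DACL += $aceObj } else { $sd.DACL = @($aceObj) }

    $w = Invoke-WmiMethod @Invoke -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($w.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($w.ReturnValue)" }
}

# --- main ---
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-18') {
    Write-Warning "Running as $($me.Name), not SYSTEM; the thread reports the write fails as a local admin."
}

# Guard against the typo the thread hit ("Microfost"): the target namespace must exist.
$parent = Split-Path $Namespace; $leaf = Split-Path -Leaf $Namespace
if (-not (Get-WmiObject -Namespace $parent -Class __NAMESPACE -Filter "Name='$leaf'")) {
    throw "WMI namespace $Namespace does not exist (check the spelling)"
}

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

Write-Output "Before: $(Get-NamespaceSddl)"
if (Test-NamespaceAce -Sid $sid -Mask $RequiredMask) {
    Write-Output "$Account ($sid) already has Enable Account + Execute Methods; nothing to do."
    return
}
Grant-NamespaceAccess -Sid $sid -Mask $RequiredMask

# The thread's symptom was "no error, but no change", so re-read rather than trust the return code.
Write-Output "After:  $(Get-NamespaceSddl)"
if (-not (Test-NamespaceAce -Sid $sid -Mask $RequiredMask)) {
    throw "ACE for $sid is still missing after SetSecurityDescriptor"
}
Write-Output "Granted Enable Account + Execute Methods on $Namespace to $Account."
```

To try it interactively before assigning it through the GPO, launch a SYSTEM shell exactly as described earlier in the thread (psexec -s -i cmd, then powershell.exe), run the script once, and run it a second time to confirm it reports "nothing to do" instead of appending a duplicate ACE. The SDDL lines it prints are the same data the thread's wmic getSD dump contains, only decoded, so they can be diffed against a known-good machine.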
H D

Author

Commented:
Thank you :)
Distinguished Expert 2018

Commented:
You are welcome.

And by the way, this method might prove useful someday, I did not know it before.
