We recently assisted a customer that was having problems accessing the WEDM nodes in a remote ConfigMgr 2007 admin console if the user was not an admin on the remote site server. We checked WMI and DCOM permissions and everything appears to be configured correctly. However after further investigation we discovered that WEDM has its own WMI namespace separate from the ConfigMgr namespace. Once we set the permissions correctly on that namespace, the issue was resolved. The below article describes the errors generated when you experience this problem and the actions to take to fix it.

Note: We are planning to publish the below article as a KB article. If not already available, it should be available soon as KB2723355.

 

Symptoms

When using WEDM 2011 and trying to access the Deployments, Configuration Items, and Configuration Packages nodes under the Embedded Device Management node in a remote ConfigMgr 2007 console, the nodes will display the error

 

[*The ConfigMgr Provider reported an error.*]

 

The issue only happens if the logged in user does not have Administrator privileges on the remote site server. The user can access all other nodes in the remote ConfigMgr 2007 console that they have access to without issue. Additionally if the user logs directly into the server and uses the ConfigMgr 2007 console directly on the site server, they do have access to the WEDM nodes.

Examining the SMSAdminUI.log on the PC running the remote console reveals the following errors:

 

[3][<Date> <Time>] :Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nThe ConfigMgr Provider reported an error.\r\n
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__0.MoveNext()
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryProcessor.ProcessQueryWorker(AsyncOperationDatabase asyncData)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)\r\nConfigMgr Error Object:
instance of __ExtendedStatus
{
 Operation = "ExecQuery";
 ParameterInfo = "SELECT DeploymentID,JobCreationTime,CollectionID,CollectionName,DeploymentName,DeploymentComment,IncludeSubCollection,OEMPluginID,ImageFileLocation,
                           StartTimeEnabled,StartTimeIsGMT,ExpirationTimeEnabled,ExpirationTimeIsGMT,StartTime,ExpirationTime,DeploymentStatusName,DeploymentStatus,RemoteServerName
                          FROM EDM_ImageDeployment";
 ProviderName = "WinMgmt";
};
Error Code:
ProviderLoadFailure
\r\nSystem.Management.ManagementException\r\nProvider load failure \r\n   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__0.MoveNext()\r\nManagementException details:
instance of __ExtendedStatus
{
 Operation = "ExecQuery";
 ParameterInfo = "SELECT DeploymentID,JobCreationTime,CollectionID,CollectionName,DeploymentName,DeploymentComment,IncludeSubCollection,OEMPluginID,ImageFileLocation,
                         StartTimeEnabled,StartTimeIsGMT,ExpirationTimeEnabled,ExpirationTimeIsGMT,StartTime,ExpirationTime,DeploymentStatusName,DeploymentStatus,RemoteServerName
                          FROM EDM_ImageDeployment";
 ProviderName = "WinMgmt";
};
\r\n

[3][<Date> <Time>] :Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nThe ConfigMgr Provider reported an error.\r\n
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__0.MoveNext()
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryProcessor.ProcessQueryWorker(AsyncOperationDatabase asyncData)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)\r\nConfigMgr Error Object:
instance of __ExtendedStatus
{
 Operation = "ExecQuery";
 ParameterInfo = "SELECT ProvisioningItemUniqueId, Type, Description, SupportedDeviceTypes, SourceSite FROM EDM_ProvisioningItem";
 ProviderName = "WinMgmt";
};
Error Code:
ProviderLoadFailure
\r\nSystem.Management.ManagementException\r\nProvider load failure \r\n   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__0.MoveNext()\r\nManagementException details:
instance of __ExtendedStatus
{
 Operation = "ExecQuery";
 ParameterInfo = "SELECT ProvisioningItemUniqueId, Type, Description, SupportedDeviceTypes, SourceSite FROM EDM_ProvisioningItem";
 ProviderName = "WinMgmt";
};
\r\n 

[3][<Date> <Time>] :Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nThe ConfigMgr Provider reported an error.\r\n
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__0.MoveNext()
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryProcessor.ProcessQueryWorker(AsyncOperationDatabase asyncData)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)\r\nConfigMgr Error Object:
instance of __ExtendedStatus
{
 Operation = "ExecQuery";
 ParameterInfo = "Select ProvisioningPackageUniqueId, Description,ProvisioningItemUniqueIds,SourceSite,PlatFormType,PackageID FROM EDM_ProvisioningPackage";
 ProviderName = "WinMgmt";
};
Error Code:
ProviderLoadFailure
\r\nSystem.Management.ManagementException\r\nProvider load failure \r\n   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
   at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__0.MoveNext()\r\nManagementException details:
instance of __ExtendedStatus
{
 Operation = "ExecQuery";
 ParameterInfo = "Select ProvisioningPackageUniqueId, Description,ProvisioningItemUniqueIds,SourceSite,PlatFormType,PackageID FROM EDM_ProvisioningPackage";
 ProviderName = "WinMgmt";
};
\r\n

 

The SMSProv.log on the site server does not reveal any errors.

Using WBEMTest on the PC running the remote console to perform either one of the following two actions on the \\<site_server>\root\SMS\site_<site_code> namespace:

  1. Trying to run the WMI queries shown in the SMSAdminUI.log 
  2. Trying to access the instances of the EDM_ImageDeployment, EDM_ProvisioningItem, or EDM_ProvisioningPackage classes

will generate the following error message:

Error

Number: 0x80041013
Facility: WMI
Description: Provider load failure

Error 0x80041013 is:

hex 0x80041013 / decimal -2147217389
WBEM_E_PROVIDER_LOAD_FAILURE

 

Cause

In addition to the standard ConfigMgr WMI namespace of \\<site_server>\root\SMS\site_<site_code>, WEDM 2011 also has a second WMI namespace it utilizes under \\<site_server>\root\EDM. The EDM namespace is used by the ConfigMgr 2007 console when accessing the WEDM 2011 nodes. Although the classes and instances for WEDM can be seen under the ConfigMgr namespace, they actually map back to the WEDM namespace via a proxy provider. By default administrators on the site server have remote privileges on the EDM namespace. However non-administrators on the site server do not have remote privileges to the EDM namespace.

 

Resolution

To resolve the issue, on the site server give the appropriate permissions on the EDM WMI namespace to the local group SMS Admins:

  1. On the site server, open Server Manager.
  2. In the Server Manager console expand the Configuration node.

  3. Right click on WMI Control and choose Properties.

  4. In the WMI Control Properties window, click on the Security tab.

  5. Expand the Root tree and select Edm.

  6. With the Edm node selected, click on the Security button.

  7. In the Security for ROOT\Edm window, click on the Add... button.

  8. In the Select Users, Computers, Service Accounts, or Groups window, click on the Locations... button.

  9. In the Locations window, select the local site server instead of a domain under Entire Directory. The local site server will usually be the first item in the list.

  10. After selecting the local site server in the Locations window, click on the OK button.

  11. In the Select Users or Groups window, in the text box under Enter the object names to select, type in

    SMS Admins

    In the Select Users or Groups window, click on the OK button.

  12. Under Group or user names:, make sure that SMS Admins is highlighted.

  13. Under Permissions for SMS Admins, check the Allow box for the following items:

    Execute Methods
    Provider Write
    Enable Account
    Remote Enable

  14. In the Security for ROOT\Edm window, click on the OK button.

  15. In the WMI Control Properties window, click on the OK button.

 

Frank Rojas
Senior Support Escalation Engineer