We are looking to pull MBAM-related data from endpoints using relevance. The source of the data is WMI (despite the perils of using WMI, this is the only source we are aware of for the data we require), namely the root\Microsoft\MBAM namespace, which is created when the MBAM agent is installed. I’m wondering if anyone else out there has used BigFix in conjunction with MBAM with any success, as to me it appears that trying to query the mbam_Volume or mbam_Machine classes from the namespace is not possible from any 32-bit process. From the Fixlet Debugger in both local and client evaluator modes:
Q: exists wmi "root\Microsoft\MBAM"
A: True
T: 1.985 ms
I: singular boolean
Q: selects "* from mbam_Volume" of wmi "root\Microsoft\MBAM"
E: The expression could not be evaluated: Windows Error 0x80041013: Provider load failure
From PowerShell (x86):
Get-WmiObject -Class mbam_volume -Namespace root\microsoft\mbam | select DriveLetter
Get-WmiObject : Provider load failure
At line:1 char:1
+ Get-WmiObject -Class mbam_volume -Namespace root\microsoft\mbam | sel …
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
From PowerShell 64-bit:
Get-WmiObject -Class mbam_volume -Namespace root\microsoft\mbam | select DriveLetter
DriveLetter
D:
C:
First time I’ve encountered WMI data not being accessible due to the process architecture, and as it’s not limited to just the BigFix process it doesn’t strike me as a client/debugger bug.
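
The behaviour shown above (the query fails from a 32-bit process and succeeds from 64-bit PowerShell) can be wrapped so the caller's bitness no longer matters. This is an added example, not part of the original post: the function name `Get-MbamVolumeDriveLetter` is hypothetical, and it assumes Windows PowerShell is installed at its default path and that the 64-bit query succeeds as it does in the post.

```powershell
# Added example: read DriveLetter from mbam_Volume regardless of caller bitness.
function Get-MbamVolumeDriveLetter {
    [CmdletBinding()]
    param(
        [string]$Namespace = 'root\Microsoft\MBAM',
        [string]$Class     = 'mbam_Volume'
    )

    # Both values are interpolated into a command line below, so accept
    # only plain WMI identifiers and reject anything else.
    if ($Namespace -notmatch '^[\w\\]+$' -or $Class -notmatch '^\w+$') {
        throw "Unexpected namespace or class name."
    }

    # PROCESSOR_ARCHITEW6432 is only defined inside a WOW64 process,
    # i.e. a 32-bit process running on 64-bit Windows.
    $isWow64 = [bool]$env:PROCESSOR_ARCHITEW6432

    if (-not $isWow64) {
        # Native bitness (64-bit process, or 32-bit OS): query in-process.
        return Get-WmiObject -Namespace $Namespace -Class $Class -ErrorAction Stop |
            Select-Object -ExpandProperty DriveLetter
    }

    # In a WOW64 process System32 is redirected to SysWOW64; the Sysnative
    # alias is the way to reach the 64-bit binaries from 32-bit code.
    $ps64 = Join-Path $env:windir 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if (-not (Test-Path -LiteralPath $ps64)) {
        throw "64-bit PowerShell not found at $ps64"
    }

    $cmd = "Get-WmiObject -Namespace '$Namespace' -Class '$Class' -ErrorAction Stop | " +
           "Select-Object -ExpandProperty DriveLetter"
    $out = & $ps64 -NoProfile -NonInteractive -Command $cmd

    # Surface a failed child query (for example the same provider load
    # failure) instead of silently returning nothing.
    if ($LASTEXITCODE -ne 0) {
        throw "64-bit query of $Namespace\$Class failed (exit code $LASTEXITCODE)."
    }
    return $out
}

Get-MbamVolumeDriveLetter
```

Run from the x86 console used in the post, this should return the same drive letters the 64-bit session printed; whether a 32-bit agent process is permitted to launch the 64-bit child in a given environment has to be checked separately.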