Relevance for CIM NetConnectionProfile

Hi guys,

I'm hoping that someone would be able to help me with a CIM instance based relevance for an analysis. Essentially, as the end goal, I want to know what firewall profile is active.

I can achieve this in PowerShell by doing the following;

Get-CimInstance -Namespace "root/standardcimv2" -ClassName MSFT_NetConnectionProfile | Select NetworkCategory

and

Get-WmiObject -Namespace "root/standardcimv2" -Class MSFT_NetConnectionProfile | Select NetworkCategory

I tried to do the same in BigFix qna with the following but it didn’t work;

selects "NetworkCategory FROM MSFT_NetConnectionProfile" of wmis "ROOT\StandardCimv2"

I get the error “Error: The expression could not be evaluated: Windows Error 0x80041013: Provider load failure”

Any ideas on what I could do to get this relevance statement working?

Cheers,
Blake

I find that several WMI queries fail with a provider error, and I suspect it may be that there are not 32-bit providers for some of these properties.

I had a similar post at Windows Firewall - Local Policy vs GPO for looking up the active profile.

The method I’d use is

q: types of profiles of local policies of firewall
A: Public
T: 32.927 ms
I: plural firewall profile type

The simple (ignoring Group Policy) method to see whether the firewall is Active in this profile would be

q: (type of it, firewall enabled of it) of profiles of local policies of firewall
A: Public, True
T: 33.875 ms
I: plural ( firewall profile type, boolean )

The complex method (i.e. handle multiple profiles, handle GPO management of the active profiles), that I’m still hoping to improve & make more readable, is

Q: (type of it as string,(if exists (type of it as string & "Profile", keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall" of native registry) whose (item 0 of it = name of item 1 of it and exists value "EnableFirewall" of item 1 of it) then ("GPO" , (exists value "EnableFirewall" whose (it as integer = 1) of item 1 of (type of it as string & "Profile", keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall" of native registry) whose (item 0 of it = name of item 1 of it )) as string ) else ("Local" , firewall enabled of it as string))) of profiles of local policies of firewall

A: Domain, ( Local, False )
A: Public, ( GPO, True )
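
A PowerShell counterpart to the complex relevance above, added here as an example and not part of any post in this thread: it maps `NetworkCategory` to a firewall profile and reports, per profile, whether `EnableFirewall` comes from GPO or from local policy. The function name and the category-to-profile table are assumptions of this example; the GPO key layout is assumed to be the one the relevance reads.

```powershell
# Added example, not from the thread. Run in 64-bit PowerShell on the endpoint.
# Assumption: GPO settings live where the relevance above looks for them:
#   HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Type>Profile\EnableFirewall

# NetworkCategory (MSFT_NetConnectionProfile) -> firewall profile type
$CategoryToProfile = @{
    'Public'              = 'Public'
    'Private'             = 'Private'
    'DomainAuthenticated' = 'Domain'
}

function Get-FirewallProfileState {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    )

    # A profile is active when at least one connected network is in its category.
    $active = @(Get-NetConnectionProfile |
        ForEach-Object { $CategoryToProfile[[string]$_.NetworkCategory] } |
        Sort-Object -Unique)

    # PersistentStore is the local policy, i.e. the "Local" branch of the relevance.
    foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore PersistentStore) {
        $source  = 'Local'
        $enabled = ([string]$fwProfile.Enabled -eq 'True')

        # A GPO-delivered EnableFirewall value overrides the local setting.
        $gpoKey = Join-Path $PolicyRoot ("{0}Profile" -f $fwProfile.Name)
        $gpo = Get-ItemProperty -Path $gpoKey -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($null -ne $gpo) {
            $source  = 'GPO'
            $enabled = ([int]$gpo.EnableFirewall -eq 1)
        }

        [pscustomobject]@{
            Profile = $fwProfile.Name
            Active  = $active -contains $fwProfile.Name
            Source  = $source
            Enabled = $enabled
        }
    }
}

Get-FirewallProfileState | Format-Table -AutoSize
```

A row with `Active = True` and `Enabled = False` is the one to alert on: the endpoint is on a network whose profile has the firewall switched off.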

Worked like a charm, thank you