This article is a guide to resolving a failed Sandbox publish task that results in an error of "Cannot connect to CIM server.Access is denied".
The Sandbox Publish task fails with the following error:
{"reason":"FGA_PLAY_FAILED","description":"\"Play aborted due to failed task 'firewall:add-rules' with error-policy 'abort'. Task failure reason
\"Adding the rule failed. Get-NetFirewallPortFilter : Cannot connect to CIM server. Access is denied. \r\nAt line:2 char:22\r\n+ $NegativeRuleList = Get-NetFirewallPortFilter
| Where-Object {$_.Pro ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ResourceUnavailable: (MSFT_NetProtocolPortFilter:String) [Get-NetFirewallPortFilter],
Ci \r\n mJobException\r\n + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-NetFirewallPortFilter\r\n \r\nGet-NetFirewallPortFilter :
Cannot connect to CIM server. Access is denied. \r\nAt line:7 char:22\r\n+ $PositiveRuleList = Get-NetFirewallPortFilter | Where-Object {$_.Pro ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo
: ResourceUnavailable: (MSFT_NetProtocolPortFilter:String) [Get-NetFirewallPortFilter], Ci \r\n mJobException\r\n + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-NetFirewallPortFilter\r\n \r\nNew-NetFirewallRule :
Cannot connect to CIM server. Access is denied. \r\nAt line:14 char:2\r\n+ New-NetFirewallRule -DisplayName 'Frame Port 88' -Direction Inbound ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ResourceUnavailable: (MSFT_NetFirewallRule:String) [New-NetFirewallRule], CimJobExceptio \r\n n\r\n + FullyQualifiedErrorId : CimJob_BrokenCimSession,New-NetFirewallRule\r\n \r\n\"\""}
You will see the below error in the Frame Admin portal:
Possible causes of such behaviour are:
- The Windows OS or Image is locked, PowerShell or scripts will not run under normal operation.
- The Execution of the commands is not allowed to run remotely.
Solution
f Windows OS is locked or PowerShell is blocked by any security application or software (for example, Nyotron Paranoid) complete the steps below:
- Bypass the security for the Sandbox
- Run the publish task
- Re-enable the security.
If the PowerShell execution is not allowed remotely, follow the below steps:
- Open Computer Management Console. Right-click WMI Control (under Services and Applications) and click property.
- In the newly open Window, click on the Security tab.
- Expand Root tree, and then click on the node CIMV2, and click the button Security.
- In the newly open Window, click the button Advanced.
- In the newly open Window, click the button Add under the permission tab.
- In the newly open Window, click on “select a principal”, then search and add the account or group you want to have access as the principal, then click OK.
- In the 'Applies to', choose “this namespace and subnamespace”.
- For permission, check on “Execute Methods”, “Enable Accounts” and “Remote Enable”.
- Click accept on all the open dialogue boxes.
- Restart WMI services.