When I try to connect to WMI from Powershell, ConfigMgr, or WMI explorer, I can talk to the majority of my computers, but some (maybe 30%?) return an 0x800706ba (RPC server is unavailable).

If I turn the firewall off on the remote machine, the queries start working. I have tried a bunch of different configurations of firewall settings, though, and I can't seem to figure out what the right combination of exceptions is.

Here's the relevant bits of my firewall config on the remote machine. The crazy part is that there are no drops listed in pfirewall.log when it doesn't work - but again, if I turn off the firewall on the remote computer, everything starts to behave.

I will babysit this thread since I know you'll probably need more details to diagnose this.

Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Remote Desktop

Allowed programs configuration for Domain profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   Network Diagnostics for Windows XP / C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop

Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Remote Desktop

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   McAfee Framework Service / C:\Program Files\McAfee\Common Framework\FrameworkService.exe
Enable   Network Diagnostics for Windows XP / C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop

Log configuration:
-------------------------------------------------------------------
File location   = C:\WINDOWS\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

Bluetooth Network Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

Wireless Network Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

1394 Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

The general fix for this is to allow the exception for "Remote Administration" which is built into the firewall. The problem is that WMI uses an RPC endpoint mapper, so multiple ports become involved. http://msdn.microsoft.com/en-us/library/aa389286(VS.85).aspx is probably the definitive discussion on the topic.

The Domain setting should be active when the machine is logged into a domain. The Standard setting when run at other times. As a test, I'd recommend getting this set up in the GUI first - it's easier to see what's going on and confirm that things "took." I'd also add the exception to both profiles - again, as a test. Read the in-product help on the Domain and Standard modes; you'll need to look at some specifics to see which one is active on the machine and the docs offer a good walkthrough.

I found that on our network the following setting was required for Vista and Win 7 machines, even after Remote Administration was enabled via gpo:

Windows Firewall: Allow ICMP exceptions (Enabled) - Allow inbound echo request (Enabled)

The setting should be redundant when Remote Administration is enabled, but for some reason seems to be necessary.