Fixing EPT_NT_CANT_PERFORM_OP (0XC0020035) on Windows Server
Hit this when a remote WMI or RPC call fails on Windows. Almost always a DCOM or firewall issue. Here's how to fix it fast.
This error — EPT_NT_CANT_PERFORM_OP (0XC0020035) — shows up when you're trying to run a remote WMI query, connect to the RPC endpoint mapper, or start a DCOM component on another Windows machine. I've seen it most often when a monitoring tool like SolarWinds or a simple wmic /node:REMOTE-PC process list call fails. The exact message is "The operation cannot be performed." Trigger scenario: You're on Windows 10 or Server 2019, trying to connect to a Windows Server 2016 or 2022 box, and boom — access denied or this error.
What Actually Causes This
The culprit here is almost always one of three things: DCOM launch/access permissions are locked down, the Remote Registry service is dead, or the Windows Firewall is blocking RPC dynamic ports. Rarely it's a corrupt WMI repository. Don't bother reinstalling WMI — that's a waste of time unless you see corruption errors in the WMI logs.
Fix It in 4 Steps
Do these in order. Test after each step if you want, but I'd run through all four — they're quick and the interaction between them can be tricky.
Step 1: Enable Remote WMI through Firewall
On the target computer (the one you're connecting to), run this as Administrator:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=YesThis opens the inbound firewall rules for WMI. If that command fails (old Windows version), use the GUI: Control Panel > Windows Defender Firewall > Allow an app or feature through Windows Defender Firewall. Scroll to "Windows Management Instrumentation (WMI)" and check both Private and Public.
Step 2: Fix DCOM Permissions
This is where the real fix lives 80% of the time. DCOM has its own security — separate from the WMI namespace ACLs.
- Press Win + R, type
dcomcnfg, hit Enter. - Expand Component Services > Computers > right-click My Computer and choose Properties.
- Go to the COM Security tab.
- Under Access Permissions, click Edit Limits.
- Make sure ANONYMOUS LOGON and Everyone are listed with Remote Access allowed. If not, add them. Yes, adding Everyone is safe here because DCOM access is restricted by the launch permissions.
- Under Launch and Activation Permissions, click Edit Limits.
- Add ANONYMOUS LOGON and Everyone and give them Remote Launch and Remote Activation.
- Click OK and close dcomcnfg. Reboot the machine or restart the RPC service (but reboot is cleaner).
Step 3: Verify the Remote Registry Service is Running
DCOM needs the Remote Registry service. Without it, WMI calls fail with this error. Run:
sc query RemoteRegistryIf it's not running, start it and set it to Automatic:
sc start RemoteRegistry
sc config RemoteRegistry start= autoStep 4: Check RPC Dynamic Port Range
If the firewall is blocking RPC dynamic ports (TCP 49152-65535 by default on Server 2008 and later), you'll get this error. Confirm with:
netsh int ipv4 show dynamicport tcpThe default start port is 49152 with a range of 16384 ports. Make sure your firewall between the machines allows this range inbound. If you're in a locked-down environment, you can restrict the port range using netsh rpc set port, but that's a separate article.
Still Broken? Check These
- WMI namespace ACLs: Open
wmimgmt.msc, right-click WMI Control, Properties > Security. Ensure the user account has Remote Enable permission on theroot/cimv2namespace. - UAC remote restrictions: On Server 2012 R2 and earlier, the LocalAccountTokenFilterPolicy needs to be set to 1 to allow remote WMI over admin accounts. Registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = 1(DWORD). - Windows updates: KB5004442 (for Windows Server 2022) changed DCOM hardening defaults. You might need to add a registry key to allow unauthenticated RPC — but only do this if absolutely necessary for legacy apps. Key:
HKLM\SOFTWARE\Microsoft\Ole\AppCompat\{your-app-GUID}with DWORDValue= 0.
If none of that works, run wbemtest on the target machine and try connecting locally to root/cimv2. If it fails locally, you've got a corrupted WMI repository. Then and only then run winmgmt /salvagerepository or winmgmt /resetrepository.
Was this solution helpful?