This error typically appears in monitoring platforms like FortiSIEM when trying to discover or communicate with a Windows host via the Open Management Infrastructure (OMI). It indicates that while a connection may have been initiated, the specific WMI class responsible for returning operating system details (Win32_OperatingSystem) could not be retrieved. Common Causes
Authentication Mismatch: The connection often fails if the credentials are set to use NTLM instead of Kerberos.
Insufficient Permissions: The user account must be part of the local Administrators Group on the target Windows machine to query WMI remotely.
Network Blocking: Essential ports for OMI/WMI communication—specifically TCP/135, UDP/137, and TCP/5985-5986—may be closed by a firewall.
Corrupted WMI Repository: If the WMI service on the Windows host is in a failed status or its repository is inconsistent, it will fail to return any class results. How to Fix It
Switch Authentication: Change the credential configuration from NTLM to Kerberos-auth.
Verify User Access: Ensure the monitoring user is a member of the local Administrators group or has specific Remote Enable permissions in the WMI Control for the root\cimv2 namespace.
Check Port Connectivity: Use tools like ping or telnet to confirm that the management ports (135, 5985, 5986) are open between the collector and the host.
Repair WMI: On the target Windows machine, run winmgmt /verifyrepository in an elevated command prompt. If it returns "inconsistent," you may need to rebuild the repository.
Test Manually: Use the omic command from your collector to run a manual query:/opt/phoenix/bin/omic -U DOMAIN/USER%PASSWORD //.
Are you seeing this error during initial discovery or with an already added device? FortiSIEM AIO - Collector questions and WMI/OMI issues win32operatingsystem result not found via omi new
"failed (Win32_OperatingSystem results not found via OMI)" a common troubleshooting roadblock for IT administrators, particularly those using to discover and monitor Windows hosts
Here is the "story" of how this error typically unfolds and how it is resolved. 1. The Setup: The "First Discovery" Attempt
An admin is setting up a new Windows host (like a Domain Controller) in their monitoring environment. They configure a credential using Open Management Infrastructure (OMI)
—a lightweight, cross-platform alternative to traditional WMI—and click the "Test" button. 2. The Conflict: "Result Not Found"
The test fails. Instead of a list of system details, they see: failed (Win32_OperatingSystem results not found via OMI)
This message means the OMI service on the collector reached out to the Windows target, but the target refused to hand over the basic OS information. It’s the digital equivalent of a "No Entry" sign. 3. The Investigation: Finding the Root Cause The admin usually finds the culprit in one of three places: Authentication Mismatch : The collector is trying to use
authentication, which often fails or is blocked by modern security policies. Switching the credential to frequently solves the issue instantly. Permission Walls
: Even if the login works, the user account might not be in the local Administrators Group on the target machine, or the /Domain Admins group hasn't been granted explicit OMI permissions. Closed Gates (Firewalls) : OMI needs specific ports to be open. If (HTTPS) are blocked, the query never makes it to the Win32_OperatingSystem 4. The Resolution: The Manual Test
To confirm it’s a setup issue and not a bug, the admin runs a manual query directly from the collector's command line using the /opt/phoenix/bin/omic -U DOMAIN/USER%PASSWORD //
If this command returns the OS version, they know the network is fine and the problem lies in the specific credential settings within their monitoring software. FortiSIEM AIO - Collector questions and WMI/OMI issues This error typically appears in monitoring platforms like
The error message "Win32_OperatingSystem Result not found via OMI" typically occurs in monitoring environments like FortiSIEM when an Open Management Infrastructure (OMI) client fails to retrieve data from a Windows host's Windows Management Instrumentation (WMI) repository.
This guide breaks down the common causes—ranging from authentication mismatches to corrupted WMI repositories—and how to resolve them. 1. Resolve Authentication and Protocol Mismatches
The most common reason for "result not found" via OMI is an issue with how the collector authenticates with the target Windows server.
Switch to Kerberos: Many users report that NTLM authentication frequently fails with OMI. Configuring your credentials to use Kerberos-auth instead can often resolve the "Result not found" error immediately.
Check Encryption Settings: Ensure your OMI client is using the correct port and encryption. For example, if you are using omicli to test the connection, verify you are targeting the correct port (typically 5985 for HTTP or 5986 for HTTPS). 2. Troubleshoot Network and Firewall Blocks
If the OMI client cannot reach the WMI/CIM service, it will return an empty result or a timeout error.
Port Requirements: Ensure that RPC/WMI ports (TCP 135 and the dynamic range 49152-65535) are open between the collector and the target.
WMI Firewall Exception: On the target Windows machine, go to Security > Windows Firewall > Change Settings and ensure the Windows Management Instrumentation (WMI) exception is enabled. 3. Repair a Corrupted WMI Repository
If networking and credentials are correct but the Win32_OperatingSystem class still returns no data, the target server's WMI repository may be corrupted.
omi new Commandomi new is often used in OMI scripting or shell commands to create a new instance of a class or to initiate a query. For example: If the result is "not found," OMI cannot
omi new root/cimv2 Win32_OperatingSystem
If the result is "not found," OMI cannot map the requested class to the target machine’s WMI repository.
Symptom: Win32_ComputerSystem also fails, or log shows access denied.
Solution:
On the Windows target – Add the user to the OMI Users local group:
lusrmgr.mscOMI Users → Add the user (e.g., DOMAIN\username or .\localuser)net stop omiengine && net start omiengineGrant DCOM/WMI permissions for WMI remoting (if using legacy WMI bridge):
wmimgmt.mscroot → cimv2 → SecurityEnsure WinRM is configured (even if OMI uses DCOM, it may fallback):
winrm quickconfig
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
omi query 'root/cimv2' "SELECT * FROM Win32_OperatingSystem"
If this returns empty, check the OMI log (/var/log/omiserver.log on Linux OMI client, or Event Viewer on Windows).
Ensure your omi new syntax is correct:
# Correct form (namespace class)
omi new root/cimv2 Win32_OperatingSystem
Step 4: Use the Correct OMI Command for Retrieval
If your original script used omi new, rewrite it to use omi enumerate or, better yet, use the CIM_OperatingSystem class (the cross-platform standard):
# Recommended cross-platform approach
omicli query "SELECT * FROM CIM_OperatingSystem" -n root/cimv2
Why? CIM_OperatingSystem is the DMTF-standard class that maps to Win32OperatingSystem on Windows, but is also available on Linux OMI servers.
3. Diagnostic Steps
Fix D: Elevate OMI Service Privileges
Symptom: Error only occurs when the user is in OMI Users but Local System queries fail.
Solution:
- Open
services.msc
- Find Open Management Infrastructure (OMI Engine)
- Right-click → Properties → Log On tab
- Change from
Local System (default) to a domain account with WMI admin rights, or ensure "Allow service to interact with desktop" is checked (though typically, Local System is correct).
- Note: Changing away from Local System often breaks more things than it fixes. Instead, ensure the service runs as
NT AUTHORITY\SYSTEM and that this account has WMI permissions (which it does by default).
Minimal Diagnostic Checklist to Run Now
- On target:
Get-CimInstance -ClassName Win32_OperatingSystem (Windows) — success? yes/no
- From client: test connectivity to target management port.
- Confirm namespace root\cimv2 exists and contains Win32_OperatingSystem.
- Check logs on target and client for provider or authentication errors.