Is there a way to set access to WMI using GroupPolicy?

Made some research on this and looks like the method below should work:

For Windows 2003 with Group Policy Management Console (GPMC), perform the following steps:

1. Navigate to Start Menu > Administrative Tools > Group Policy Management.
2. In the left-hand pane, navigate to Forest: Domain Name -> Domains -> Domain Name, where Domain Name is the name of the domain you wish to modify.
3. Right-click on Domain Name in the left-hand pane and select Create and Link a GPO Here.
4. Name the new policy WMI Permissions.

NOTE: Since WMI must establish a DCOM connection to remote host, this is enough to configure access permissions for DCOM.

Configuring Distributed Component Object Model (DCOM) Permissions:

1. Navigate to the WMI Permissions group policy, either by the Group Policy Management plug-in or by the ADUC plug-in.
2. Ensure that the WMI Permissions policy is highlighted and click on the Edit button.
3. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
4. In the right-hand UI pane, double-click on DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax.
5. Put a checkmark in the box beside Define this policy setting.
6. Click on the Edit Security button.
7. Click on the Add button; in the resulting pop-up window, specify the domain administrator account that will be used.
8. Click OK.
9. In the Group or user names field, select the domain administrator you specified in step #7.
10. In the Permissions for Administrators field, ensure that there is a checkmark in the Allow column for the Remote Access option.
11. Click OK.
12. Click OK.
13. In the right-hand UI pane, double-click on DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.
14. Put a checkmark in the box beside Define this policy setting.
15. Click on the Edit Security button.
16. Click on the Add button; in the resulting pop-up window, specify the domain administrator account that will be used.
17. Click OK.
18. In the Group or user names field, select the domain administrator you specified in step #16.
19. In the Permissions for Administrators field, ensure that there is a checkmark under the Allow column for both Remote Launch and Remote Activation.
20. Click OK.
21. Click OK.
22. Close the Group Policy Object Editor window.
23. Click OK and close the Active Directory Users and Computers window.

Referencing https://answers.splunk.com/answers/2703/how-to-enable-wmi-data-collection-on-a-domain-server.html

There's no non-esoteric way at this time to globally configure WMI security settings domain-wide. Each machine has its own setting. There is an MSDN blog, however, that lists the steps you can take to create a script that contains the appropriate security descriptors, which you can then subsequently throw into a GPO as a startup script and have your computers get the updated security settings at boot time.

Here's the link to the blog post w/ method for the creating a script: https://blogs.msdn.microsoft.com/spatdsg/2007/11/21/set-wmi-namespace-security-via-gpo-script/

This approach gave me a usable method to enable WMI access for a non-Domain Admin service account using GPO.

Microsoft have another, more recent article demonstrating how to do this via Group Policy with a PowerShell script:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/delegate-wmi-access-to-domain-controllers/ba-p/259535

Not sure why they do it with a scheduled task. I believe Group Policy Startup Scripts now support PowerShell natively.

The original script is still available but I suggest using this copy which fixes a bug.