
Microsoft to Remove WMIC Tool After Windows 11 25H2 Update

Summary

– Microsoft will remove the WMIC tool from Windows 11 25H2 and later versions, recommending PowerShell and other modern tools as replacements.
– WMIC is a legacy command-line interface for interacting with Windows Management Instrumentation (WMI), which itself remains unaffected by this change.
– The removal aims to improve security by eliminating a tool often exploited by malware for malicious activities like deleting backups or disabling antivirus software.
– Microsoft had previously deprecated WMIC in 2016 for Windows Server and 2021 for Windows 10, converting it to an optional feature before deciding on full removal.
– IT administrators are advised to update their documentation and processes, with further guidance available in a Microsoft support document.

Microsoft has officially confirmed that the Windows Management Instrumentation Command-line (WMIC) tool will be removed following the installation of the Windows 11 25H2 update and all subsequent releases. This decision marks the final step in a long-planned transition toward more modern and secure system management tools.

WMIC, a legacy command-line utility, has historically enabled users to interact with the Windows Management Instrumentation (WMI) framework through text-based commands. In a recent advisory via the Microsoft 365 message center, the company is urging IT administrators to migrate their workflows to Windows PowerShell for WMI, scripts, and other administrative tasks. Future Windows versions will no longer include WMIC as a default component.

According to Microsoft, “We recommend using PowerShell and other contemporary tools for any functions previously handled by WMIC. Programmatic alternatives include WMI’s COM API, .NET libraries, or various scripting languages. Once a migration path is chosen, organizations should update their internal documentation and procedures accordingly.”

It is important to note that this change applies only to the WMIC interface itself. The underlying Windows Management Instrumentation (WMI) infrastructure remains fully supported and unaffected by this removal. Additional guidance for administrators currently relying on WMIC is available in a dedicated support document published by Microsoft.
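For administrators planning that migration, the following PowerShell sketch inventories scripts that still call WMIC and suggests the CIM class to query instead. It is an added example, not code from Microsoft or the original article; the function name `Find-WmicUsage`, the sample files, and the host name `srv01` are constructed for illustration, and the alias table is a partial list of standard WMIC aliases.

```powershell
# Added example: find scripts that still invoke wmic.exe and suggest a CIM replacement.
# Partial map of standard WMIC aliases to their WMI classes; extend as needed.
$AliasToClass = @{
    os             = 'Win32_OperatingSystem'
    bios           = 'Win32_BIOS'
    cpu            = 'Win32_Processor'
    computersystem = 'Win32_ComputerSystem'
    logicaldisk    = 'Win32_LogicalDisk'
    process        = 'Win32_Process'
    service        = 'Win32_Service'
    qfe            = 'Win32_QuickFixEngineering'
}

function Find-WmicUsage {
    param([Parameter(Mandatory)][string]$Path)
    # Match "wmic" or "wmic.exe", skip global switches such as /node:host,
    # and capture the alias that follows.
    $pattern = '\bwmic(?:\.exe)?\s+(?:/\S+\s+)*(?<alias>[a-z_]+)'
    Get-ChildItem -Path $Path -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $alias = $_.Matches[0].Groups['alias'].Value.ToLower()
            $class = $AliasToClass[$alias]
            if ($class) { $suggestion = "Get-CimInstance -ClassName $class" }
            else        { $suggestion = 'Review manually' }
            [pscustomobject]@{
                File       = $_.Path
                Line       = $_.LineNumber
                Command    = $_.Line.Trim()
                Suggestion = $suggestion
            }
        }
}

# Constructed sample input so the example runs offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'wmic-inventory-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'inventory.cmd') 'wmic /node:srv01 os get Caption,Version'
Set-Content (Join-Path $demo 'patches.bat')   'wmic.exe qfe list brief'

Find-WmicUsage -Path $demo | Format-Table -AutoSize
```

Lines flagged "Review manually" use an alias outside the sample table or a form the simple pattern does not parse, such as a quoted switch value containing spaces.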

The deprecation process for WMIC has been gradual. Microsoft first announced its obsolescence in Windows Server 2012 back in 2016, followed by Windows 10 version 21H1 in 2021. With the release of Windows 11 22H2, WMIC was converted into an optional Feature on Demand (FoD). Earlier this year, in January 2024, the company declared its intention to completely remove the tool after initially disabling it by default.

Microsoft explained the reasoning behind this move, stating, “Significant investment has been directed toward PowerShell in recent years. Newer tools offer more efficient methods for querying WMI. Eliminating deprecated components reduces system complexity while enhancing security and productivity.”

Beyond simplifying the operating system, retiring WMIC brings considerable security benefits. The tool has frequently been abused by malware authors and attackers as a LOLBIN (living-off-the-land binary), a legitimate Microsoft-signed executable that threat actors repurpose for malicious activities.

For example, numerous ransomware strains have used WMIC commands to delete Shadow Volume Copies, preventing victims from restoring their files. Other attacks have leveraged the tool to identify and remove installed antivirus software. Malware has also been observed adding exclusions to Microsoft Defender via WMIC, effectively bypassing detection mechanisms.

(Source: Bleeping Computer)
