Below are the steps the Microsoft support came up with to rectify the problem. They must be run on each remote server that the EPM connects to.
Start > Run > wmimgmt.msc
In the tree view on the left, right-click on WMI Control (Local) and select Properties.
Click on the Security tab, expand the tree and click on CIMV2 to highlight it.
Click on the Security button.
Click Add, type in the name of the domain account that the job runs under ("APACORP\svcsql_2008epm" in my case) and click on Check.Names.
Click OK. Now grant svcsql_2008 additional access by putting a checkmark in “Execute Methods”, “Full Write”, “Partial Write”, “Provider Write”, “Remote Enable” and “Read Security”. Make
sure that “Edit Security” remains unchecked. Click Apply and OK.
Repeat the same steps for the “ms_409” branch directly under CIMV2:
Click on ms_409 > Security > Add > APACORP\svcsql_2008epm (or whatever your account is) > Check Names > OK > Checkmarks on Execute Methods, Full Write, Partial Write, Provider Write, Enable Account (checked by default), Remote Enable and
Read Security. Make sure Edit Security is not checked. Click Apply > OK > OK.
The grants to the WMI is now complete, close the WMI management console.
The next step is to grant access to DCOM.
Click Start > Run > DCOMCNFG > OK.
In the treeview on the left, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
In the My Computer Properties dialog box, click the COM Security tab.
Under Launch and Activation Permissions, click Edit Limits to open the “Launch and Activation Permissions” dialog box.
Click Add and enter “svcsql_2008EPM” (our whatever your account is) and click Check Names then click OK
Leave the Allow check on “Local Launch” and place checks on “Remote Launch” and “Remote Activation” as well. Click OK when done.
Click Apply and OK. Close the component service application as DCOM security changes are now complete.
To test the security changes, connect to server running the EPM using the svcsql_2008EPM account and select Start > Run > wbemtest
Click the Connect button in the upper right-hand corner. In the Namespace field, append the server name to the beginning so that it appears as: \\app-srv25\root\cimv2
All the buttons should be active (i.e. not grayed out). Click on Query and enter the following:
select EventCode from Win32_NTLogEvent where EventCode=55 and Logfile="System"
The query should not retrieve any data but should complete with a status of “Done”
Click Close and Exit to finish with the Windows Management Instrument Tester.
Re-run the EPM data collection job - the Windows Log policies will no longer complete with an error.