The error was misleading. When I checked the PowerShell results directory ("D:\MSSQL10.CMS\EPM\Results" on my installation), I found the XML files for each of the policies, and buried within those I found the following:
<DMF:Exception type="string">
Microsoft.SqlServer.Management.Dmf.PolicyEvaluationException:
Exception encountered while executing policy 'Windows Event Log System Failure Error'.
...
---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
So my problem is with security permissions. Here's what I did to fix it:
In order to monitor Windows log files on a remote server, we need to make the following security changes. Connect to the remote server and perform the following steps to grant access to WMI:
Start > Run > wmimgmt.msc
In the tree view on the left, right-click on WMI Control (Local) and select Properties.
Click on the Security tab, expand the tree and click on CIMV2 to highlight it.
Click on the Security button.
Click Add, type in <monitoring_account> and click on Check Names.
Click OK. Now grant <monitoring_account> additional access by putting a checkmark in “Execute Methods”, “Full Write”, “Partial Write”, “Provider Write”, “Remote Enable” and “Read Security”. Make sure that “Edit Security” remains unchecked. Click Apply and OK.
Repeat the same steps for the “ms_409” branch directly under CIMV2.
Click on ms_409 > Security > Add > <monitoring_account> > Check Names > OK > Checkmarks on Execute Methods, Full Write, Partial Write, Provider Write, Enable Account (checked by default), Remote Enable and Read Security. Make sure Edit Security is not checked.
Click Apply > OK > OK.
The grants to WMI are now complete; close the WMI management console.
The next step is to grant access to DCOM.
1. Click Start > Run > DCOMCNFG > OK.
2. In the tree view on the left, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
3. In the My Computer Properties dialog box, click the COM Security tab.
4. Under Launch and Activation Permissions, click Edit Limits to open the “Launch and Activation Permissions” dialog box.
5. Click Add, enter <monitoring_account>, click Check Names, then click OK.
6. Leave the Allow check on “Local Launch” and place checks on “Remote Launch” and “Remote Activation” as well. Click OK when done.
7. Click Apply and OK. Close the Component Services application, as the DCOM security changes are now complete.
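
To confirm the WMI grants described above, the following added example (not part of the original post) reads the security descriptor of both namespaces and lists the rights held by the monitoring account, flagging "Edit Security" if it was granted by mistake. It assumes an elevated PowerShell session on the remote server, and the account name shown is a placeholder.

```powershell
# Added example: audit the WMI namespace ACEs held by the monitoring account.
# Only ACEs that name the account directly are matched, not rights via groups.
$Account    = 'DOMAIN\monitoring_account'   # placeholder, replace with your account
$Namespaces = 'root\cimv2', 'root\cimv2\ms_409'

# WMI namespace access-mask bits, labelled as in the WMI Control security dialog.
$Rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

foreach ($ns in $Namespaces) {
    # __SystemSecurity exposes the namespace's security descriptor.
    $result = Invoke-WmiMethod -Namespace $ns -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        Write-Warning "$ns : GetSecurityDescriptor failed with code $($result.ReturnValue)"
        continue
    }

    # AceType 0 is an Allow ACE; Deny ACEs (type 1) are ignored here.
    $aces = $result.Descriptor.DACL | Where-Object {
        "$($_.Trustee.Domain)\$($_.Trustee.Name)" -ieq $Account -and $_.AceType -eq 0
    }
    if (-not $aces) {
        Write-Warning "$ns : no Allow ACE found for $Account"
        continue
    }

    # Combine the masks of all matching ACEs, then decode them into right names.
    $mask = 0
    foreach ($ace in $aces) { $mask = $mask -bor $ace.AccessMask }
    $granted = $Rights.Keys | Where-Object { $mask -band $Rights[$_] }

    [pscustomobject]@{
        Namespace    = $ns
        Granted      = $granted -join ', '
        EditSecurity = [bool]($mask -band $Rights['Edit Security'])  # should be False
    }
}
```

A row with EditSecurity set to True means the account can change the namespace ACL, which the steps above say to leave unchecked.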