Frustration with remoting

[Kurt Buff, GSEC/GCIH/PCIP]

I've some a fair amount of SFTW, and am not finding my answers, so any help appreciated. We don't yet have LAPS applied to servers, which is on my list of things to do.

Any suggestions very welcome.

I'm working from my laptop, on which I'm logged in using my DA credentials.

I'm trying to use PSWindowsUpdate cmdlets to get a couple of servers to talk with our WSUS server.

I've started a powershell session using runas for my server admin account "runas /user:kbuff-...@example.org powershell"

When I try using get-windowsupdate in that session, I get the following:

PS C:\Temp> get-windowsupdate -ComputerName <server> -AcceptAll -AutoReboot -Verbose
get-windowsupdate : To perform operations you must run an elevated Windows PowerShell console.
At line:1 char:1
+ get-windowsupdate -ComputerName gfcaadconnect -AcceptAll -AutoReboot  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Get-WindowsUpdate], Exception
    + FullyQualifiedErrorId : AccessDenied,PSWindowsUpdate.GetWindowsUpdate

I also have an elevated PowerShell session with my DA credentials, and out of frustration tried the cmdlet there, just to see what would happen. It was even less successful:

PS C:\Temp> get-windowsupdate -ComputerName <server> -AcceptAll -AutoReboot -Verbose
get-windowsupdate : gfcaadconnect: Access denied. You don't have permission to perform this task.
At line:1 char:1
+ get-windowsupdate -ComputerName gfcaadconnect -AcceptAll -AutoReboot  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Get-WindowsUpdate], Exception
    + FullyQualifiedErrorId : 80070005,PSWindowsUpdate.GetWindowsUpdate

[Michael B. Smith]

What version of OS on the servers?

 

I think I’ve seen this before. The error is actually about RPC permissions, if I remember correctly. You may need to run your powershell session as system.

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CADy1Ce4%3D61zQ8BOt3FNMKB8D7ZuZviK5h4LVicFVHqLxTWWbjg%40mail.gmail.com.

[Kurt Buff, GSEC/GCIH/PCIP]

Ah yes - forgot to mention that the servers are 2012 R2 and 2016.

How would I run the powershell session as system?

Kurt

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/4ea359cc31414e2ab7c273426e19db7d%40smithcons.com.

[Matt Stork]

Two things. First, the Get-WindowsUpdate cmdlet requires it is run from an elevated prompt, even when making the remote call. I get around it by using Invoke-Command. Second, Windows does not allow the installation of updates to be installed remotely. You have to use the -ScheduleJob parameter. The module will create a scheduled task that runs the command that should work but locally and as System. Dumb but that is how I get around this exact issue.

-Matt

 

From: ntpowe...@googlegroups.com <ntpowe...@googlegroups.com> On Behalf Of Kurt Buff, GSEC/GCIH/PCIP
Sent: Friday, August 14, 2020 11:57 AM
To: ntpowe...@googlegroups.com
Subject: [ntpowershell] Frustration with remoting

 

I've some a fair amount of SFTW, and am not finding my answers, so any help appreciated. We don't yet have LAPS applied to servers, which is on my list of things to do.

--

[Kurt Buff, GSEC/GCIH/PCIP]

On Fri, Aug 14, 2020 at 1:38 PM Matt Stork <mst...@northwestern.edu> wrote:
>
> Two things. First, the Get-WindowsUpdate cmdlet requires it is run from
> an elevated prompt, even when making the remote call.

I've noticed that, and not only with that cmdlet. I'd really like to
know how to start a remote interactive session with elevation, as it
would help with lots of tasks.

> I get around it by using Invoke-Command. Second, Windows does not allow
> the installation of updates to be installed remotely. You have to use the
> -ScheduleJob parameter. The module will create a scheduled task that runs
> the command that should work but locally and as System. Dumb but that is
> how I get around this exact issue.

OK - that makes no sense, though I think I understand it. I'll go read
up on that.

Thanks.

Kurt

[Kurt Buff, GSEC/GCIH/PCIP]

Oh, wait...

Does the use of invoke-command for Get-WindowsUpdate require that the
PSWindowsUpdate module be installed on the remote machine?

If it does, how do you distribute that to your fleet?

Kurt

On Fri, Aug 14, 2020 at 1:38 PM Matt Stork <mst...@northwestern.edu> wrote:
>

> To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/DM6PR05MB6538C593B2D089729184297EBF400%40DM6PR05MB6538.namprd05.prod.outlook.com.

[Matt Stork]

It does require the module is installed on the remote system. I make the module part of the VM templates / system images. For updates, since the module is just a few files, you can use whatever method you have to copy files around. That can be copy-item to "\\servername\C$\Program Files\WindowsPowerShell\Modules\PSWindowsUpdate\2.2.0.2" or zip it up any use SCCM or similar products to deploy the files.

I believe using Enter-PSSession will give you an interactive-ish session with full admin rights on a remote system. I say -ish because you still need to use the -ScheduleJob parameter to install updates. I have yet to try enabling SSH and trying it that way.

"OK - that makes no sense, though I think I understand it. I'll go read up on that."

Basically, that was my reaction and went with it. Life is too short to try to make sense of every part of an OS, let alone Windows.
-Matt

> + ~

> + CategoryInfo : PermissionDenied: (:) [Get-WindowsUpdate], Exception
> + FullyQualifiedErrorId :
> AccessDenied,PSWindowsUpdate.GetWindowsUpdate
>
> I also have an elevated PowerShell session with my DA credentials, and out of frustration tried the cmdlet there, just to see what would happen. It was even less successful:
>
> PS C:\Temp> get-windowsupdate -ComputerName <server> -AcceptAll
> -AutoReboot -Verbose get-windowsupdate : gfcaadconnect: Access denied. You don't have permission to perform this task.
> At line:1 char:1
> + get-windowsupdate -ComputerName gfcaadconnect -AcceptAll -AutoReboot ...
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> + ~

> + CategoryInfo : PermissionDenied: (:) [Get-WindowsUpdate], Exception
> + FullyQualifiedErrorId :
> 80070005,PSWindowsUpdate.GetWindowsUpdate
>
> --
> You received this message because you are subscribed to the Google Groups "ntpowershell" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.

> To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntpowershell/CADy1Ce4*3D61zQ8BOt3FNMKB8D7ZuZviK5h4LVicFVHqLxTWWbjg*40mail.gmail.com__;JSU!!Dq0X2DkFhyF93HkjWTBQKhk!HfmOIBpb-I3jrnCiM-sOYfHt0vogOGp1SKHa99GipuBgaB687G7Wo7JgAkTtnoT98m5R$ .

>
> --
> You received this message because you are subscribed to the Google Groups "ntpowershell" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.

> To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntpowershell/DM6PR05MB6538C593B2D089729184297EBF400*40DM6PR05MB6538.namprd05.prod.outlook.com__;JQ!!Dq0X2DkFhyF93HkjWTBQKhk!HfmOIBpb-I3jrnCiM-sOYfHt0vogOGp1SKHa99GipuBgaB687G7Wo7JgAkTtnu9ohaPh$ .

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.

To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntpowershell/CADy1Ce4HM*2B_gjAtjJRvkWKyUm69rEDZ94SHJovNn1LL-pCg_vA*40mail.gmail.com__;JSU!!Dq0X2DkFhyF93HkjWTBQKhk!HfmOIBpb-I3jrnCiM-sOYfHt0vogOGp1SKHa99GipuBgaB687G7Wo7JgAkTtnoIgGI4W$ .

[Matt Stork]

I remembered I had a testing 2019 box with SSH enabled. SSH will not allow installation of updates. Same access is denied message. Works fine if I used -ScheduleJob to install the update.

I look at it this way, with -ScheduledJob, I can schedule installation of patches at odd times. I want one server to start installing updates at 3:35 a.m. and a second 3:45 a.m., I can do that.

To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntpowershell/DM6PR05MB65381A72696A0FDD9493FCAABF400*40DM6PR05MB6538.namprd05.prod.outlook.com__;JQ!!Dq0X2DkFhyF93HkjWTBQKhk!HKVr_ckcxRuxOS9It8gAdwqQGV60uzbxPP9GTD6JRJID71XNxsuYSICwMjvObuNwuz2D$ .

[Michael B. Smith]

I use psexec or Invoke-CommandAs (a more-or-less equivalent PS tool) to run as system on a remote host.

Once you are there, you can deliver the module or use the native tools to schedule updates (different for 2012r2 and 2016).

-----Original Message-----
From: ntpowe...@googlegroups.com <ntpowe...@googlegroups.com> On Behalf Of Matt Stork
Sent: Friday, August 14, 2020 4:35 PM
To: ntpowe...@googlegroups.com
Subject: RE: [ntpowershell] Frustration with remoting

> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> + ~
> + CategoryInfo : PermissionDenied: (:) [Get-WindowsUpdate], Exception
> + FullyQualifiedErrorId :
> AccessDenied,PSWindowsUpdate.GetWindowsUpdate
>
> I also have an elevated PowerShell session with my DA credentials, and out of frustration tried the cmdlet there, just to see what would happen. It was even less successful:
>
> PS C:\Temp> get-windowsupdate -ComputerName <server> -AcceptAll
> -AutoReboot -Verbose get-windowsupdate : gfcaadconnect: Access denied. You don't have permission to perform this task.
> At line:1 char:1
> + get-windowsupdate -ComputerName gfcaadconnect -AcceptAll -AutoReboot ..

> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> + ~
> + CategoryInfo : PermissionDenied: (:) [Get-WindowsUpdate], Exception
> + FullyQualifiedErrorId :
> 80070005,PSWindowsUpdate.GetWindowsUpdate
>
> --
> You received this message because you are subscribed to the Google Groups "ntpowershell" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
> To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntpowershell/CADy1Ce4*3D61zQ8BOt3FNMKB8D7ZuZviK5h4LVicFVHqLxTWWbjg*40mail.gmail.com__;JSU!!Dq0X2DkFhyF93HkjWTBQKhk!HfmOIBpb-I3jrnCiM-sOYfHt0vogOGp1SKHa99GipuBgaB687G7Wo7JgAkTtnoT98m5R$ .
>
> --
> You received this message because you are subscribed to the Google Groups "ntpowershell" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
> To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntpowershell/DM6PR05MB6538C593B2D089729184297EBF400*40DM6PR05MB6538.namprd05.prod.outlook.com__;JQ!!Dq0X2DkFhyF93HkjWTBQKhk!HfmOIBpb-I3jrnCiM-sOYfHt0vogOGp1SKHa99GipuBgaB687G7Wo7JgAkTtnu9ohaPh$ .

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/ntpowershell/CADy1Ce4HM*2B_gjAtjJRvkWKyUm69rEDZ94SHJovNn1LL-pCg_vA*40mail.gmail.com__;JSU!!Dq0X2DkFhyF93HkjWTBQKhk!HfmOIBpb-I3jrnCiM-sOYfHt0vogOGp1SKHa99GipuBgaB687G7Wo7JgAkTtnoIgGI4W$ .

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/DM6PR05MB65381A72696A0FDD9493FCAABF400%40DM6PR05MB6538.namprd05.prod.outlook.com.

[Kurt Buff, GSEC/GCIH/PCIP]

OK - another command/module to add to the toolbox.

Very nice, and thank you.

Kurt

> To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/33188a39153d4396a507f2fe0bc26950%40smithcons.com.