Problems running Get-WUHistory against remote computers

[Mike Leone]

This is driving me nuts. I'm trying to query my hosts for the last Windows Update applied, using the PSWindowsUpdate module. The command I am running is:

$LastWUAppliedDate = (Get-WUHistory -ComputerName $ServerName -Last 1 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue).Date

And  it works for most hosts, and not for others. On the hosts where it doesn't connect, I get this:

 >Get-WUHistory -ComputerName DC1APP001 -Last 1

 >Get-WUHistory : DC1APP001: Connection failure, check firewall on destination machine.

At line:1 char:2
+  Get-WUHistory -ComputerName DC1APP001 -Last 1
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [Get-WUHistory], Exception
    + FullyQualifiedErrorId : 800706BA,PSWindowsUpdate.GetWUHistory

I do test that the machine is responding:

> Test-NetConnection -ComputerName DC1APP001

ComputerName           : DC1APP001
RemoteAddress          : 10.64.126.125
InterfaceAlias         : Ethernet0 2
SourceAddress          : 10.64.7.39
PingSucceeded          : True
PingReplyDetails (RTT) : 0 ms

Now, on that machine, I do have a GPO that makes a firewall rule that allows Dynamic RPC ports, which my searches say may be required for the PSWindowsUpdate module to connect:

program path: %SystemRoot%\System32\dllhost.exe
protocol type: TCP
local port: RPC Dynamic Ports
remote port: all ports.

I have verified that this policy is creating the firewall rule on that problematic host. 

 I do have PSRemoting enabled, via GPO, for all my hosts (WinRM service enabled, and firewall rule enabled).

> winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

So what else do I need to do, to get it to connect?? What am I missing, on the hosts that refuse to connect? This is a Win 2019 host, but I have the problem on some older Win 2012 R2 hosts, too. 

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

[Gordon Pegue]

Wild guess from a PS noob, but does the user context you’re using on your client to run the script have admin permissions on the remote host?

 

I had a similar issue to yours: PS script would run on some remote hosts but not all. As soon as I added my service account to the local admins group on the remote hosts, all my “weird” connection issues vanished.

 

Gordon

 

From: ntpowe...@googlegroups.com <ntpowe...@googlegroups.com> On Behalf Of Mike Leone
Sent: Thursday, March 31, 2022 10:21 AM
To: NTPowershell Mailing List <ntpowe...@googlegroups.com>
Subject: [ntpowershell] Problems running Get-WUHistory against remote computers

 

  [EXTERNAL]

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BjJfNmVwQrLYHzMsdF2TGqdvL%2BwWFyEZuGT62SVtTn5Pg%40mail.gmail.com.

[Mike Leone]

On Thu, Mar 31, 2022 at 12:42 PM Gordon Pegue <gpe...@unm.edu> wrote:

Wild guess from a PS noob, but does the user context you’re using on your client to run the script have admin permissions on the remote host?

yes. That account is a member of an AD group that is added to Local Admins on all hosts. I verified that, too. :-)

 

I had a similar issue to yours: PS script would run on some remote hosts but not all. As soon as I added my service account to the local admins group on the remote hosts, all my “weird” connection issues vanished.

I'm pretty sure mine is a firewall issue, since when I turn off the domain firewall on that host, it connects right up:

> Get-WUHistory -ComputerName DC1APP001

WARNING: To perform some operations you must run an elevated Windows PowerShell console.

>

(I had cleared the update history, that's why it returns nothing. But you'll see that it doesn't error out ....)

 

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CY4PR07MB3144D944153050AD0FB6C180D3E19%40CY4PR07MB3144.namprd07.prod.outlook.com.

[Gordon Pegue]

Just spotted this Mike:

 

https://serverfault.com/questions/737691/firewall-blocking-pswindowsupdate

 

It’s an older post but towards the bottom, mention is made of this:

 

You can run PS> enable-WUremoting on the remote host. This will create a new inbound rule called PSWindowsUpdate (RPC Dynamics Ports) which covers all the settings mentioned previously.

 

Maybe this’ll help.

 

Gordon

[Mike Leone]

You have to install the module locally on the remote host, in order to issue that Enable-WURemoting (that command is only available in the module). I was hoping to avoid installing the module locally on every server.

Having said that, I did install it locally on a dozen of the servers that weren't connecting, and issued the Enable-WURemoting and Enable-PSRemiting lovely there, , and now my script just connects to those servers.

I'll see if I can push the module out to the rest that aren't connecting ..

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CY4PR07MB31449208BCE9BC6F4BC312C5D3E19%40CY4PR07MB3144.namprd07.prod.outlook.com.

[Shawn Masterson]

Get-Hotfix ?

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BjKp4fzZ5sv_8kyj5DZ88m_EFE1Urk7N07nDwYdxQ-VwA%40mail.gmail.com.

[Mike Leone]

On Thu, Mar 31, 2022, 4:32 PM Shawn Masterson <smast...@gmail.com> wrote:

Get-Hotfix 

Don't see how that applies... I'm not looking for hotfixes, but the last Windows Update applied, and when, which may not have been a hot fix.

[Gordon Pegue]

Here’s a code fragment from a function I’ve been working on that may help:

 

# Assumes $Session contains a New-PSSession object

# Next, check to see if PSWindowsUpdate module is installed and install if not:

$r1 = Invoke-Command -Session $Session -ScriptBlock {

                If ($null -eq (Get-Module -Name PSWindowsUpdate -ListAvailable) )

                                {

                                Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

                                Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

                                Install-Module PSWindowsUpdate -Force

                                Import-Module PSWindowsUpdate

                                Enable-WURemoting

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BjKp4fzZ5sv_8kyj5DZ88m_EFE1Urk7N07nDwYdxQ-VwA%40mail.gmail.com.

[Mike Leone]

On Fri, Apr 1, 2022 at 10:33 AM Gordon Pegue <gpe...@unm.edu> wrote:

Here’s a code fragment from a function I’ve been working on that may help:

 

# Assumes $Session contains a New-PSSession object

# Next, check to see if PSWindowsUpdate module is installed and install if not:

$r1 = Invoke-Command -Session $Session -ScriptBlock {

                If ($null -eq (Get-Module -Name PSWindowsUpdate -ListAvailable) )

                                {

                                Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

                                Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

                                Install-Module PSWindowsUpdate -Force

                                Import-Module PSWindowsUpdate

                                Enable-WURemoting

                                }

}

 

Thanks. I do something similar when installing locally, although I install from a local repository, since most of my servers don't have Internet access:

(lots of screen writes, I know. Sue me LOL)

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force

# Connect to local repository, so that we can load modules, in case they are not installed locally
$LocalRepoLocation = "\\san2\netadmin\PHA_PS_Internal_Repository"
$LocalRepoName     = "PHA Internal PSRepository"
$NuGetLocation = "\\san2\netadmin\PHA_PS_Internal_Repository\nuget"
$LocalNuGetLocation = "C:\Program Files\PackageManagement\ProviderAssemblies\nuget"
$ModuleName = "PSWindowsUpdate"

 Write-Host -ForegroundColor Green "Checking to see if PHA Internal PSRepository is registered ..."
IF ((Get-PSRepository | Where {$_ -match "Internal"} ) -eq $null ) {
        Write-Host -fore Green "-- Nope, Internal Repository not present"
        Write-Host -ForegroundColor Green "We will first copy, then Import PackageProvider"
# Copy files NuGet Package from network to local machine
        $FileExists = Test-Path $LocalNuGetLocation
        IF ($FileExists -eq $false) {
           Write-Host -ForegroundColor Red "`NUGET` does not exist! Copying over the NuGet files first ..."
           Copy-Item -Path $NuGetLocation -Recurse -Destination $LocalNuGetLocation -Container -Verbose
        } ELSE {
           Write-Host -ForegroundColor Green "`NUGET` exists! Importing ...."
        }
        Write-Host "Importing PackageProvider"
        Get-PackageProvider -ListAvailable
        Import-PackageProvider -Name NuGet -Verbose #  -RequiredVersion 2.855.208
        Write-Host -ForegroundColor Green "Now registering local PSRepository"
        Register-PSRepository -Name $LocalRepoName -SourceLocation $LocalRepoLocation -InstallationPolicy Trusted
} ELSE {
       Write-Host -ForegroundColor Green "-- Good! Internal PHA PSRepository already installed and configured"
       Get-PSRepository
}

Write-Host -fore Green "Checking if PSWindowsUpdate Module is installed ..." -NoNewLine
if ((Get-Module | Where { $_ -match "PSWindowsUpdate" }) -eq $null) {
        Write-Host -fore Green "-- Installing PSWindowsUpdate Module"
        Install-Module -Name "$ModuleName" -Repository "$LocalRepoName" -Scope CurrentUser
} ELSE {
       Write-Host "|---- Good! Internal Repository already configured"
}

Enable-PSRemoting -Force
Enable-WURemoting -Verbose

 

And yet, even doing the above, I still sometimes get this:

> Get-WUHistory -ComputerName DC2TTL001 -verbose

WARNING: To perform some operations you must run an elevated Windows PowerShell console.

VERBOSE: Performing the operation "(4/1/2022 10:38:45 AM) Get Windows Update History" on target "DC2TTL001".
Get-WUHistory : DC2TTL001: Unknown failure.
At line:1 char:1
+ Get-WUHistory -ComputerName DC2TTL001 -verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Get-WUHistory], Exception
    + FullyQualifiedErrorId : Unknown,PSWindowsUpdate.GetWUHistory

At least it's not saying Denied anymore, I suppose that's something ... LOL

[Markus Klocker]

I don't know if ever happened to you but here is what I have observed with PSWindowsUpdate 2.1.1.2:
remoting to a machine running 20H2 onwards and then executing Get-WUHistory gets the PS session comletely stuck.
Not even an error. Can't get out with CTRL+C and never comes back.

    Markus

[Mike Leone]

On Mon, Apr 4, 2022 at 1:49 AM Markus Klocker <markus....@univie.ac.at> wrote:

I don't know if ever happened to you but here is what I have observed with PSWindowsUpdate 2.1.1.2:
remoting to a machine running 20H2 onwards and then executing Get-WUHistory gets the PS session comletely stuck.
Not even an error. Can't get out with CTRL+C and never comes back.

No, I haven't seen that. But the only thing I use the module for is to get the WUHistory, and even then, I do it remotely, I don't remote to the machine itself, I just query from a script host.

 

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/0906623f-c69d-60bd-d89a-fe03f1b03b39%40univie.ac.at.