PSWindowsUpdate inconsistent connections

[Mike Leone]

This is driving me batty. I have a script that uses the PSWindowsUpdate module. It queries a list of remote hosts. If I run it from 1 VM, it runs fine - connects to all hosts, life is good, I get my answers.

If I log in with the same account to a different VM, run the exact same script .. I get lots of "Can't connect" errors.

And I don't know why. If it works from 1 host,that means that the remote hosts are listening, and allowing PSRemoting. I don't have any firewall rules that only allow remoting from certain hosts, so why doesn't it just connect from *any* host??

Where do I go, to narrow down why? I know it's not a firewall rule on the VM I am running the script on, because it *does* work, but only to *some* hosts. I can connect just fine. Yet if I try to use it to query another remote host, it fails. Even if that remote host can be queried from another VM.

I'm trying to write a script for my help desk staff to run, to query when windows updates were last applied, so they can see if there are any remote hosts they have to check on.

Thoughts, anyone? I'm pretty sure it isn't permissions, as I am using the same account from both VMs,. And I don't think it's firewall, since it works from 1 host, and not another, yet there are no specific firewall rules to disallow connections on any host.

Thanks

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

[Mike Leone]

Forgot to include the actual error. I am doing a 

TRY {
$LastWUAppliedDate = (Get-WUHistory -ComputerName $ServerName -Last 1 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue).Date

And the Catch is showing this:

 $ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName

 Error= A positional parameter cannot be found that accepts argument '$null'.

Yet that same command works fine for some hosts, and not others. 

[Mike Leone]

OK. More digging, I am getting a permission denied:

PS P:\software\PHA Scripts> Get-WUHistory -ComputerName ADMNFTP001 -Last 1
WARNING: To perform some operations you must run an elevated Windows PowerShell console.
Get-WUHistory : ADMNFTP001: Unknown failure.
At line:1 char:1
+ Get-WUHistory -ComputerName ADMNFTP001 -Last 1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Get-WUHistory], Exception
    + FullyQualifiedErrorId : Unknown,PSWindowsUpdate.GetWUHistory

Yet if I access a different host, I don't:

PS P:\software\PHA Scripts> Get-WUHistory -ComputerName CSRVFIL001 -Last 1
WARNING: To perform some operations you must run an elevated Windows PowerShell console.

ComputerName Operationname  Result     Date                Title
------------ -------------  ------     ----                -----
CSRVFIL001   Installation   Succeeded  1/31/2021 9:17:2... 2020-12 Cumulative Update for Windows Server 2019 for x64...

Using the same username, which is a local admin, both here and on the target host. What is THAT about???

[Michael B. Smith]

UAC is my SWAG.

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BhOOwjn06omHtj2CwYWLnhmZoYmRrRV0eR3ma_%2B%3DQqS_g%40mail.gmail.com.

[Mike Leone]

On Tue, Feb 23, 2021 at 5:30 PM Michael B. Smith <mic...@smithcons.com> wrote:

UAC is my SWAG.

Yes, but why? the account has the right permissions (local admin)  onn both remote hosts, and the local hosts. So why is UAc working against me on 1 remote host, and not on the other?

And why doesn't it happen when I run the same script, with the same account, from a different VM? That's what I don't get. I'm trying to narrow it down, but I haven't ascertained the commonalities (yet).

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/1e889b2d70d04f4ea149bc31103dc97d%40smithcons.com.

[Michael B. Smith]

UAC is a per-system configuration unless is overridden by GPO.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BgJRcSyZeu5DvUvsVPC7uH2SeWNNruoUOgjpJEzJayvsA%40mail.gmail.com.

[Mike Leone]

This is odd. From 1 VM:

PS O:\software\PHA Scripts> Get-WUHistory -ComputerName ADMNFTP001 -Last 1

WARNING: To perform some operations you must run an elevated Windows PowerShell console.

ComputerName Operationname  Result     Date                Title

------------ -------------  ------     ----                -----

ADMNFTP001   Installation   Succeeded  1/31/2021 9:08:2... 2020-12 Security Only Quality Update for Windows Server 2012 R2 for x64-based Systems (KB4592495)

From a 2nd VM, logged in as the exact same user:

[Mike Leone]

On Fri, Feb 26, 2021, 7:54 AM Michael B. Smith <mic...@smithcons.com> wrote:

UAC is a per-system configuration unless is overridden by GPO.

Ok, you're trying to point me to a hint, but I guess I'm too stupid to get it. :-)

I haven't touched UAC on the local machine or the remote machine. Haven't changed GPOs, either.

Here's another strange part. When I first emailed, I was able to query a remote host with no problem. Now, it fails, with that permissions issue.

Yet I haven't changed the user running the script, or the permissions or UAC on the local or remote host, not the GPO, etc. Literally I did nothing, I ran the script at the end of one workday, and it worked. Next morning, it didn't work. I was still signed in, and changed nothing on the remote hosts overnight, etc.

I'm confused. It just worked one day, and now didn't work. :-) Yet it still works to query some other remote hosts, and fails on others.

Since it won't query for last applied update, the best I can do is ask when last reboot happened, via WMI. Not ideal, but since many/most updates want a reboot, it's the closest approximation I can do. To determine when updates were applied/reboot happened.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/bfe50eb3e7e0429f89455a8e9b7c788a%40smithcons.com.

[Kurt Buff, GSEC/GCIH/PCIP]

Inconsistent application of GPOs?

> To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BgJRcSyZeu5DvUvsVPC7uH2SeWNNruoUOgjpJEzJayvsA%40mail.gmail.com.