question

Vin-8219 asked Vin-8219 commented

While learning PowerShell for WinRM, I found that when I entered a script block in the Invoke-Command command to add functions (Add-WindowsCapability), it kept reporting an error!

I have consulted about_Remote_Troubleshooting, Invoke-Command, WinRM and many recommended documentation pages, and I have also searched Stack Overflow, but found no solution.

You can use Get-WindowsCapability to query normally and Remove-WindowsCapability to uninstall normally, but using Add-WindowsCapability to add reports an error (access is denied).

Using admin and domain admin accounts gives the same result. It looks like a permissions issue, but I don't know where to set it.



I tried writing the command to a .ps1 file (containing only one line: Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0") and pointing to it to run, and I also tried using the dism command directly; both report the same error. You can see that the command does start, it's just interrupted.



I then tried copying the .ps1 to the remote machine. It ran normally when I opened it in a PowerShell window on the remote machine, but it reported the same error when I ran it through Invoke-Command.


The command I entered:
Invoke-Command -Session $s -ScriptBlock {Get-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
Invoke-Command -Session $s -ScriptBlock {Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
Invoke-Command -Session $s -ScriptBlock {DISM /online /add-Capability /CapabilityName:SNMP.Client~~~~0.0.1.0}
Invoke-Command -Session $s -FilePath C:\Users\Vincent\Desktop\无标题1.ps1
Invoke-Command -Session $s -ScriptBlock {C:\Users\Administrator\Desktop\无标题1.ps1}

The errors found in the DISM log file are as follows, but their specific meaning and how to solve them are not clear.

2022-03-19 21:26:30, Warning DISM DISM Provider Store: PID=4912 TID=4944 Failed to load the provider: DISM DISM Package Manager: PID=3436 TID=10268 Error in operation: (null) (CBS HRESULT=0x80070005) - CCbsConUIHandler::Error

2022-03-19 21:26:34, Error DISM DISM Package Manager: PID=3436 TID=432 Failed finalizing changes. - CDISMPackageManager::Internal_Finalize(hr:0x80070005)

2022-03-19 21:26:34, Error DISM DISM Package Manager: PID=3436 TID=432 Failed processing package changes with session options - CDISMPackageManager::ProcessChangesWithOptions(hr:0x80070005)

2022-03-19 21:26:34, Error DISM API: PID=4912 TID=4944 Failed to install capability. - CAddCapabilityCommandObject::InternalExecute(hr:0x80070005)

2022-03-19 21:26:34, Error DISM API: PID=4912 TID=4944 InternalExecute failed - CBaseCommandObject::Execute(hr:0x80070005)

2022-03-19 21:26:34, Error DISM API: PID=4912 TID=11148 CAddCapabilityCommandObject internal execution failed - DismAddCapabilityInternal(hr:0x80070005)


Does Invoke-Command not support adding functions? How does Windows remote management add functions to remote computers?


windows-server-powershell
MotoX80 answered Vin-8219 commented

From what I have found... The issue appears to be with WindowsUpdate. The SNMP.Client is a "feature on demand", that is not preloaded in the OS.

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11

Windows needs to use WindowsUpdate to download the install files. I found this in a log file when I tested.


CBS FC: Calling Download on WUClient Acquirer
CBS FC: FCAcquirerWUClient: Calling WindowsUpdateDownloadFromUUP
CBS FC: FCAcquirerWUClient: WULib Mode Complete: [0]
CBS Failed to set scan current product version only [HRESULT = 0x80070005 - E_ACCESSDENIED]
CBS DWLD:Failed to do Windows update search [HRESULT = 0x80070005 - E_ACCESSDENIED]
CBS FC: FCAcquirerWUClient: WindowsUpdateDownloadFromUUP returns. [0x80070005]
CBS FC: CFCAcquirerWUClient::Download(134): Result = 0x80070005
CBS FC: CFCAcquirerWrapper::Execute(160): Result = 0x80070005
CBS Exec: Failed to download FOD from WU, retry once. [HRESULT = 0x80070005 - E_ACCESSDENIED]
CBS FC: Calling Download on WUClient Acquirer
CBS FC: FCAcquirerWUClient: Calling WindowsUpdateDownloadFromUUP

I couldn't find any way to grant access.

More info...

https://stackoverflow.com/questions/46476147/access-denied-while-running-windows-update-using-powershells-invoke-command

https://stackoverflow.com/questions/7078958/powershell-remote-microsoft-update-session-access-denied-0x80070005


Those sites suggest using a scheduled task or PSExec to do the install.

An alternative is to use the Volume Licensing ISO to pull off the cab files. This site offers a way to do that if you don't have the ISO.

https://www.nico-maas.de/?p=2287


I've solved this problem with scheduled tasks, but not until I saw this post:
enable-powershell-second-hop-functionality-with-credssp


RichMatheisen-8856 answered Vin-8219 published

The error code 0x80070005 says you don't have permission (i.e. Access Denied).

The DISM log file is here if you want to see if there's anything more: C:\Windows\Logs\DISM\dism.log


Can't reply here, please see the answer I posted, which is actually a reply to you


That's funny! You DID reply! I have NO IDEA as to where you posted your answer!


May I ask where to set permissions? Delete and install permissions should be the same, and I am already using an administrator account. Why does using "Remove-WindowsCapability" work fine, but using "Add-WindowsCapability" doesn't have permission?
Can you tell me how to carry out the installation to add a Windows capability?

PS C:\Windows\system32> $s = New-PSSession -ComputerName DESKTOP-O8UJ8CS -Credential DESKTOP-O8UJ8CS\administrator
PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {Remove-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}


 PSComputerName   : DESKTOP-O8UJ8CS
 RunspaceId       : d942963d-973d-4c2b-80cb-57c9e67fb1f9
 Path             :
 Online           : True
 WinPath          :
 SysDrivePath     :
 RestartNeeded    : True
 LogPath          : C:\Windows\Logs\DISM\dism.log
 ScratchDirectory :
 LogLevel         : WarningsInfo
    
    
    
 PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}

拒绝访问。
+ CategoryInfo : NotSpecified: (:) [Add-WindowsCapability], COMException
+ FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand
+ PSComputerName : DESKTOP-O8UJ8CS

DISM log: 184886-dismby-add-windowscapability.log, 184943-dismby-remoe-windowscapability.log




RichMatheisen-8856 answered Vin-8219 commented

You aren't the only one that's encountered this problem:
add-windowscapability-and-ubuntu2004exethe-wsl-ins.html

Is there any chance that you're running into the "second-hop" problem? I see you're running using a CIM session but I can't tell if you're using a different credential.

I proposed using a scheduled task in an earlier answer to another problem (seemingly the same as yours) that seems to solve the problem, or at least provide a way to accomplish the task: Create the scheduled task to run on-demand and then run it. You can remove the task after completing the addition of the Windows capability.
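
The scheduled-task workaround described in this answer, written out as an added example (it is not code posted by anyone in the thread). It assumes the task runs as SYSTEM on the remote machine; the task name is hypothetical, and the computer and capability names are the ones from the question.

```powershell
# Added example: run Add-WindowsCapability from an on-demand scheduled task on
# the remote machine, so the install runs in a local SYSTEM context instead of
# inside the WinRM network-logon session that gets E_ACCESSDENIED.
$computer   = 'DESKTOP-O8UJ8CS'               # remote host named in the thread
$capability = 'SNMP.Client~~~~0.0.1.0'        # capability named in the thread
$taskName   = 'Install-Capability-OnDemand'   # hypothetical task name

$s = New-PSSession -ComputerName $computer -Credential (Get-Credential)
try {
    Invoke-Command -Session $s -ArgumentList $capability, $taskName -ScriptBlock {
        param($Capability, $TaskName)

        # Command line the task runs; '' is an escaped quote inside the literal.
        $arg = '-NoProfile -NonInteractive -Command "Add-WindowsCapability -Online -Name ''{0}''"' -f $Capability
        $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arg
        # Assumption: SYSTEM is an acceptable identity for this install.
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

        # No trigger: the task exists only to be started on demand.
        Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
        try {
            Start-ScheduledTask -TaskName $TaskName
            $deadline = (Get-Date).AddMinutes(30)
            do {
                Start-Sleep -Seconds 5
                $state = (Get-ScheduledTask -TaskName $TaskName).State
            } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

            # Report the task outcome and confirm the capability state directly.
            [pscustomobject]@{
                TaskState       = $state
                LastTaskResult  = (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
                CapabilityState = (Get-WindowsCapability -Online -Name $Capability).State
            }
        }
        finally {
            # Remove the task so no SYSTEM-level task is left behind on the host.
            Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
        }
    }
}
finally {
    Remove-PSSession $s
}
```

A CapabilityState of Installed confirms the result independently of the task's exit code; if it is not, C:\Windows\Logs\DISM\dism.log on the remote machine shows whether 0x80070005 still occurs.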



Thanks, it does look like the same problem.

I have used local admin credentials and domain admin credentials, both have the same result.

I've thought about using a scheduled task before, but I'm not sure if it will work and I don't think it's a good solution. But now it looks like this is the only way.


I suspect that the problem has to do with the need to run Add-WindowsCapability with elevated permission, not just using a local administrator. Because you're running the script remotely there's no way to reply to the UAC prompt.

MotoX80 (in reply to RichMatheisen-8856):

I believe that UAC does not apply in an Invoke-Command because there is no way to reply to the prompt.

This should report on elevation.

 function Test-IsAdmin {
     ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
 }
    
 if (Test-IsAdmin) {
     ""
     "You are running with Administrator access."
     ""
 } else {
     ""
     "You do not have admin access."
     ""
 }

Try psexec. You can run a process as SYSTEM.

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Vin-8219 (in reply to RichMatheisen-8856):

It shouldn't be this problem, I have disabled UAC by modifying the registry, which can be found in the "about_Remote_Troubleshooting" document.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-7.2#how-to-enable-remoting-for-administrators-in-other-domains

Running the "Get-WindowsCapability" command before modifying the registry prompts for permission. After modifying the registry, only the "Add-WindowsCapability" command reports an error.

RichMatheisen-8856 answered MotoX80 commented

Have you tried adding the "-Online" switch to the Add-WindowsCapability cmdlet? Without that switch the cmdlet will try using Windows Update client to download the package (or a GPO-supplied location).


Sorry, I don't quite understand what you mean.
I always use the "-online" parameter on the command line, do you mean to remove the "-online" parameter?


I think that he means the -LimitAccess switch. I tried that and got a "The source files could not be found" error.
