Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
May 29, 2022

Run Windows Updates with Powershell Remotely

Hi,

I'm kind of new to Powershell, and trying to automate some stuff.
I found one nice Powershell module named PSWindowsUpdate to manage Windows Updates. I need to create some automated updating for my servers, which are around 50.

Everything runs fine locally, but I started to search on how to write a script to do it remotely, but from what I've read that has a lot of issues, due to permissions related to remote updating.

I create a remote session with "Enter-PSSession -ComputerName <servername>. But when I run the command "Install-WindowsUpdate -KBArticleID <kbID> -AcceptAll -Install" I get this error:

"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate"

I've been reading and understand that the problem is related to a permissions issue on powershell and remote updating.

I've read some topics about it, and in some there a solution presented, which is JEA. So I've followed this code to run on the server side:
"

New-PSSessionConfigurationFile -RunAsVirtualAccount -Path .\VirtualAccount.pssc
# Note this will restart the WinRM service:
Register-PSSessionConfiguration -Name 'VirtualAccount' [-ShowSecurityDescriptorUI] -Path .\VirtualAccount.pssc -Force
# Check the Permission property:
Get-PSSessionConfiguration -Name 'VirtualAccount'
# Those users will have full unrestricted access to the system!

But I got this error:
"Register-PSSessionConfiguration : A positional parameter cannot be found that accepts argument '[-ShowSecurityDescriptorUI]'.
At line:1 char:1
+ Register-PSSessionConfiguration -Name 'VirtualAccount' [-ShowSecurity ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Register-PSSessionConfiguration], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.RegisterPSSessionConfigurationCommand"

 

So, my question is if everyone knows why do I get this error while registering the PSSessionConfiguration and also, if someone has any different solution for the topic.

Thanks

 

  • Thanks for the tip.
    I would like to avoid WSUS, as it also has some challenges, and at the same time I would learn more on Powershell.

    Meanwhile I was already able to use a command to update remotely, now I need to deal with errors and logging, which is not so good at the moment.

    Set-Item WSMan:\localhost\Client\TrustedHosts –Value * -Force
    $Script = {Get-WindowsUpdate -KBArticleID KB4535680 -AcceptAll -Install -Verbose | Out-File C:\Temp\PSWindowsUpdate.log}
    Invoke-WUjob -ComputerName <computername> -Script $Script -Confirm:$false -RunNow
  • Install-WindowsUpdate has a parameter Computername, so you could use it like that :

    Install-WindowsUpdate -KBArticleID <kbID> -AcceptAll -Install -ComputerName server.domain.name
    • dmarquesgn's avatar
      dmarquesgn
      Iron Contributor
      Thanks for the reply. Apparently that's not possible due to some limitation described in some forums:
      "When you are in a remote PowerShell session your logon session on this remote computer is flagged as a "network" logon (Logon Type: 3). For some obscure (security? sell SCCM?) reason, part of the Windows Update Agent COM APIs are restricted to only be usable by locally logged on Administrators.
      https://docs.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-from-a-remote-computer"

      So each time I run that command, always got this error:
      "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
      + CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
      + FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate"

      That's the reason why I need some alternative.
      • Alan2022's avatar
        Alan2022
        Iron Contributor
        Hi dmarquesgn

        I think the best approach in here is using WSUS in your Company.
        So no need for PowerShell to do that.

Resources