Run Windows Updates with Powershell Remotely
Hi,
I'm kind of new to PowerShell, and trying to automate some stuff.
I found one nice PowerShell module named PSWindowsUpdate to manage Windows Updates. I need to create some automated updating for my servers, which are around 50.
Everything runs fine locally, but I started to search on how to write a script to do it remotely, but from what I've read that has a lot of issues, due to permissions related to remote updating.
I create a remote session with "Enter-PSSession -ComputerName <servername>". But when I run the command "Install-WindowsUpdate -KBArticleID <kbID> -AcceptAll -Install" I get this error:
"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate"
I've been reading and understand that the problem is related to a permissions issue in PowerShell and remote updating.
I've read some topics about it, and in some there is a solution presented, which is JEA. So I've followed this code to run on the server side:
"
New-PSSessionConfigurationFile -RunAsVirtualAccount -Path .\VirtualAccount.pssc
# Note this will restart the WinRM service:
Register-PSSessionConfiguration -Name 'VirtualAccount' [-ShowSecurityDescriptorUI] -Path .\VirtualAccount.pssc -Force
# Check the Permission property:
Get-PSSessionConfiguration -Name 'VirtualAccount'
# Those users will have full unrestricted access to the system!
"
But I got this error:
"Register-PSSessionConfiguration : A positional parameter cannot be found that accepts argument '[-ShowSecurityDescriptorUI]'.
At line:1 char:1
+ Register-PSSessionConfiguration -Name 'VirtualAccount' [-ShowSecurity ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Register-PSSessionConfiguration], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.RegisterPSSessionConfigurationCommand"
So, my question is whether anyone knows why I get this error while registering the PSSessionConfiguration, and also whether someone has a different solution for the topic.
Thanks
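Added example, not part of the original post: the bracketed `[-ShowSecurityDescriptorUI]` in the registration above is help-syntax notation for an optional switch, so when typed literally it is bound as a positional argument and rejected. The block below registers the endpoint without it and, rather than giving connecting users unrestricted access through the virtual account, exposes only `Get-WindowsUpdate`. The group `CONTOSO\PatchOperators`, the endpoint name `WUPatching` and the `C:\ProgramData\JEA` paths are assumptions, and the thread does not confirm that the Windows Update Agent accepts calls from such a session.

```powershell
# Added example, not code from the thread. Run elevated on the target server.
# Assumed names: CONTOSO\PatchOperators, endpoint 'WUPatching', C:\ProgramData\JEA.
$configDir   = 'C:\ProgramData\JEA'
$configPath  = Join-Path $configDir 'WUPatching.pssc'
$transcripts = Join-Path $configDir 'Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null

$sessionConfig = @{
    Path                = $configPath
    # RestrictedRemoteServer: NoLanguage mode and only a minimal set of default commands
    SessionType         = 'RestrictedRemoteServer'
    # Commands run as a temporary virtual account instead of the caller's network logon
    RunAsVirtualAccount = $true
    # Assumes PSWindowsUpdate is already installed on this server
    ModulesToImport     = 'PSWindowsUpdate'
    # Every session is transcribed here for later review
    TranscriptDirectory = $transcripts
    # Only members of this (assumed) group may connect, and they see one cmdlet
    RoleDefinitions     = @{
        'CONTOSO\PatchOperators' = @{ VisibleCmdlets = 'Get-WindowsUpdate' }
    }
}
New-PSSessionConfigurationFile @sessionConfig

# Validate the file before touching WinRM
if (-not (Test-PSSessionConfigurationFile -Path $configPath)) {
    throw "Session configuration file $configPath failed validation."
}

# No square brackets around any parameter. This restarts the WinRM service.
Register-PSSessionConfiguration -Name 'WUPatching' -Path $configPath -Force

# Check who is allowed to connect to the new endpoint
Get-PSSessionConfiguration -Name 'WUPatching' | Select-Object Name, Permission

# From the admin workstation (server name and KB id are placeholders):
# Invoke-Command -ComputerName <servername> -ConfigurationName 'WUPatching' -ScriptBlock {
#     Get-WindowsUpdate -KBArticleID <kbID> -AcceptAll -Install
# }
```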
- Thanks for the tip.
I would like to avoid WSUS, as it also has some challenges, and at the same time I would learn more about PowerShell.
Meanwhile I was already able to use a command to update remotely, now I need to deal with errors and logging, which is not so good at the moment.
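# Trust every remote host for outbound WinRM connections (* removes any host restriction)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
# Install the KB on the target and write the verbose output to a log file there
$Script = {Get-WindowsUpdate -KBArticleID KB4535680 -AcceptAll -Install -Verbose | Out-File C:\Temp\PSWindowsUpdate.log}
# Run the script block on the remote computer as a scheduled task, started immediately
Invoke-WUJob -ComputerName <computername> -Script $Script -Confirm:$false -RunNow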
- Install-WindowsUpdate has a parameter ComputerName, so you could use it like this:
Install-WindowsUpdate -KBArticleID <kbID> -AcceptAll -Install -ComputerName server.domain.name
- dmarquesgn, Iron Contributor
Thanks for the reply. Apparently that's not possible due to some limitation described in some forums:
"When you are in a remote PowerShell session your logon session on this remote computer is flagged as a "network" logon (Logon Type: 3). For some obscure (security? sell SCCM?) reason, part of the Windows Update Agent COM APIs are restricted to only be usable by locally logged on Administrators.
https://docs.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-from-a-remote-computer"
So each time I run that command, I always get this error:
"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate"
That's the reason why I need some alternative.
- Alan2022, Iron Contributor
Hi dmarquesgn
I think the best approach here is using WSUS in your company.
So no need for PowerShell to do that.