powershellwindows-update

PSWindowsUpdate gets Acces Denied on Remote Machienes while Domain Admin


I want to deploy Updates to Windows Servers in Our Domain. To achieve this i want to use the Module "PSWindowsUpdate" Here is the Official Release. I use this Module in combination with PSSessions and import it locally on all Servers outside of the default Module Path.

It should accept the updates and install them without rebooting. This Script is run using an Domain Administrator

After it Accepts the Updates it should start downloading where this happens: The Error of the Job

I started getting this error after the 2018 July Security Patch installed.

As I can't share all of the code because of Company reasons, here is the part that matters:

function invokeUpdate{
param(
    $session
)
if($Script:My.Reboot.isChecked){
    $job = Invoke-Command -Session $session -ScriptBlock {Import-Module "C:\Scripts\updateModule\$($Using:My.ModuleVersion)\PSWindowsUpdate"; get-windowsupdate -install -AcceptAll} -AsJob
}else {
    $job = Invoke-Command -Session $session -ScriptBlock {Import-Module "C:\Scripts\updateModule\$($Using:My.ModuleVersion)\PSWindowsUpdate"; get-windowsupdate -install -ignoreReboot -AcceptAll} -AsJob
    }
return $job
}

function initSession{
param(
    $serverHostname
)
$ses = New-PSSession -Computername $serverHostname
if(!(Invoke-Command -Session $ses -ScriptBlock {Test-Path "C:\Scripts\updateModule\" })){
    Copy-Item "$modpath\$($Script:My.ModuleVersion)" -Destination "C:\Scripts\updateModule\$($Script:My.ModuleVersion)" -ToSession $ses -Recurse
}
Invoke-Command -Session $ses -ScriptBlock {
    if((Get-ChildItem -Path "C:\Scripts\updateModule\").count -gt 1){
        Get-ChildItem | Where-Object Name -NotLike "$($Using:My.ModuleVersion)" | Remove-Item -Recurse -Force
    }
}
return $ses
}

$sessions =  [System.Collections.ArrayList]@()
$Script:My.ModuleVersion = "2.1.1.2"
foreach  ( $server in $Script:My.ServerActive.Items){
    $sessions.Add(  (initSession -serverHostname $server) )
}
foreach ($ses in $sessions){
   invokeUpdate -session $ses
}

$Script:My.ServerActive.Items : contains a list of server fqdns

Any Ideas or Solutions would save me, thanks!

Nik

Edit 1:

Here is the Error Message:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) + CategoryInfo : NotSpecified: (:) [Get-WindowsUpdate], UnauthorizedAccessException + FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpdate.GetWindowsUpdate + PSComputerName : fs02.azubi.netz

This will break my Sessions, but the output is $true ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")

Invoke-Command : Cannot bind parameter 'Session'. Cannot convert value "True" to type "System.Management.Automation.Runspaces.PSSession". ...


Solution

  • To Fix This Problem I had to change the way of Copying to the other System and the Actual call of get-windowsupdate.

    The Mooudle has to be in $env:PSModPath, so to fix it you have to copy into one of those folders.

    Copy-Item "$modpath\$($Script:My.ModuleVersion)\" -Destination "$psmod\PSWindowsUpdate\$($Script:My.ModuleVersion)" -ToSession $ses -Recurse -ErrorAction Stop 
    

    the Update doesnt need to run Over Invoke Command.

    Get-WindowsUpdate -AcceptAll -Install  -IgnoreReboot -ComputerName $session.ComputerName
    

    Hope this will Help if you get a similar Problem!