Help! Powershell vs Orchestrator vs Software Updates Issue

Question

Please help if you can. I have spent the last 6 hours searching the web for an answer to my issue.

I am trying to force the install of missing software updates scriptomatically. I have been working from: https://gallery.technet.microsoft.com/Install-All-Missing-8ffbd525#content

The content in that blog is sound. And I can get the script working just fine in powershell ON the actual SCOR server that this is being run from, but when I try to execute same from within a .NET Powersell function inside Orchestrator, I get the following: Cannot convert value "\STGASSCSM002\root\CCM\ClientSDK:CCM_SoftwareUpdate.UpdateID="Site_D4ECC049-B722-455A-BC39-ADEC4C2D507D/SUM_4006f198-f0ed-47b5-accc-284bdf382724"" to type "System.Management.ManagementObject". Error: "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

My entire script in SCOR is as follows. Note that there are numerous pass-through variables being used on the databus and those will show up as hased info below:

$resultstatus = ""

$servers = "`d.T.~Ed/{9C32D0A5-8035-4CA9-9F6A-5BC10C52ECE5}.{B9113756-F8B1-4CD1-A236-1678F8C2B6D3}`d.T.~Ed/"

$username = "redacted"

$password = ConvertTo-SecureString "redacted" -asplaintext -force

$cred = new-object System.Management.Automation.PSCredential -argumentlist $username, $password

foreach ($server in $servers){

# This is a simple get of all instances of CCM_SoftwareUpdate from root\CCM\ClientSDK 

$MissingUpdates = Get-WmiObject -ComputerName $server -Class CCM_SoftwareUpdate -Filter ComplianceState=0 -Namespace root\CCM\ClientSDK -credential $cred

This is a simpple get of all instances of CCM_SoftwareUpdate from root\CCM\ClientSDK

The following is done to do 2 things: Get the missing updates (ComplianceState=0) 

and take the PowerShell object and turn it into an array of WMI objects

$MissingUpdatesReformatted = @($MissingUpdates | ForEach-Object {if($_.ComplianceState -eq 0){[WMI]$_.__PATH }})

#$server + $MissingUpdates

The following is the invoke of the CCM_SoftwareUpdatesManager.InstallUpdates with our found updates

NOTE: the command in the ArgumentList is intentional, as it flattens the Object into a System.Array for us

The WMI method requires it in this format.

$InstallReturn = Invoke-WmiMethod  -ComputerName $server -Class CCM_SoftwareUpdatesManager -Name InstallUpdates -ArgumentList (,$MissingUpdates) -Namespace root\ccm\clientsdk -credential $cred

}

It seems pretty clear to me that the code is reaching out and touching WMI on the line that starts with "MissingUpdatesReformatted" but I have added the $cred string to just about every position possible in that line of code and it fails with a different error on every one.

The account being used is basically a god account for the enterprise so it's highly unlikely that it wouldn't have the correct perms, which is also bolstered by the fact that the code works just fine when run outside a runbook (as plain powershell from the ISE).

Please post this where it needs to go if I have dropped it in the wrong place. I WILL be posting this on the blog that has the original code as well. I apologize but I need this answered ASAP and have run out of places to look. The blog is stale with no activity in several years to please forgive me for cross-posting,  but finding an answer is more important than waiting to see 'if' I get a reply on the original blog. Thanks in advance to all who reply!

Answer 1

Hi,

Your question is outside the scope of this Community..

Kindly repost in the TechNet Forums:

https://social.technet.microsoft.com/Forums/en-US/home

Or MSDN Forums:

https://social.msdn.microsoft.com/Forums/en-US/home

Cheers.