Add-WindowsCapability and ubuntu2004.exe (the WSL installer) fail to work under WinRM

Kitch Law 96 Reputation points
2021-08-08T16:09:48.96+00:00

I'm trying to write some PowerShell scripts to automate server maintenance routines through the Attune app (https://www.servertribe.com/comunity-edition/), which utilizes the WinRM protocol.
I found out that both Add-WindowsCapability and ubuntu2004.exe can be run successfully from a local or RDP session of the target Windows machine, but running them from an Attune / Enter-PSSession remote session through WinRM failed with the following errors:

Add-WindowsCapability with "Access is denied."

ubuntu2004.exe with "Program 'ubuntu2004.exe' failed to run: A specified logon session does not exist. It may already have been terminated."

Our team has had discussions about these issues here, but with no results. They pose an obstacle to implementing a fully unattended solution. Can anyone please help us? Thanks!


Accepted answer
  1. Kitch Law 96 Reputation points
    2021-08-29T14:56:39.86+00:00

    Many thanks to RichMatheisen-8856 for the detailed analysis and suggestions. We've found a workaround with Windows Task Scheduler; Add-WindowsCapability and ubuntu2004.exe both worked this way. Here's what we did (all steps are run through WinRM / Servertribe's Attune, aka remotely unattended management):

    1. Clear "Users must enter a user name and password to use this computer" and reboot the computer, to make sure a session is logged on at the console, which is required for scheduled tasks with the "Run only when user is logged on" option set (which is itself required to run Add-WindowsCapability successfully).

      # Enable automatic logon at the console for the given account
      $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
      $DefaultUsername = "{win10cred1.user}"
      $DefaultPassword = "{win10cred1.password}"
      Set-ItemProperty $RegPath "AutoAdminLogon" -Value "1" -type String
      Set-ItemProperty $RegPath "DefaultUsername" -Value "$DefaultUsername" -type String
      Set-ItemProperty $RegPath "DefaultPassword" -Value "$DefaultPassword" -type String

    2. Create a one-time scheduled task; please see the detailed script within the blueprint here. The key to the success of this task is the "Run only when user is logged on" and "Run with highest privileges" options.

      # Run the task 15 seconds after task creation
      $ts = New-TimeSpan -Seconds 15
      $Trigger = New-ScheduledTaskTrigger -Once -At ((Get-Date) + $ts)
      # Run only when user is logged on / Run with highest privileges
      $principal = New-ScheduledTaskPrincipal -UserId "{win10cred1.user}" -RunLevel Highest
      $Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"
      $setting = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
      Register-ScheduledTask -TaskName "Add-WindowsCapability OpenSSH.Server" -Trigger $Trigger -Principal $principal -Action $Action -Settings $setting -Force

    The result is that, when the scheduled time is up, a window will appear in the console session running the specified command, avoiding the errors seen when running the command directly from WinRM.

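An added example, not part of the accepted answer or of Attune: the workaround above leaves the account password in plain text under the Winlogon key and leaves automatic logon switched on, so this cleanup step waits for the one-time task to finish, then clears both and removes the task. The function name and the timeout are assumptions; the registry path, value names and task name are the ones used in the answer.

```powershell
# Added example: function name and timeout are illustrative assumptions.
function Remove-AutoLogonWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TaskName = "Add-WindowsCapability OpenSSH.Server",
        [int]$TimeoutSeconds = 900
    )
    $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $info = $null
    $pending = $false
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    # Wait while the task is running or has never run.
    # 0x41303 is the Task Scheduler status "task has not yet run".
    do {
        $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
        if (-not $task) { break }
        $info = $task | Get-ScheduledTaskInfo
        $pending = ($task.State -eq 'Running') -or ($info.LastTaskResult -eq 0x41303)
        if ($pending) { Start-Sleep -Seconds 5 }
    } while ($pending -and (Get-Date) -lt $deadline)

    # Winlogon reads these values only at logon, so clearing them does not
    # end the console session that is already signed in.
    if ($PSCmdlet.ShouldProcess($RegPath, "Disable AutoAdminLogon, delete DefaultPassword")) {
        Set-ItemProperty $RegPath "AutoAdminLogon" -Value "0" -Type String
        Remove-ItemProperty $RegPath "DefaultPassword" -ErrorAction SilentlyContinue
    }

    # Remove the one-time task only when it has finished.
    if ($task -and -not $pending -and $PSCmdlet.ShouldProcess($TaskName, "Unregister task")) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    } elseif ($pending) {
        Write-Warning "Task '$TaskName' did not finish within $TimeoutSeconds seconds."
    }

    # Report what is left so the calling job can fail on residue.
    $winlogon = Get-ItemProperty $RegPath
    [pscustomobject]@{
        AutoAdminLogon      = $winlogon.AutoAdminLogon
        PasswordStillStored = $winlogon.PSObject.Properties.Name -contains 'DefaultPassword'
        TaskStillRegistered = [bool](Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)
        LastTaskResult      = if ($info) { $info.LastTaskResult } else { $null }
    }
}

Remove-AutoLogonWorkaround
```

LastTaskResult is the exit code of the powershell.exe process the task started; run the function with -WhatIf first to see what it would change.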

2 additional answers

  1. Rich Matheisen 45,906 Reputation points
    2021-08-08T18:43:07.6+00:00

    What credentials are you using in the Enter-PSSession? IIRC, using the admin credentials on the remote machine should elevate the session.


  2. Rich Matheisen 45,906 Reputation points
    2021-08-09T14:11:19.097+00:00

    For the "specified logon session does not exist. It may already have been terminated" problem, is the "ubuntu2004.exe" file in a directory that's in your PATH environment variable? If not, provide the full file path and not just the exe name.