Add-WindowsCapability and ubuntu2004.exe(the WSL installer) fails to work under WinRM

Question

Add-WindowsCapability and ubuntu2004.exe(the WSL installer) fails to work under WinRM

Kitch Law 96

I'm trying to write some PowerShell scripts to automate server maintenance routines, through the Attune app(https://www.servertribe.com/comunity-edition/), which utilizes the WinRM protocol.
I found out that both Add-WindowsCapability and ubuntu2004.exe can be run successfully from a local or RDP session of the target Windows machine, but running them from Attune / EnterPSSession remote session through WinRM failed with the following errors:

Add-WindowsCapability with "Access is denied."

ubuntu2004.exe with "Program 'ubuntu2004.exe' failed to run: A specified logon session does not exist. It may already have been terminated."

Our team has discussions about these issues here, but no results. They impose an obstacle to implement a fully unattended solution, please anyone can help us, thanks!

121443-%E5%9B%BE%E7%89%87.png

121415-%E5%9B%BE%E7%89%87.png

121386-%E5%9B%BE%E7%89%87.png

Accepted answer

2 additional answers

Your answer

Answer 1

Great thanks to RichMatheisen-8856's detailed analysis and suggestions, we've found a workaround with Windows task scheduler, Add-WindowsCapability and ubuntu2004.exe all worked this way. Here's what we did(all steps are run through WinRM / Servertribe's Attune, aka remotely unattended management):

Clear "Users must enter a user name and password to use this computer" and reboot the computer, to make sure a session is logged on at the console, which is required for scheduled tasks with "Run only when user is logged on" option set(which is itself required to run Add-WindowsCapability successfully) $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$DefaultUsername = "{win10cred1.user}"
$DefaultPassword = "{win10cred1.password}"
Set-ItemProperty $RegPath "AutoAdminLogon" -Value "1" -type String
Set-ItemProperty $RegPath "DefaultUsername" -Value "$DefaultUsername" -type String
Set-ItemProperty $RegPath "DefaultPassword" -Value "$DefaultPassword" -type String
Create a onetime scheduled task, please see detailed script within the blueprint here . The key to the success of this task is "Run only when user is logged on" and "Run with highest privileges" options. # Run the task 15 seconds after task creation
$ts = New-TimeSpan -Seconds 15
$Trigger = New-ScheduledTaskTrigger -Once -At ((Get-date) + $ts) # Run only when user is logged on / Run with highest privileges
$principal = New-ScheduledTaskPrincipal -UserId "{win10cred1.user}" -RunLevel Highest
$Action= New-ScheduledTaskAction -Execute "powershell.exe" -Argument "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"
$setting = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "Add-WindowsCapability OpenSSH.Server" -Trigger $Trigger -Principal $principal -Action $Action -Settings $setting -Force

The result is that, when scheduled time's up, a window will appear in the console session running the specified command, avoid getting errors compared to run the command directly from WinRM.

Answer 2

Rich Matheisen 47,901

What credentials are you using in the Enter-PSSession? IIRC, using the admin credentials on the remote machine should elevate the session.

Kitch Law 96 Reputation points

2021-08-08T18:49:18.137+00:00

The credential I'm using is a user in the Administrators group(non AD environment).
Rich Matheisen 47,901 Reputation points

2021-08-08T19:08:18.65+00:00

Try it with the local administrator account/password. The SID for that account might work. The "-500" RID should get a lot of a whole bunch of permissions/privileges.
Kitch Law 96 Reputation points

2021-08-08T22:00:47.427+00:00

We tried local Administrator for Windows Server 2019 with the Add-WindowsCapability CmdLet, which came out to be the same "Access is denied." error.

After all, a local or RDP session can work(on Win10 using the aforementioned Administrators grouped user, and on 2019 the Administrator user), but switching to remote PowerShell session or the Attune app with the same account, the errors occurred. So I don't think the specific user SID has something to do with the problem.
Rich Matheisen 47,901 Reputation points

2021-08-09T14:30:41.44+00:00

I wonder if you're running into the "second hop" problem? You provide credentials to create the PSSession, but the Add-WindowsCapability cmdlet is trying to use a WSUS server to get the data? The credentials you use to create the PSSession cannot be used on a 3rd machine.

This (2074) suggests that changing a local policy (local because you don't run a domain-joined machine) to avoid the WSUS server might work for you.

Another way of doing this would be to create a scheduled task on the target machine that runs Add-WindowsCapability immediately, waits for, say, 15 seconds, and then removes the scheduled task. You'll need an account that works when running the task.

FWIW, you're not the only one that has this problem. There a loads of "Add-WindowsCabability access denied" results from a web search.
Kitch Law 96 Reputation points

2021-08-15T07:47:34.363+00:00

Thanks for the detailed reply.
Yes, maybe it's something "second hop" problem, and in C:\Windows\Logs\CBS\CBS.log I saw some clue about WSUS.

2021-08-15 15:02:07, Info CBS Failed to get uup features from WU, sessionData: {"ModuleID":"FOD","Features":[{"name":"OpenSSH.Server~~1.0"}]} [HRESULT = 0x80070005 - E_ACCESSDENIED]
123240-cbs.log

But "gpedit.msc (Group Policy) -> Computer Configuration -> Admin. Templates -> Windows Components -> Windows Update -> Specify intranet Microsoft update service location -> Disabled" doesn't help in my case(I surely have restarted the compter)
And the Windows 10 Pro OS is at Version 1909 Build 18363.535, which is much newer than the ones mentioned in 2074, so I don't think I need to install the KB updates(actually both KB4470788 and KB4470502 are not applicable).

I know that there were others complaining about this problem, our team already has a workaround, which downloads the OpenSSH installer and installs it manually. But it's best to know why we can't use Add-WindowsCapability with WinRM, and if we can solve the problem, the better.
Rich Matheisen 47,901 Reputation points

2021-08-15T18:53:33.127+00:00

If you run Get-WindowsCapability -name openssh* -online from the PSSession do you get a message stating the the command must be run from an elevated session? [I just picked OpenSSH* as an example, not because it's a problem]
Kitch Law 96 Reputation points

2021-08-15T21:50:26.107+00:00

Yes, running locally requires elevation. In WinRM Get-WindowsCapability can run normally, so I guess WinRM sessions get elevated rights intrinsically.
Kitch Law 96 Reputation points

2021-08-29T15:04:50.653+00:00

Hi, Rich. The problem is solved with task scheduler, I wrote an answer with that. As I'm new to this Q&A forum, I didn't know that it can only have one accepted answer, so do you mind that I accept my own answer? Or otherwise, I can put the answer here as a reply to yours, and accept this one, please tell me the usual way in this community, thanks.
Rich Matheisen 47,901 Reputation points

2021-08-29T21:14:24.013+00:00

If it solves the problem it deserves to be marked as an answer. :-)

Answer 3

Rich Matheisen 47,901

For the "specified logon session does not exist. It may already have been terminated" problem, is the "ubuntu2004.exe" file in a directory that's in your PATH environment variable? If not, provide the full file path and not just the exe name.

Kitch Law 96 Reputation points

2021-08-15T04:38:31.57+00:00

Hi, Rich. Sorry for the late reply.
I've checked that "ubuntu2004.exe" is in the PATH, both running "ubuntu2004.exe" or with the full path specified, all produced the same "specified logon session does not exist".

I also noticed that the actual executable which is in the PATH that I'm calling, the file size is 0 byte, is something named 'app execution alias'. Other similar aliases also have "A specified logon session does not exist" error from remote session(for example python3.exe).
The reparse points are under "C:\Program Files\WindowsApps\". After granting access to this folder(recursively set acl to subitems), calling python3.exe directly from here(in remote pssession), the Microsoft Store window appears in the local GUI session, just like running the app execution alias in a local pssession.
So, in conclusion, WinRM currently don't support running 'app execution alias'.

(left one is a local session)
Kitch Law 96 Reputation points

2021-08-15T04:39:15.233+00:00

But another problem arises, running ubuntu2004.exe under "C:\Program Files\WindowsApps\" remotely, doesn't appear to have any output, rather than giving an interactive shell, when running ubuntu2004.exe(either with alias or with real exe) locally will do. It's similar to the difference of running wsl.exe remotely compared to locally.
Also, the first-time invocation of "ubuntu2004.exe install --root" after installing WSL, fails remotely.

So I think that there're some issues of WSL with WinRM,
Rich Matheisen 47,901 Reputation points

2021-08-15T18:33:12.16+00:00

I think (after reading this: 513) that the problem may lie with the way Windows Store apps are packaged. The comment by "ghost" on July 13th has a lot to say and provides references to other reported problems.
Kitch Law 96 Reputation points

2021-08-15T22:16:04.467+00:00

Thanks, your referenced comment tells me a lot.
Hope problems like this can be solved by the MS development team soon, so we can do script automation more easily like in Linux.
Currently, I'd consider your suggestion of 'create a scheduled task on the target machine'.

Share via

Add-WindowsCapability and ubuntu2004.exe(the WSL installer) fails to work under WinRM

2 additional answers

Your answer