This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 76%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
About_Remote_Troubleshooting, invoke-command, WinRM and many recommended documentation pages have been queried, and I have also searched stackoverflow and found no solution.
You can use Get-WindowsCapability to query normally, use Remove-WindowsCapability to uninstall normally, but use Add-WindowsCapability to add an error (prompt to deny access).
Using admin and domain admin accounts has the same result, looks like a permissions issue, but don't know where to set it.
I tried to use the command to write the .ps1 file (only add one line: Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0") and point to it to run, or use the dism command directly to report the same error, you can Seeing that the command start does start, it's just interrupted.
I tried to copy the .ps1 to the remote machine again, and it was normal to open it in the powershell window of the remote machine, but it started to report the same error when I opened it through invoke-command.
The command I entered:
21 Invoke-Command -Session $s -ScriptBlock {Get-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
22 Invoke-Command -Session $s -ScriptBlock {Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
23 Invoke-Command -Session $s -ScriptBlock {DISM /online /add-Capability /CapabilityName:SNMP.Client~~~~0.0.1.0}
24 Invoke-Command -Session $s -FilePath C:\Users\Vincent\Desktop\无标题1.ps1
25 Invoke-Command -Session $s -ScriptBlock {C:\Users\Administrator\Desktop\无标题1.ps1}
26 Invoke-Command -Session $s -ScriptBlock {C:\Users\Administrator\Desktop\无标题1.ps1}
The errors found in the log file of dism are as follows, but the specific meaning and how to solve them are not clear.
2022-03-19 21:26:30, Warning DISM DISM Provider Store: PID=4912 TID=4944 Failed to load the provider: DISM DISM Package Manager: PID=3436 TID=10268 Error in operation: (null) (CBS HRESULT=0x80070005) - CCbsConUIHandler::Error
2022-03-19 21:26:34, Error DISM DISM Package Manager: PID=3436 TID=432 Failed finalizing changes. - CDISMPackageManager::Internal_Finalize(hr:0x80070005)
2022-03-19 21:26:34, Error DISM DISM Package Manager: PID=3436 TID=432 Failed processing package changes with session options - CDISMPackageManager::ProcessChangesWithOptions(hr:0x80070005)
2022-03-19 21:26:34, Error DISM API: PID=4912 TID=4944 Failed to install capability. - CAddCapabilityCommandObject::InternalExecute(hr:0x80070005)
2022-03-19 21:26:34, Error DISM API: PID=4912 TID=4944 InternalExecute failed - CBaseCommandObject::Execute(hr:0x80070005)
2022-03-19 21:26:34, Error DISM API: PID=4912 TID=11148 CAddCapabilityCommandObject internal execution failed - DismAddCapabilityInternal(hr:0x80070005)
Whether invoke-command does not support adding functions, how does Windows remote management add functions to remote computers?
From what I have found... The issue appears to be with WindowsUpdate. The SNMP.Client is a "feature on demand", that is not preloaded in the OS.
Windows needs to use WindowsUpdate to download the install files. I found this in a log file when I tested.
CBS FC: Calling Download on WUClient Acquirer
CBS FC: FCAcquirerWUClient: Calling WindowsUpdateDownloadFromUUP
CBS FC: FCAcquirerWUClient: WULib Mode Complete: [0]
CBS Failed to set scan current product version only [HRESULT = 0x80070005 - E_ACCESSDENIED]
CBS DWLD:Failed to do Windows update search [HRESULT = 0x80070005 - E_ACCESSDENIED]
CBS FC: FCAcquirerWUClient: WindowsUpdateDownloadFromUUP returns. [0x80070005]
CBS FC: CFCAcquirerWUClient::Download(134): Result = 0x80070005
CBS FC: CFCAcquirerWrapper::Execute(160): Result = 0x80070005
CBS Exec: Failed to download FOD from WU, retry once. [HRESULT = 0x80070005 - E_ACCESSDENIED]
CBS FC: Calling Download on WUClient Acquirer
CBS FC: FCAcquirerWUClient: Calling WindowsUpdateDownloadFromUUP
I couldn't find any way to grant access.
More info...
Those sites suggest using a scheduled task or PSExec to do the install.
An alternative is to use the Volume Licensing ISO to pull off the cab files. This site offers a way to do that if you don't have the ISO.
I've solved this problem with scheduled tasks, but not until I saw this post:
enable-powershell-second-hop-functionality-with-credssp
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
The error code 0x80070005 says you don't have permission (i.e. Access Denied).
The DISM log file is here if you want to see if there's anything more: C:\Windows\Logs\DISM\dism.log
Can't reply here, please see the answer I posted, which is actually a reply to you
May I ask where to set permissions, delete and install permissions should be the same, I am already using an administrator account. Why using "Remove-WindowsCapability" works fine. But using "Add-WindowsCapability" doesn't have permission.
Can you tell me how to implement the installation to add windows capability?
PS C:\Windows\system32> $s = New-PSSession -ComputerName DESKTOP-O8UJ8CS -Credential DESKTOP-O8UJ8CS\administrator
PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {Remove-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
PSComputerName : DESKTOP-O8UJ8CS
RunspaceId : d942963d-973d-4c2b-80cb-57c9e67fb1f9
Path :
Online : True
WinPath :
SysDrivePath :
RestartNeeded : True
LogPath : C:\Windows\Logs\DISM\dism.log
ScratchDirectory :
LogLevel : WarningsInfo
PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
拒绝访问。
+ CategoryInfo : NotSpecified: (:) [Add-WindowsCapability], COMException
+ FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand
+ PSComputerName : DESKTOP-O8UJ8CS
DISM log::184886-dismby-add-windowscapability.log184943-dismby-remoe-windowscapability.log
May I ask where to set permissions, delete and install permissions should be the same, I am already using an administrator account. Why using "Remove-WindowsCapability" works fine. But using "Add-WindowsCapability" doesn't have permission.
Can you tell me how to implement the installation to add windows capability?
PS C:\Windows\system32> $s = New-PSSession -ComputerName DESKTOP-O8UJ8CS -Credential DESKTOP-O8UJ8CS\administrator
PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {Remove-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
PSComputerName : DESKTOP-O8UJ8CS
RunspaceId : d942963d-973d-4c2b-80cb-57c9e67fb1f9
Path :
Online : True
WinPath :
SysDrivePath :
RestartNeeded : True
LogPath : C:\Windows\Logs\DISM\dism.log
ScratchDirectory :
LogLevel : WarningsInfo
PS C:\Windows\system32> Invoke-Command -Session $s -ScriptBlock {Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
拒绝访问。
+ CategoryInfo : NotSpecified: (:) [Add-WindowsCapability], COMException
+ FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand
+ PSComputerName : DESKTOP-O8UJ8CS
DISM log::184886-dismby-add-windowscapability.log184943-dismby-remoe-windowscapability.log
That's funny! You DID reply! I have NO IDEA as to where you posted your answer!
You aren't the only one that's encountered this problem:
add-windowscapability-and-ubuntu2004exethe-wsl-ins.html
21
Is there any chance that you're running into the "second-hop" problem? I see you're running using a CIM session but I can't tell if you're using a different credential.
I proposed using a scheduled task in an earlier answer to another problem (seemingly the same as yours) that seems to solve the problem, or at least provide a way to accomplish the task: Create the scheduled task to run on-demand and then run it. You can remove the task after completing the addition of the Windows capability.
Thanks, it does look like the same problem.
I have used local admin credentials and domain admin credentials, both have the same result.
I've thought about using a scheduled task before, but I'm not sure if it will work and I don't think it's a good solution. But now it looks like this is the only way.
I suspect that the problem has to do with the need to run Add-WindowsCapability with elevated permission, not just using a local administrator. Because you're running the script remotely there's no way to reply to the UAC prompt.
I believe that UAC does not apply in an Invoke-Command because there is no way to reply to the prompt.
This should report on elevation.
function Test-IsAdmin {
([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}
if (Test-IsAdmin) {
""
"You are running with Administrator access."
""
} else {
""
"You do not have admin access."
""
}
Try psexec. You can run a process as SYSTEM.
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
It shouldn't be this problem, I have disabled UAC by modifying the registry, which can be found in the "about_Remote_Troubleshooting" document.
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-7.2#how-to-enable-remoting-for-administrators-in-other-domains
Running the "Get-WindowsCapability" command before modifying the registry prompts for permission. After modifying the registry, only the "Add-WindowsCapability" command reports an error.
It does run as administrator on the remote machine.
PS C:\Users\zhengzb> C:\Users\zhengzb\Desktop\test.ps1
You do not have admin access.
PS C:\Users\zhengzb> Invoke-Command -ComputerName WIN10-RDP-10153 -FilePath C:\Users\zhengzb\Desktop\test.ps1
You are running with Administrator access.
If you RDP to the machine, can you install it from there? (Locally)
Can you install a different package, like maybe OpenSSH.Client~~~~0.0.1.0
Connecting to the remote machine via RDP can be successfully installed, but it is not what I want, because I have a lot of machines that need to be set up.
Installing other packages through invoke-command also reported the same error
Have you tried adding the "-Online" switch to the Add-WindowsCapability cmdlet? Without that switch the cmdlet will try using Windows Update client to download the package (or a GPO-supplied location).
Sorry, I don't quite understand what you mean.
I always use the "-online" parameter on the command line, do you mean to remove the "-online" parameter?
I think that he means the -LimitAccess switch. I tried that and got a "The source files could not be found" error.