In the process of learning powershell for WinRM, I found that when I entered a scriptblock in the invoke-command command to add functions (Add-WindowsCapability), it kept reporting an error!

Vin 21 Reputation points
2022-03-20T05:01:25.547+00:00

About_Remote_Troubleshooting, invoke-command, WinRM and many recommended documentation pages have been queried, and I have also searched stackoverflow and found no solution.

You can use Get-WindowsCapability to query normally, use Remove-WindowsCapability to uninstall normally, but use Add-WindowsCapability to add an error (prompt to deny access).

Using admin and domain admin accounts has the same result, looks like a permissions issue, but don't know where to set it.

184873-image.png

I tried to use the command to write the .ps1 file (only add one line: Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0") and point to it to run, or use the dism command directly to report the same error, you can Seeing that the command start does start, it's just interrupted.

184881-image.png

I tried to copy the .ps1 to the remote machine again, and it was normal to open it in the powershell window of the remote machine, but it started to report the same error when I opened it through invoke-command.

184882-image.png

The command I entered:
21 Invoke-Command -Session $s -ScriptBlock {Get-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
22 Invoke-Command -Session $s -ScriptBlock {Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"}
23 Invoke-Command -Session $s -ScriptBlock {DISM /online /add-Capability /CapabilityName:SNMP.Client~~~~0.0.1.0}
24 Invoke-Command -Session $s -FilePath C:\Users\Vincent\Desktop\无标题1.ps1
25 Invoke-Command -Session $s -ScriptBlock {C:\Users\Administrator\Desktop\无标题1.ps1}
26 Invoke-Command -Session $s -ScriptBlock {C:\Users\Administrator\Desktop\无标题1.ps1}

The errors found in the log file of dism are as follows, but the specific meaning and how to solve them are not clear.

2022-03-19 21:26:30, Warning DISM DISM Provider Store: PID=4912 TID=4944 Failed to load the provider: DISM DISM Package Manager: PID=3436 TID=10268 Error in operation: (null) (CBS HRESULT=0x80070005) - CCbsConUIHandler::Error

2022-03-19 21:26:34, Error DISM DISM Package Manager: PID=3436 TID=432 Failed finalizing changes. - CDISMPackageManager::Internal_Finalize(hr:0x80070005)

2022-03-19 21:26:34, Error DISM DISM Package Manager: PID=3436 TID=432 Failed processing package changes with session options - CDISMPackageManager::ProcessChangesWithOptions(hr:0x80070005)

2022-03-19 21:26:34, Error DISM API: PID=4912 TID=4944 Failed to install capability. - CAddCapabilityCommandObject::InternalExecute(hr:0x80070005)

2022-03-19 21:26:34, Error DISM API: PID=4912 TID=4944 InternalExecute failed - CBaseCommandObject::Execute(hr:0x80070005)

2022-03-19 21:26:34, Error DISM API: PID=4912 TID=11148 CAddCapabilityCommandObject internal execution failed - DismAddCapabilityInternal(hr:0x80070005)

Whether invoke-command does not support adding functions, how does Windows remote management add functions to remote computers?

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,405 questions
0 comments No comments
{count} votes

Accepted answer
  1. MotoX80 32,246 Reputation points
    2022-03-21T20:41:20.417+00:00

    From what I have found... The issue appears to be with WindowsUpdate. The SNMP.Client is a "feature on demand", that is not preloaded in the OS.

    https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11

    Windows needs to use WindowsUpdate to download the install files. I found this in a log file when I tested.

    CBS FC: Calling Download on WUClient Acquirer
    CBS FC: FCAcquirerWUClient: Calling WindowsUpdateDownloadFromUUP
    CBS FC: FCAcquirerWUClient: WULib Mode Complete: [0]
    CBS Failed to set scan current product version only [HRESULT = 0x80070005 - E_ACCESSDENIED]
    CBS DWLD:Failed to do Windows update search [HRESULT = 0x80070005 - E_ACCESSDENIED]
    CBS FC: FCAcquirerWUClient: WindowsUpdateDownloadFromUUP returns. [0x80070005]
    CBS FC: CFCAcquirerWUClient::Download(134): Result = 0x80070005
    CBS FC: CFCAcquirerWrapper::Execute(160): Result = 0x80070005
    CBS Exec: Failed to download FOD from WU, retry once. [HRESULT = 0x80070005 - E_ACCESSDENIED]
    CBS FC: Calling Download on WUClient Acquirer
    CBS FC: FCAcquirerWUClient: Calling WindowsUpdateDownloadFromUUP

    I couldn't find any way to grant access.

    More info...

    https://stackoverflow.com/questions/46476147/access-denied-while-running-windows-update-using-powershells-invoke-command

    https://stackoverflow.com/questions/7078958/powershell-remote-microsoft-update-session-access-denied-0x80070005

    Those sites suggest using a scheduled task or PSExec to do the install.

    An alternative is to use the Volume Licensing ISO to pull off the cab files. This site offers a way to do that if you don't have the ISO.

    https://www.nico-maas.de/?p=2287


3 additional answers

Sort by: Most helpful
  1. Rich Matheisen 45,111 Reputation points
    2022-03-20T15:15:03.137+00:00

    The error code 0x80070005 says you don't have permission (i.e. Access Denied).

    The DISM log file is here if you want to see if there's anything more: C:\Windows\Logs\DISM\dism.log


  2. Rich Matheisen 45,111 Reputation points
    2022-03-20T18:47:30.563+00:00

    You aren't the only one that's encountered this problem:
    add-windowscapability-and-ubuntu2004exethe-wsl-ins.html
    21

    Is there any chance that you're running into the "second-hop" problem? I see you're running using a CIM session but I can't tell if you're using a different credential.

    I proposed using a scheduled task in an earlier answer to another problem (seemingly the same as yours) that seems to solve the problem, or at least provide a way to accomplish the task: Create the scheduled task to run on-demand and then run it. You can remove the task after completing the addition of the Windows capability.


  3. Rich Matheisen 45,111 Reputation points
    2022-03-21T14:31:08.177+00:00

    Have you tried adding the "-Online" switch to the Add-WindowsCapability cmdlet? Without that switch the cmdlet will try using Windows Update client to download the package (or a GPO-supplied location).