Run remote powershell as administrator

Question

Before I dive into the question, I have found several other questions that seem similar to mine, but they have not been able to solve my problem. Here are links to them:

Remotely run a script invoking "Run As Administrator"

https://stackoverflow.com/questions/10724591/how-to-remote-execute-an-elevated-remote-script-in-powershell

Now onto the question: I need to run a Windows Update script on a remote machine via Powershell. If I remote into the machine via mstsc, run Powershell as administrator and run the Windows Update script, it works fine. If I remote into the machine via mstsc, run Powershell WITHOUT choosing the run as administrator, and run the script, I will get a bunch of errors along this line: "Exception calling "Download" with "0" argument(s): "Exception from HRESULT: 0x80240044""

This only happens if I run it WITHOUT admin privileges.

The script I am running is this: http://www.ehow.com/how_8724332_use-powershell-run-windows-updates.html

Now, when I remote into the machine using Enter-PSSession and try to run the script I get errors, but they are a little bit different. They are along this line: "Exception calling "CreateUpdateDownloader" with "0" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))""

I am open to suggestions as to what could be causing this problem, but I think I have it figured out. I believe that the Powershell session needs to be run with elevated privileges. I know how to do this while remoting in via mstsc, but I have been unable to find a way to do this via Enter-PSSession. I have Googled and Googled, but have not found anything. If anyone could help shed some light on this, that would be greatly appreciated.

Answer 1

When you execute commands remotely they are run with administrative privileges because only administrators are permitted to remotely execute commands in powershell. The error, "Exception calling "CreateUpdateDownloader" with "0" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"" is not a native powershell error, it indicates that this line is failing: $UpdatesDownloader = $UpdateSession.CreateUpdateDownloader(), this line is trying to create the updatedownloader object using the $UpdateSession = New-Object -ComObject Microsoft.Update.Session object.

Without knowing WHERE the downloader tries to reach out to, I can only assume the mothership, it may indicate that credentials you have while remotely connected to a server could be the subject of a proxy. This is a common security practice, users remotely connected to machines cannot download items directly from the internet (no matter how trusted the source).

Hope this helps, Chris

Answer 2

Regarding Windows Updates on remote servers, I was able to get it working by setting up a JEA endpoint on the remote server to run as a local virtual account.

From https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/session-configurations:

Local Virtual Account

If the roles supported by this JEA endpoint are all used to manage the local machine, and a local administrator account is sufficient to run the commands succesfully, you should configure JEA to use a local virtual account. Virtual accounts are temporary accounts that are unique to a specific user and only last for the duration of their PowerShell session. On a member server or workstation, virtual accounts belong to the local computer's Administrators group, and have access to most system resources. On an Active Directory Domain Controller, virtual accounts belong to the domain's Domain Admins group.

Quickfix¹:

(1.) Create a new unrestricted (and persistent!) session configuration on ComputerB (remote server):

New-PSSessionConfigurationFile -RunAsVirtualAccount -Path .\VirtualAccount.pssc
# Note this will restart the WinRM service:
Register-PSSessionConfiguration -Name 'VirtualAccount' [-ShowSecurityDescriptorUI] -Path .\VirtualAccount.pssc -Force
# Check the Permission property:
Get-PSSessionConfiguration -Name 'VirtualAccount'
# Those users will have full unrestricted access to the system!

(2.) From ComputerA (local client) connect to our unrestricted session configuration on ComputerB:

New-PSSession -ComputerName 'ComputerB' -ConfigurationName 'VirtualAccount' | Enter-PSSession
[ComputerB]: new-object -com "Microsoft.Update.Downloader" # Yay!

¹ copied from https://stackoverflow.com/a/60046097/1322112

Answer 3

To run remote powershell commands you HAVE to run as administrator on the machine from which you launch the commands, at least in the out of the box configuration. This is a documented limitation of PowerShell remoting, though it is possible to relax the defaults if you are determined, but that will involve making changes to the PowerShell configuration.

For the remote execution are you passing in credentials using the -credentials parameter? e.g.

Enter-PSSession -Credential(Get-Credential) -ComputerName <remotehost>

Answer 4

http://msdn.microsoft.com/en-us/library/windows/desktop/aa387288(v=vs.85).aspx

It doesn't allow you to call it remotely.

That's the reason. You may can do it via Scheduled task.

Answer 5

Reliable fix for this is to make a scheduled task on target servers which will run powershell.exe with arguments like this:

-ExecutionPolicy ByPass -Command "c:\scripts\myscript.ps1" param1 param2

set the task to "run with highest privileges" and as SYSTEM if you don't require script to access network. If yes you will probably have to use some special service account. Then run the task remotely on multiple hosts like this for example

foreach($srv in $servers){
        $res=schtasks /s $srv /tn "taskname" /run 2>&1
        if($res -like "*SUCCESS*"){  
            write-host "task started" -ForegroundColor cyan
        }
}

You can create the scheduled task once, then export it as XML file and mass deploy it to many servers using command like this

schtasks /s $hostname /create /tn mytaskname /ru system /f /xml c:\temp\mytask-schtask.xml