Issues with patching servers remotely using winrm and Microsoft.Update.Session

windows-server-2008 windows-update powershell windows-server-2003 winrm

I have a network with windows 2003, 2008 and 2008r2 servers. I have a powershell script that I wrote to patch a local machine using the "Microsoft.Update" com objects. (Similar to Windows Update PowerShell Remoting.) My script works wonderfully locally but I'd like to use it's functions remotely as I have a fair number of servers to manage. In that case it falls down (similarly to that other post, which wasn't solved).

I was however able to narrow the failure down to two methods on a particular class.

(New-Object -ComObject "Microsoft.Update.Session").CreateUpdateDownloader()
(New-Object -ComObject "Microsoft.Update.Session").CreateUpdateInstaller()

If you run these in a powershell locally as an admin, you'll have no issues. If you try to use invoke-command (or enter-session, or winrs) you'll get the following error. (This is testing with localhost, but any host will do. I've also tried with different authentication methods such as credssp and kerberos.);

PS C:\> Invoke-Command -ComputerName localhost -ScriptBlock { (New-Object -ComObject "microsoft.update.session").createUpdateDownloader()}
Exception calling "CreateUpdateDownloader" with "0" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005
 (E_ACCESSDENIED))"
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ComMethodTargetInvocation

I've seen this mentioned on blogs as a bug, but with no backup to that claim. Two workarounds exist and both don't make me happy.

  • Use psexec to run commands as the system user. PSExec is what I'm trying not to use as it has proven unreliable. I'd also like a pure powershell solution.
  • Create a scheduled task and tell that to run your script as the system user. (via this post) This is not only messy but then I wont have the update results. I'll have to log to a file or update a database or something.

I'm open to other ways to run updates on a host remotely as this seems to be an issue a lot of people are hitting.

I found some docs that explains the message but not the reason or workaround.

Return Value Returns S_OK if successful. Otherwise, returns a COM or Windows error code.

This method can also return the following error codes.
Return code   Description
E_INVALIDARGA parameter value is invalid. 
E_ACCESSDENIED    This method cannot be called from a remote computer.

How does it know I'm on a remote computer?


You just cannot do it mate, be cause MS doesn't allow you to do it via WUApi.

Details can be found here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa387288(v=vs.85).aspx

You can try to use Scheduled task to get this done.

Related

curl: (35) SSL connect error
How to setup an Intranet site and a FREE alternative to Sharepoint
Find (and kill) old processes
Best practices for choosing fs block size on ext3/4?
Temporary failure in name resolution
Jenkins: Trying to add a dumb slave but the option is missing, any idea how to add it?
CentOS How Much SWAP for 16GB of RAM?
Install .iso file on a remote server without DVD drive access
How to configure PHP-FPM over NGINX to write in per-virtualhost log files
Is there a way to force windows to cache a file in RAM
Add samesite to cookies using Nginx as reverse proxy
differences of SSL certificates?