Run remote powershell as administrator

Before I dive into the question, I have found several other questions that seem similar to mine, but they have not been able to solve my problem. Here are links to them:

Remotely run a script invoking "Run As Administrator"

https://stackoverflow.com/questions/10724591/how-to-remote-execute-an-elevated-remote-script-in-powershell

Now onto the question: I need to run a Windows Update script on a remote machine via PowerShell. If I remote into the machine via mstsc, run PowerShell as administrator and run the Windows Update script, it works fine. If I remote into the machine via mstsc, run PowerShell WITHOUT choosing "Run as administrator", and run the script, I get a bunch of errors along this line: "Exception calling "Download" with "0" argument(s): "Exception from HRESULT: 0x80240044""

This only happens if I run it WITHOUT admin privileges.

The script I am running is this: http://www.ehow.com/how_8724332_use-powershell-run-windows-updates.html

Now, when I remote into the machine using Enter-PSSession and try to run the script I get errors, but they are a little bit different. They are along this line: "Exception calling "CreateUpdateDownloader" with "0" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))""

I am open to suggestions as to what could be causing this problem, but I think I have it figured out. I believe that the PowerShell session needs to be run with elevated privileges. I know how to do this while remoting in via mstsc, but I have been unable to find a way to do this via Enter-PSSession. I have Googled and Googled, but have not found anything. If anyone could help shed some light on this, that would be greatly appreciated.


Solution 1:

When you execute commands remotely, they are run with administrative privileges, because only administrators are permitted to remotely execute commands in PowerShell. The error "Exception calling "CreateUpdateDownloader" with "0" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"" is not a native PowerShell error; it indicates that this line is failing: $UpdatesDownloader = $UpdateSession.CreateUpdateDownloader(). This line is trying to create the update downloader object using the $UpdateSession = New-Object -ComObject Microsoft.Update.Session object.

Without knowing WHERE the downloader tries to reach out to (I can only assume the mothership), it may indicate that the credentials you have while remotely connected to a server could be the subject of a proxy. This is a common security practice: users remotely connected to machines cannot download items directly from the internet (no matter how trusted the source).

Hope this helps, Chris

Solution 2:

Regarding Windows Updates on remote servers, I was able to get it working by setting up a JEA endpoint on the remote server to run as a local virtual account.

From https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/session-configurations:

Local Virtual Account

If the roles supported by this JEA endpoint are all used to manage the local machine, and a local administrator account is sufficient to run the commands successfully, you should configure JEA to use a local virtual account. Virtual accounts are temporary accounts that are unique to a specific user and only last for the duration of their PowerShell session. On a member server or workstation, virtual accounts belong to the local computer's Administrators group, and have access to most system resources. On an Active Directory Domain Controller, virtual accounts belong to the domain's Domain Admins group.

Quickfix¹:

(1.) Create a new unrestricted (and persistent!) session configuration on ComputerB (remote server):

New-PSSessionConfigurationFile -RunAsVirtualAccount -Path .\VirtualAccount.pssc
# Note this will restart the WinRM service.
# Optionally add -ShowSecurityDescriptorUI to choose which users may connect:
Register-PSSessionConfiguration -Name 'VirtualAccount' -Path .\VirtualAccount.pssc -Force
# Check the Permission property:
Get-PSSessionConfiguration -Name 'VirtualAccount'
# Those users will have full unrestricted access to the system!

(2.) From ComputerA (local client) connect to our unrestricted session configuration on ComputerB:

New-PSSession -ComputerName 'ComputerB' -ConfigurationName 'VirtualAccount' | Enter-PSSession
[ComputerB]: new-object -com "Microsoft.Update.Downloader" # Yay!

¹ copied from https://stackoverflow.com/a/60046097/1322112
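
The quickfix in Solution 2 gives every permitted user an unrestricted administrator shell. As an added example (not part of the original answers or of Microsoft's documentation), the same virtual-account endpoint can be confined to a single update function with a JEA role capability. The names UpdateJEA, WindowsUpdate, Install-PendingUpdate, CONTOSO\UpdateOperators, CONTOSO\alice and the transcript path are assumptions, and the sketch relies on Solution 2's report that the Windows Update COM calls succeed under the virtual account.

```powershell
# Added example, not from the original answers. Run elevated on ComputerB.
# Assumed names: module UpdateJEA, role WindowsUpdate, group CONTOSO\UpdateOperators.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\UpdateJEA'
New-Item -ItemType Directory -Path (Join-Path $module 'RoleCapabilities') -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $module 'UpdateJEA.psm1') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'UpdateJEA.psd1') -RootModule 'UpdateJEA.psm1'

# The one command the role exposes; its body runs as the virtual account.
$installPending = {
    $session = New-Object -ComObject Microsoft.Update.Session
    $found = $session.CreateUpdateSearcher().Search('IsInstalled=0').Updates
    if ($found.Count -eq 0) { return 'No applicable updates.' }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $found
    $null = $downloader.Download()
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $found
    $result = $installer.Install()
    "ResultCode=$($result.ResultCode) RebootRequired=$($result.RebootRequired)"
}
New-PSRoleCapabilityFile -Path (Join-Path $module 'RoleCapabilities\WindowsUpdate.psrc') `
    -VisibleFunctions 'Install-PendingUpdate' `
    -FunctionDefinitions @{ Name = 'Install-PendingUpdate'; ScriptBlock = $installPending }

# RestrictedRemoteServer: NoLanguage mode, only the role's commands plus a few defaults.
$transcripts = 'C:\ProgramData\JEA\Transcripts'   # assumed audit location
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
New-PSSessionConfigurationFile -Path .\WindowsUpdate.pssc `
    -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\UpdateOperators' = @{ RoleCapabilities = 'WindowsUpdate' } }

# Validate, then register (this restarts the WinRM service).
if (-not (Test-PSSessionConfigurationFile -Path .\WindowsUpdate.pssc)) { throw 'Invalid .pssc' }
Register-PSSessionConfiguration -Name 'WindowsUpdate' -Path .\WindowsUpdate.pssc -Force

# Confirm what a member of the group can actually run (CONTOSO\alice is hypothetical).
Get-PSSessionCapability -ConfigurationName 'WindowsUpdate' -Username 'CONTOSO\alice'
```

Members of the assumed group then connect with Enter-PSSession -ComputerName 'ComputerB' -ConfigurationName 'WindowsUpdate' and can call Install-PendingUpdate, while each session is recorded in the transcript directory.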