Run remote powershell as administrator

14

Before I dive into the question, I have found several other questions that seem similar to mine, but they have not been able to solve my problem. Here are links to them:

Remotely run a script invoking "Run As Administrator"

https://stackoverflow.com/questions/10724591/how-to-remote-execute-an-elevated-remote-script-in-powershell

Now onto the question: I need to run a Windows Update script on a remote machine via PowerShell. If I remote into the machine via mstsc, run PowerShell as administrator and run the Windows Update script, it works fine. If I remote into the machine via mstsc, run PowerShell WITHOUT choosing the run as administrator, and run the script, I will get a bunch of errors along this line: "Exception calling "Download" with "0" argument(s): "Exception from HRESULT: 0x80240044""

This only happens if I run it WITHOUT admin privileges.

The script I am running is this: http://www.ehow.com/how_8724332_use-powershell-run-windows-updates.html

Now, when I remote into the machine using Enter-PSSession and try to run the script I get errors, but they are a little bit different. They are along this line: "Exception calling "CreateUpdateDownloader" with "0" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))""

I am open to suggestions as to what could be causing this problem, but I think I have it figured out. I believe that the PowerShell session needs to be run with elevated privileges. I know how to do this while remoting in via mstsc, but I have been unable to find a way to do this via Enter-PSSession. I have Googled and Googled, but have not found anything. If anyone could help shed some light on this, that would be greatly appreciated.

powershell
remote
asked on Server Fault Jan 30, 2013 by Jon • edited May 23, 2017 by Community

4 Answers

3

When you execute commands remotely they are run with administrative privileges because only administrators are permitted to remotely execute commands in PowerShell. The error, "Exception calling "CreateUpdateDownloader" with "0" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"" is not a native PowerShell error; it indicates that this line is failing: $UpdatesDownloader = $UpdateSession.CreateUpdateDownloader(). This line is trying to create the UpdateDownloader object using the $UpdateSession = New-Object -ComObject Microsoft.Update.Session object.

Without knowing WHERE the downloader tries to reach out to (I can only assume the mothership), it may indicate that credentials you have while remotely connected to a server could be the subject of a proxy. This is a common security practice: users remotely connected to machines cannot download items directly from the internet (no matter how trusted the source).

Hope this helps, Chris

answered on Server Fault Jan 31, 2013 by Christopher Douglas
3

http://msdn.microsoft.com/en-us/library/windows/desktop/aa387288(v=vs.85).aspx

It doesn't allow you to call it remotely.

That's the reason. You may be able to do it via a scheduled task.

answered on Server Fault Oct 21, 2013 by River • edited Oct 21, 2013 by Falcon Momot
2

To run remote powershell commands you HAVE to run as administrator on the machine from which you launch the commands, at least in the out of the box configuration. This is a documented limitation of PowerShell remoting, though it is possible to relax the defaults if you are determined, but that will involve making changes to the PowerShell configuration.

For the remote execution are you passing in credentials using the -credentials parameter? e.g.

Enter-PSSession -Credential (Get-Credential) -ComputerName <remotehost>

answered on Server Fault Jan 30, 2013 by Stephen Connolly
1

Regarding Windows Updates on remote servers, I was able to get it working by setting up a JEA endpoint on the remote server to run as a local virtual account.

From https://docs.microsoft.com/en-us/powershell/jea/session-configurations:

Local Virtual Account

If the roles supported by this JEA endpoint are all used to manage the local machine, and a local administrator account is sufficient to run the commands successfully, you should configure JEA to use a local virtual account. Virtual accounts are temporary accounts that are unique to a specific user and only last for the duration of their PowerShell session. On a member server or workstation, virtual accounts belong to the local computer's Administrators group, and have access to most system resources. On an Active Directory Domain Controller, virtual accounts belong to the domain's Domain Admins group.

answered on Server Fault Jul 9, 2018 by jsmitty
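
One way to build the JEA endpoint described in the answer above, as an added example that is not the answerer's own configuration: it registers a session configuration that runs as a local virtual account and exposes a single update function. The module, role, endpoint, group and function names are assumptions, and the function body uses the same Microsoft.Update.Session COM object the question's script relies on.

```powershell
# Added example: run on the remote server from an elevated PowerShell prompt.
# Assumed names: module 'WUMaintenance', role 'WUOperator', endpoint 'WindowsUpdate',
# group 'CONTOSO\WU-Operators' (placeholder), function 'Install-PendingUpdate'.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\WUMaintenance'
$roleDir = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
# Role capability files are looked up by name inside a module's RoleCapabilities folder.
New-ModuleManifest -Path (Join-Path $module 'WUMaintenance.psd1')

# The only action exposed to callers: search, download and install pending updates.
$installUpdates = {
    $session = New-Object -ComObject Microsoft.Update.Session
    $found   = $session.CreateUpdateSearcher().Search('IsInstalled=0').Updates
    if ($found.Count -eq 0) { return 'No pending updates.' }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $found
    $null = $downloader.Download()
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $found
    $result = $installer.Install()
    "ResultCode=$($result.ResultCode) RebootRequired=$($result.RebootRequired)"
}
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'WUOperator.psrc') `
    -VisibleFunctions 'Install-PendingUpdate' `
    -FunctionDefinitions @{ Name = 'Install-PendingUpdate'; ScriptBlock = $installUpdates }

# RunAsVirtualAccount: commands run as a temporary local administrator account,
# so members of the mapped group need no administrator rights of their own.
$jeaDir = Join-Path $env:ProgramData 'JEAConfiguration'
New-Item -ItemType Directory -Path (Join-Path $jeaDir 'Transcripts') -Force | Out-Null
$pssc = Join-Path $jeaDir 'WindowsUpdate.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory (Join-Path $jeaDir 'Transcripts') `
    -RoleDefinitions @{ 'CONTOSO\WU-Operators' = @{ RoleCapabilities = 'WUOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid $pssc" }
# Registering the endpoint restarts the WinRM service.
Register-PSSessionConfiguration -Name 'WindowsUpdate' -Path $pssc -Force

# From the admin workstation (server name is a placeholder):
# Invoke-Command -ComputerName <remotehost> -ConfigurationName WindowsUpdate `
#     -ScriptBlock { Install-PendingUpdate }
```

Because the session type is RestrictedRemoteServer and only one function is visible, a connecting user can trigger updates but cannot run arbitrary commands as the virtual administrator; the transcript directory records each session for review.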

User contributions licensed under CC BY-SA 3.0