DISM / SQL2012 unable to access Windows Update when ran by chef-client


Hello All,

Here is my Question go through it and give me a solution!

My question is this: is there a permissions issue of some kind when running chef through WinRM that doesnt allow programs to go out to the internet?

I’m trying to use Chef 11.4.4 on Server 2012 Std to deploy SQL 2012 Std. I’ve run into two problems and I believe they’re related:

windows_feature “NetFx3” do
action :install
This fails as DISM is supposed to go to microsoft update and download the .Net 3.5.1 files. It works fine if I run DISM /online /enable-feature /featurename:NetFx3 /norestart manually through RDP - which is basically what the windows_feature runs.

If I run DISM /online /enable-feature /featurename:NetFx3 /norestart /LimitAccess /Source:d:\sources\sxs through a recipe (with the DVD in), it works. Effectively, this bypasses the need to go online to download the files.

The second problem is SQL Server 2012 setup tries to go online looking for updates during install. If I add the /UpdateEnabled=false switch to the install command, it proceeds. I’m using

windows_package “Microsoft Dynamic Server 2012 (64-bit)” do
source “\\\admin\Installs\SQL\SQL2012Std\setup.exe”
timeout 3600 # 60min to just install sql will be fine. Default of 10min can be a bit short
action :install
installer_type :custom
options “/ConfigurationFile=”#{node[‘mssql’][‘installIni’]}" /SAPWD="#{node[‘mssql’][‘sapw’]}""
In the installIni file, I have a setting of UpdateSource=MU.

I’m running chef via knife winrm ‘chef-client -c c:/chef/client.rb’ -m -x nfox if that makes a difference. I do not have this problem when I run chef-client from an administrator:cmd window.

Help me out!



It sounds to me that you are encountering the double-hop issue whereby you are trying to pass your credentials from a remote session (WinRM) to a remote resource (proxy server?), which is not allowed by default. I presume the issue is that there is a proxy between you and the internet that needs to be authenticated to and it’s this authentication that’s failing via double hop. This would also explain why installing with local resources works fine.

If using DSC, you could pass a credential object to the PSDscRunAsCredential property which should work if in fact this is your issue.


You cannot patch a box over winrm, you have to run patching as a local user. If you have Chef-client running as a scheduled task try executing the scheduled task remotely, since the task runs as a local user it should work.