Powershell command via knife winrm


#1

Hello all,

I’m running into a situation where running chef-client via knife winrm fails while running it locally on the machine passes.
After isolating the problem I figured out a specific powershell command that returns different results when running locally on the machine vs. running via knife winrm.

Goal:
I’m trying to disable the windows update feature on the client.
(Note: The first powershell command is to get the correspond object. I didn’t write the whole script here)

Here are commands & results I see:


  • Via knife winrm: (No results at all)
    C:\Users\Administrator\MyProjects\chef-repo>knife winrm 143.185.1.1 -m -x ‘user’ -P ‘password’ ’ powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -InputFormat
    None (New-Object -ComObject “Microsoft.Update.AutoUpdate”).Settings ’

C:\Users\Administrator\MyProjects\chef-repo>

  • Locally on the machine:
    c:\temp>powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -InputFormat None (New-Object -ComObject “Microsoft.Update.AutoUpdate”).Settings

NotificationLevel : 1
ReadOnly : True
Required : False
ScheduledInstallationDay : 0
ScheduledInstallationTime : 3
IncludeRecommendedUpdates : False
NonAdministratorsElevated : True
FeaturedUpdatesEnabled : False

Another version (without the .Settings in the end)

  • Via knife winrm: (You can see that Settings & ServiceEnabled are empty)
    C:\Users\Administrator\MyProjects\chef-repo>knife winrm 143.185.1.1 -m -x ‘user’ -P ‘password’ 'powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -InputFormat None (New-Object -ComObject “Microsoft.Update.AutoUpdate”) '
    143.185.1.1
    143.185.1.1 Settings ServiceEnabled Results
    143.185.1.1
    143.185.1.1 -------- -------------- -------
    143.185.1.1 System.__ComObject
    143.185.1.1
    143.185.1.1

C:\Users\Administrator\MyProjects\chef-repo>

  • Locally on the machine:
    c:\temp>powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -InputFormat None (New-Object -ComObject “Microsoft.Update.AutoUpdate”)

Settings ServiceEnabled Results


System.__ComObject True System.__ComObject

Any suggestions?

Thanks,
Raanan.


Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.


#2

Unfortunately, while you can retrieve windows update settings via the COM
API over winrm, you cannot manipulate those settings in a "non-interactive"
logon context (which is what winrm is considered). It’s a legacy security
setting since before winrm was a thing.

Workarounds include setting up a scheduled task to run the command or
directly manipulating the registry. I don’t have the keys off-hand.

A better way would be to use the wsus-client cookbook. (
https://supermarket.getchef.com/cookbooks/wsus-client)

Steve

Steven Murawski
Community Manager @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com
On Nov 27, 2014 3:47 AM, “Avargil, Raanan” raanan.avargil@intel.com wrote:

Hello all,

I’m running into a situation where running chef-client via knife winrm
fails while running it locally on the machine passes.

After isolating the problem I figured out a specific powershell command
that returns different results when running locally on the machine vs.
running via knife winrm.

Goal:

I’m trying to disable the windows update feature on the client.

(Note: The first powershell command is to get the correspond object. I
didn’t write the whole script here)

Here are commands & results I see:


  • Via knife winrm: (No results at all)

C:\Users\Administrator\MyProjects\chef-repo>knife winrm 143.185.1.1 -m -x
‘user’ -P ‘password’ ’ powershell.exe -NoLogo -NonInteractive -NoProfile
-ExecutionPolicy RemoteSigned -InputFormat

None (New-Object -ComObject “Microsoft.Update.AutoUpdate”).Settings

C:\Users\Administrator\MyProjects\chef-repo>


  • Locally on the machine:

c:\temp>powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy
RemoteSigned -InputFormat None (New-Object -ComObject
"Microsoft.Update.AutoUpdate").Settings

NotificationLevel : 1

ReadOnly : True

Required : False

ScheduledInstallationDay : 0

ScheduledInstallationTime : 3

IncludeRecommendedUpdates : False

NonAdministratorsElevated : True

FeaturedUpdatesEnabled : False


Another version (without the .Settings in the end)


  • Via knife winrm: (You can see that Settings & ServiceEnabled are
    empty)

C:\Users\Administrator\MyProjects\chef-repo>knife winrm 143.185.1.1 -m -x
’user’ -P ‘password’ ‘powershell.exe -NoLogo -NonInteractive -NoProfile
-ExecutionPolicy RemoteSigned -InputFormat None *(New-Object -ComObject
"Microsoft.Update.AutoUpdate") *’

143.185.1.1

143.185.1.1 Settings ServiceEnabled Results

143.185.1.1

143.185.1.1 -------- -------------- -------

143.185.1.1
System.__ComObject

143.185.1.1

143.185.1.1

C:\Users\Administrator\MyProjects\chef-repo>


  • Locally on the machine:

c:\temp>powershell.exe -NoLogo -NonInteractive -NoProfile -ExecutionPolicy
RemoteSigned -InputFormat None (New-Object -ComObject
"Microsoft.Update.AutoUpdate")

Settings ServiceEnabled Results


System.__ComObject True System.__ComObject


Any suggestions?

Thanks,

Raanan.


Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.