[wpkg-users] Trouble enabling PowerShell Remoting from WPKG

Paul Griffith paulg at cse.yorku.ca
Tue May 27 14:33:36 CEST 2014


Hi Keith,

Issue finally resolved,  updating to Windows Management Framework 4.0 
solved my problem, according to the documentation I have seen, Windows 
Management Framework 3.0 should also solve the problem. It was the 
"-SkipNetworkProfileCheck" that really solved the problem, this option 
was added in WMF 3.0

Thank you for all your help!

To the list, sorry for all the top posting.

---- enable PS-Remoting -----
<?xml version="1.0" encoding="UTF-8"?>

<packages:packages
         xmlns:packages="http://www.wpkg.org/packages" 
xmlns:wpkg="http://www.wpkg.org/wpkg" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.wpkg.org/packages 
../../xsd/packages.xsd" >
     <package id="ps-remoting"
             name="Enable Powershell Remoting"
             revision="%PKG_VERSION%rc1"
             reboot="false"
             priority="10">

         <variable name="PKG_VERSION"     value="1" />
         <variable name="PKG_NAME"        value="ps-remoting" />
         <variable name="PKG_SOURCE" value="%SOFTWARE%\"/>
         <variable name="PKG_DESTINATION" value="%ProgramFiles%\"      
architecture="x86"/>
         <variable name="PKG_DESTINATION" value="%ProgramFiles(x86)%\" 
architecture="x64"/>

         <include package-id="ps-remoting-firewall"/>

         <check type="execute" path='powershell -NonInteractive -Command 
"if (Invoke-Command localhost {1}) {exit 0} else {exit 1}"' 
condition="exitcodeequalto" value="0"/>
         <install cmd='"%comspec%" /c powershell -ExecutionPolicy 
Unrestricted -NonInteractive -Command "Enable-PSRemoting 
-SkipNetworkProfileCheck -Force"'/>
         <install cmd='"%comspec%" /c powershell -ExecutionPolicy 
Unrestricted -NonInteractive -Command "Set-Item 
WSMan:\localhost\Client\TrustedHosts -Value * -Force"'/>

         <upgrade include="install" />
         <remove cmd='%comspec% /c "powershell -NonInteractive -Command 
Disable-PSRemoting -Force"'/>

     </package>
</packages:packages>


------ install Windows Management Framework 4.0 -----
<?xml version="1.0" encoding="UTF-8"?>

<packages:packages
         xmlns:packages="http://www.wpkg.org/packages" 
xmlns:wpkg="http://www.wpkg.org/wpkg" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.wpkg.org/packages 
../../xsd/packages.xsd" >

     <package id="wmf4"
             name="Windows Management Framework 4.0"
             revision="%PKG_VERSION%rc1"
             priority="20000">

         <variable name="PKG_VERSION"        value="6.3.9600" />
         <variable name="PKG_NAME"           value="wmf4" />
         <variable name="PKG_SOURCE" 
value="%SOFTWARE%\wmf\Windows6.1-KB2819745-x64-MultiPkg.msu"/>
         <variable name="PKG_DESTINATION" value="%ProgramFiles%\"      
architecture="x86"/>
         <variable name="PKG_DESTINATION" value="%ProgramFiles(x86)%\" 
architecture="x64"/>
         <variable name="PKG_INSTALL_SWITCH" value="/quiet /norestart"/>
         <variable name="PKG_REMOVE_SWITCH"  value=""/>

         <check type="file" condition="versiongreaterorequal" 
path="%WinDir%\system32\WindowsPowerShell\v1.0\powershell.exe" 
value="%PKG_VERSION%" />
         <install cmd='wusa "%PKG_SOURCE%" %PKG_INSTALL_SWITCH%' >
                         <exit code="0"  />
                         <exit code="3010" reboot="delayed" />
         </install>

         <upgrade include="install" />
         </package>
</packages:packages>


On 14-05-26 12:11 AM, Paul Griffith wrote:
>
> Hi Keith,
>
>
> I will upgrade to PowerShell 4.0 and try again. I will post my results.
>
> =====
>   -SkipNetworkProfileCheck
>
>
> Enables remoting on client versions of Windows when the computer is on 
> a public network. This parameter enables a firewall rule for public 
> networks that allows remote access only from computers in the same 
> local subnet.
>
> This parameter has no effect on server versions of Windows, which, by 
> default, have a local subnet firewall rule for public networks. If the 
> local subnet firewall rule is disabled on a server version of Windows, 
> Enable-PSRemoting re-enables it, regardless of the value of this 
> parameter.
>
> To remove the local subnet restriction and enable remote access from 
> all locations on public networks, use the Set-NetFirewallRule cmdlet 
> in the NetSecurity module. For more information, see Notes and Examples.
>
> This parameter is introduced in Windows PowerShell 3.0.
> =====
>
> http://technet.microsoft.com/en-us/library/hh849694(v=wps.620).aspx
>
>
>
> Thank You,
> Paul
>
> Quoting Keith Jones <K.E.Jones at brighton.ac.uk>:
>
>> Hi,
>>
>>   Well researched! Osama does appear to entirely correct. I've been 
>> trying to emulate SYSTEM running the commands using psexec and every 
>> time it gets access denied making the modifications. I've tried 
>> giving it interactive flags and forcing it to use the elevated token 
>> but it just fails. I guess powershell's settings don't actually have 
>> any ACL's allowing SYSTEM access. The security philosophy is probably 
>> right but I'd put it up there right alongside UAC on the annoyance 
>> scales :-(
>>
>>   As I'm currently using a "public" wifi connection, I've run into 
>> the effects of the Enable-PS-Remoting failing on that front too 
>> tonight. Apparently powershell 3.0+ have a version of 
>> Enable-PS-Remoting that is a bit more relaxed and doesn't complain. 
>> I'm just about to upgrade and try it :-)
>>
>> Keith
>>
>> -----Original Message-----
>> From: Paul Griffith [mailto:paulg at cse.yorku.ca]
>> Sent: 24 May 2014 01:25
>> To: Keith Jones
>> Cc: wpkg-users at lists.wpkg.org
>> Subject: Re: [wpkg-users] Trouble enabling PowerShell Remoting from WPKG
>>
>>
>> I found something, but I will have to look into on Monday. It looks 
>> like I may have to add "SYSTEM" to Administrator group and look into 
>> my network connection settings.
>>
>>
>> http://blogs.msdn.com/b/powershell/archive/2009/04/30/enable-psremoting.aspx 
>>
>>
>> -----snip----
>> Problem was that my domain a/c was not an administrator on the box.
>> Even if I launch PowerShell elevated (and give local administrator
>> creds) it was not working. I tried logging in as local admin but 
>> Enable-PS Remoting still failed.
>>
>> Solution: I had to add my domain a/c to administrators group and 
>> Enable-PsSession worked after that.
>>
>>   If you are not an administrator, Enable-PsSession will fail even if 
>> you launch elevated. This is true for some other remoting 
>> configuration cmdlets as well e.g.
>>
>>   Set-PSSessionConfiguration Microsoft.Powershell 
>> -ShowSecurityDescriptorUI
>>
>> Another important thing to know is ? ?You must run PowerShell 
>> elevated if you?re connecting to the same box (localhost)?.
>>
>> Osama Sajid
>> --snip----
>>
>> and this:
>>
>> http://powershell.com/cs/forums/t/8167.aspx
>>
>> -----snip----
>> In the future use Enable-PSRemoting cmdlet to enable remoting. You 
>> will get "better" error message than "Access denied" if one of the 
>> network connection types on the machine is set to Public:
>>
>>
>> WinRM firewall exception will not work since one of the network 
>> connection types on this machine is set to Public. Change the network 
>> connection type to either Domain or Private and try again
>> ---snip------
>>
>> I have to make sure that the network connection type is set correctly.
>> Quoting Keith Jones <K.E.Jones at brighton.ac.uk>:
>>
>>
>>
>>> Okay.
>>>
>>>  I can't see much wrong there either :-(
>>>
>>>  It's now almost 1:00am here so I'd best run away but I'll work on
>>> this tomorrow morning.
>>>
>>> Keith
>>>
>>>
>>> -----Original Message-----
>>> From: wpkg-users-bounces at lists.wpkg.org
>>> [mailto:wpkg-users-bounces at lists.wpkg.org] On Behalf Of Keith Jones
>>> Sent: 23 May 2014 23:24
>>> To: Paul Griffith
>>> Cc: wpkg-users at lists.wpkg.org
>>> Subject: Re: [wpkg-users] Trouble enabling PowerShell Remoting from
>>> WPKG
>>>
>>> Cool.
>>>
>>>  Everything you've done so far looks right to me too. I'm just going
>>> to have a quick look at the powershell code. Brb
>>>
>>> Keith
>>>
>>> -----Original Message-----
>>> From: Paul Griffith [mailto:paulg at cse.yorku.ca]
>>> Sent: 23 May 2014 22:59
>>> To: Keith Jones
>>> Cc: wpkg-users at lists.wpkg.org
>>> Subject: Re: [wpkg-users] Trouble enabling PowerShell Remoting from
>>> WPKG
>>>
>>> Hi Keith,
>>>
>>>     WPKG runs under the SYSTEM account, from the WPKG service.
>>>
>>> Paul
>>>
>>> Quoting Keith Jones <K.E.Jones at brighton.ac.uk>:
>>>
>>>> Hi Paul.
>>>>
>>>>  WPKG only has the privs that the account it runs from/under has.
>>>> How/when are you running it?
>>>>
>>>> Keith
>>>>
>>>> -----Original Message-----
>>>> From: wpkg-users-bounces at lists.wpkg.org
>>>> [mailto:wpkg-users-bounces at lists.wpkg.org] On Behalf Of Paul Griffith
>>>> Sent: 23 May 2014 19:54
>>>> To: wpkg-users at lists.wpkg.org
>>>> Subject: [wpkg-users] Trouble enabling PowerShell Remoting from WPKG
>>>>
>>>> Greetings,
>>>>
>>>>     I have been running into a brick wall trying to turn on
>>>> PowerShell Remoting via WPKG, all attempts have failed. If I run the
>>>> wpkg package from a admin prompt, it works. When I try the same thing
>>>> from the WPKG it fails. Is there anything special I have to do to
>>>> enable PowerShell Remoting from the system account ?
>>>>
>>>>
>>>> In the Eventlog I see the error message "Connecting to the remote
>>>> server failed with the following message: Access is denied"
>>>>
>>>> Any pointers? Do need to do something with the System account ?
>>>>
>>>> Here is my package file, I adapted from Dafydd Jones.
>>>>
>>>>
>>>> ----snip----
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>
>>>> <packages:packages
>>>>          xmlns:packages="http://www.wpkg.org/packages"
>>>> xmlns:wpkg="http://www.wpkg.org/wpkg"
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>          xsi:schemaLocation="http://www.wpkg.org/packages
>>>> ../../xsd/packages.xsd" >
>>>>      <package id="ps-remoting"
>>>>              name="Enable Powershell Remoting"
>>>>              revision="%PKG_VERSION%rc1"
>>>>              reboot="false"
>>>>              priority="10">
>>>>
>>>>          <variable name="PKG_VERSION"     value="1" />
>>>>          <variable name="PKG_NAME" value="ps-remoting" />
>>>>          <variable name="PKG_SOURCE" value="%SOFTWARE%\"/>
>>>>          <variable name="PKG_DESTINATION" value="%ProgramFiles%\"
>>>> architecture="x86"/>
>>>>          <variable name="PKG_DESTINATION" value="%ProgramFiles(x86)%\"
>>>> architecture="x64"/>
>>>>
>>>>          <check type="execute" path='powershell -NonInteractive
>>>> -Command "if (Invoke-Command localhost {1}) {exit 0} else {exit 1}"'
>>>> condition="exitcodeequalto" value="0"/>
>>>>
>>>>          <install cmd='powershell -ExecutionPolicy Unrestricted
>>>> -NonInteractive -Command "Enable-PSRemoting -Force" '/>
>>>>          <install cmd='powershell -ExecutionPolicy Unrestricted
>>>> -NonInteractive -Command "Set-Item
>>>> WSMan:\localhost\Client\TrustedHosts
>>>> -Value * -Force" '/>
>>>>
>>>>
>>>>          <upgrade include="install" />
>>>>
>>>>         <remove cmd='powershell -ExecutionPolicy Unrestricted
>>>> -NonInteractive -Command "Disable-PSRemoting -Force" '/>
>>>>
>>>>      </package>
>>>> </packages:packages>
>>>> ----snip----
>>>>
>>>> Thank You
>>>> Paul



More information about the wpkg-users mailing list