mgajda83
Access Denied Running over SSH
When running
Install-WindowsUpdate -MicrosoftUpdate
over SSH I get access denied even though it's an elevated shell with admin access.
Erorr is: Install-WindowsUpdate : Access is denied (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
the same thing and it became after KB5065789 (win11) here is the video - https://youtu.be/xy11NWbnqrA Before this update KB5065789 everything was working fine.
I can repro as well on Win 11 for just querying for updates. Get-WindowsUpdate -IgnoreReboot used to work when run from admin via SSH on Windows 10, but not on Windows 11. Not sure about the KB.
Try Invoke-WUJob -RunNow -Confirm:$false -Verbose -Script 'Import-Module PSWindowsUpdate; Install-WindowsUpdate -MicrosoftUpdate' to run it as a scheduled task under the ssh user. Getting logs is annoying though.
I can verify this issue on Windows Server 2025, too. While executing the cmdlet Get-WUHistory I receive the following error message:
Get-WUHistory : Zugriff verweigert (Ausnahme von HRESULT: 0x80070005
(E_ACCESSDENIED))
In Zeile:1 Zeichen:1
+ Get-WUHistory
+ ~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-WUHistory], UnauthorizedA
ccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,PSWindowsUpda
te.GetWUHistory
This happens only if I'm connected via openSSH. It seems like that some previous Windows Update is responsible for this behaviour - any ideas how to fix this?
At least in my case this won‘t help since I want to get all previous installed updates and not install new ones.
Invoke-WUJob appears to just be a convenience wrapper for schtasks. You can change the script that runs https://github.com/mgajda83/PSWindowsUpdate/blob/db46f4eae6ad9001f8f41c2434eeb7d7215d3d52/PSWindowsUpdate/PSWindowsUpdate.xml#L2064
You could probably also use schtasks directly. My understanding of what Invoke-WUJob does is:
-
schtasks /createto create a task that will run as the current user (or maybe system, I dunno) with the given script -
schtasks /runto immediately trigger it
Caller is responsible for checking the log file to understand output.
Tis a silly workaround, if Windows wants to lock it down, dunno why they leave this gaping loophole. There may be some other techniques worth trying, like psexec https://stackoverflow.com/questions/59880794/starting-gui-programs-via-openssh-on-windows.
@WestonThayer yeah, you're right. You can use something like
Invoke-WUJob -TaskName "Check WU History" -RunNow -Script "Get-WUHistory -MaxDate ((Get-Date).AddDays(-100)) | Export-CSV C:\Temp\wuhistory.csv"
export the logs into a csv file on your system and check the generated file afterwards but this is kind of a hurry and more prone to errors.
From my perspective it would be great to get an idea, why Get-WUHistory won't work anymore in the first place. Maybe this is an error and we can fix it without the workaround mentioned above.
Somebody else noticing the change to underlying APIs https://www.reddit.com/r/PowerShell/comments/1of2flt/recent_windows_11_24h2_cu_windows_update_api_no/
https://learn.microsoft.com/en-us/windows/win32/wua_sdk/using-wua-from-a-remote-computer is the closest thing I could find on docs from Microsoft. No explanation is given as to why certain APIs are unavailable to remote connections (FYI both ssh and WinRM/PS-Session start a "network login" session). That doc does suggest that update searching should be allowed from remote computers, so maybe Windows shipped a bug that they should fix 🤷🏻
The main workarounds are scheduled tasks and psexec.
This issue has been around now for the past few CUs impacting W11 and Server 2025 (Not checked 2022). This months CU (Released today) has also failed to resolve the issue.
Any API querying done remotely regardless if SSH or PSRemote fails with 0x80070005 (UnauthorizedAccessException).
This issue only occurs on W2k25, W2k22 and older seems not to be affected (yet)