
need workaround - Add-WindowsCapability can't run successfully from Attune through WinRM

When running Add-WindowsCapability with an uninstalled capability, the cmdlet fails with an 'Access is denied' error. After researching this issue:

  • Add-WindowsCapability works on a local PowerShell session that is run as Admin/Elevated Privileges

  • Get-WindowsCapability also needs Admin/Elevated Privileges when run on a local PowerShell session, which also works from Attune, so Attune should have the same privileges as 'a local PowerShell session that is run as Admin/Elevated Privileges'

  • @Ogie15 tried the Invoke-Command cmdlet and Start-Process, but no luck.

It seems to be some intrinsic bug/setting with WinRM, and no workaround has been found yet.

Some references:

Running Add-WindowsCapability directly in a remote PowerShell session through WinRM fails: https://www.reddit.com/r/PowerShell/comments/bjxzf2/addwindowscapability_on_a_remote_computer/

A workaround: remote 'Add-WindowsCapability' WORKS with SaltStack! https://www.reddit.com/r/saltstack/comments/bmzbz9/remote_addwindowscapability_works_with_saltstack/?utm_source=share

Some info about the LocalAccountTokenFilterPolicy registry entry, which is set when executing Enable-PSRemoting: https://www.adamcouch.co.uk/localaccounttokenfilterpolicy-accessing-the-c-with-a-local-account/
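
To compare the two environments described above (a local elevated PowerShell session versus the WinRM session Attune uses), the following added diagnostic can be run in both and the outputs compared. It is not part of the original issue or of Attune; the function name `Get-SessionPrivilegeReport` is hypothetical, and it only reads state.

```powershell
# Added example: read-only report of the token and policy state of the current session.
# Run it once in a local elevated console and once through WinRM, then diff the results.
function Get-SessionPrivilegeReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)

    # $PSSenderInfo only exists inside a PowerShell remoting (WinRM) session.
    $isRemote = [bool](Get-Variable -Name PSSenderInfo -ErrorAction SilentlyContinue)

    # LocalAccountTokenFilterPolicy: the registry entry referenced in the issue.
    # A value of 1 disables UAC remote restrictions for local administrator accounts.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyPath -Name LocalAccountTokenFilterPolicy `
                               -ErrorAction SilentlyContinue
    $policyValue = if ($null -ne $policy) { $policy.LocalAccountTokenFilterPolicy } else { 'not set' }

    [pscustomobject]@{
        User                          = $identity.Name
        IsAdministratorRole           = $principal.IsInRole(
                                            [Security.Principal.WindowsBuiltInRole]::Administrator)
        IsRemoteSession               = $isRemote
        AuthenticationType            = $identity.AuthenticationType
        ImpersonationLevel            = $identity.ImpersonationLevel
        LocalAccountTokenFilterPolicy = $policyValue
    }
}

Get-SessionPrivilegeReport | Format-List
```

If both sessions report the administrator role but differ in `IsRemoteSession`, `AuthenticationType` or `ImpersonationLevel`, the difference lies in how the remote logon token was created rather than in group membership.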