Skip to content

Unable to open to PowerShell.7 session configuration without Admin #18741

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
5 tasks done
ibebbs opened this issue Dec 7, 2022 · 10 comments
Open
5 tasks done

Unable to open to PowerShell.7 session configuration without Admin #18741

ibebbs opened this issue Dec 7, 2022 · 10 comments
Labels
Needs-Triage The issue is new and needs to be triaged by a work group. WG-Remoting PSRP issues with any transport layer WG-Security security related areas such as JEA

Comments

@ibebbs
Copy link

ibebbs commented Dec 7, 2022

Prerequisites

Steps to reproduce

  1. In a fresh Windows 10 Hyper-V VM create a user and add to the Administrators group
  2. While logged into the VM as this user:
    1. Install Powershell 7.3.0 (e.g. winget install --id Microsoft.Powershell --source winget)
    2. Start an elevated Powershell 7 session and run Enable-PSRemoting to create PSSession Configurations (i.e. "PowerShell.7")
  3. From the Hyper-V host (Windows 11 in this instance) confirm you're able to execute commands using the 'PowerShell.7' configuration: Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { $PSVersionTable }
    • Expected Behavior
  4. In the VM, remove the user from the Administrators group and add them to the Remote Management Users group.
  5. From the Hyper-V, confirm you're still able to execute commands using the 'PowerShell.7' configuration: Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { $PSVersionTable }
    • Actual Behavior
  6. In the VM, add the user and/or Users group to the PowerShell.7 Session Configuration by invoking: Set-PSSessionConfiguration -Name PowerShell.7 -ShowSecurityDescriptorUI
  7. From the Hyper-V, confirm you're still able to execute commands using the 'PowerShell.7' configuration: Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { $PSVersionTable }
    • Actual Behavior

Expected behavior

PS> Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { $PSVersionTable }

Name                           Value
----                           -----
WSManStackVersion              3.0
OS                             Microsoft Windows 10.0.19044
PSVersion                      7.3.0
SerializationVersion           1.1.0.1
PSRemotingProtocolVersion
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
GitCommitId                    7.3.0
Platform                       Win32NT
PSEdition                      Core

Actual behavior

PS> Invoke-Command -VMName $vmName -Credential $creds -ConfigurationName PowerShell.7 -ScriptBlock { $PSVersionTable }
OpenError: Cannot create or open the configuration session PowerShell.7.

Error details

PS> Get-Error
Exception             :
    Type                      : System.Management.Automation.RemoteException
    SerializedRemoteException : System.Management.Automation.PSInvalidOperationException: Cannot create or open the
configuration session PowerShell.7. ---> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to
remote server localhost failed with the following error message : <f:WSManFault
xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592"
Machine="localhost"><f:Message><f:ProviderFault provider="PowerShell.7"
path="C:\Windows\system32\PowerShell\7.3.0\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information,
see the about_Remote_Troubleshooting Help topic.
                                at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
                                at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult
asyncResult)
                                at System.Management.Automation.RemoteRunspace.Open()
                                at System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String
configurationName, PSHost host)
                                --- End of inner exception stack trace ---
                                at System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String
configurationName, PSHost host)
                                at
System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreatedForTypeTable(Object sender, RunspaceCreatedEventArgs
args)
                                at System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreated(Object sender,
RunspaceCreatedEventArgs args)
                                at System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1 eventHandler,
Object sender, T eventArgs)
                                at System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1 eventHandler,
Object sender, T eventArgs)
                                at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.CreateRunspace()
                                at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.OpenHelper()
    ErrorRecord               :
        Exception             :
            Type                      : System.Management.Automation.RemoteException
            SerializedRemoteException : System.Management.Automation.PSInvalidOperationException: Cannot create or open the
configuration session PowerShell.7. ---> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to
remote server localhost failed with the following error message : <f:WSManFault
xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592"
Machine="localhost"><f:Message><f:ProviderFault provider="PowerShell.7"
path="C:\Windows\system32\PowerShell\7.3.0\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information,
see the about_Remote_Troubleshooting Help topic.
                                        at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
                                        at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
                                        at System.Management.Automation.RemoteRunspace.Open()
                                        at System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String
configurationName, PSHost host)
                                        --- End of inner exception stack trace ---
                                        at System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String
configurationName, PSHost host)
                                        at
System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreatedForTypeTable(Object sender, RunspaceCreatedEventArgs
args)
                                        at System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreated(Object
sender, RunspaceCreatedEventArgs args)
                                        at System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1
eventHandler, Object sender, T eventArgs)
                                        at System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1
eventHandler, Object sender, T eventArgs)
                                        at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.CreateRunspace()
                                        at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.OpenHelper()
            ErrorRecord               :
                Exception             :
                    Type                      : System.Management.Automation.RemoteException
                    SerializedRemoteException : System.Management.Automation.PSInvalidOperationException: Cannot create or open
the configuration session PowerShell.7. ---> System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to
remote server localhost failed with the following error message : <f:WSManFault
xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592"
Machine="localhost"><f:Message><f:ProviderFault provider="PowerShell.7"
path="C:\Windows\system32\PowerShell\7.3.0\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information,
see the about_Remote_Troubleshooting Help topic.
                                                at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
                                                at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
                                                at System.Management.Automation.RemoteRunspace.Open()
                                                at System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String
configurationName, PSHost host)
                                                --- End of inner exception stack trace ---
                                                at System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String
configurationName, PSHost host)
                                                at
System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreatedForTypeTable(Object sender, RunspaceCreatedEventArgs
args)
                                                at
System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreated(Object sender, RunspaceCreatedEventArgs args)
                                                at System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1
eventHandler, Object sender, T eventArgs)
                                                at System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1
eventHandler, Object sender, T eventArgs)
                                                at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.CreateRunspace()
                                                at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.OpenHelper()
                    ErrorRecord               :
                        Exception             :
                            Type                      : System.Management.Automation.RemoteException
                            SerializedRemoteException : System.Management.Automation.PSInvalidOperationException: Cannot create
or open the configuration session PowerShell.7. ---> System.Management.Automation.Remoting.PSRemotingTransportException:
Connecting to remote server localhost failed with the following error message : <f:WSManFault
xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592"
Machine="localhost"><f:Message><f:ProviderFault provider="PowerShell.7"
path="C:\Windows\system32\PowerShell\7.3.0\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information,
see the about_Remote_Troubleshooting Help topic.
                                                        at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
                                                        at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
                                                        at System.Management.Automation.RemoteRunspace.Open()
                                                        at
System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String configurationName, PSHost host)
                                                        --- End of inner exception stack trace ---
                                                        at
System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String configurationName, PSHost host)
                                                        at
System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreatedForTypeTable(Object sender, RunspaceCreatedEventArgs
args)
                                                        at
System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreated(Object sender, RunspaceCreatedEventArgs args)
                                                        at
System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1 eventHandler, Object sender, T eventArgs)
                                                        at
System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1 eventHandler, Object sender, T eventArgs)
                                                        at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.CreateRunspace()
                                                        at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.OpenHelper()
                            ErrorRecord               :
                                Exception             :
                                    Type                      : System.Management.Automation.RemoteException
                                    SerializedRemoteException : System.Management.Automation.PSInvalidOperationException:
Cannot create or open the configuration session PowerShell.7. --->
System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server localhost failed with the
following error message : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2689860592"
Machine="localhost"><f:Message><f:ProviderFault provider="PowerShell.7"
path="C:\Windows\system32\PowerShell\7.3.0\pwrshplugin.dll"></f:ProviderFault></f:Message></f:WSManFault> For more information,
see the about_Remote_Troubleshooting Help topic.
                                                                at
System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
                                                                at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
                                                                at System.Management.Automation.RemoteRunspace.Open()
                                                                at
System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String configurationName, PSHost host)
                                                                --- End of inner exception stack trace ---
                                                                at
System.Management.Automation.HostUtilities.CreateConfiguredRunspace(String configurationName, PSHost host)
                                                                at
System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreatedForTypeTable(Object sender, RunspaceCreatedEventArgs
args)
                                                                at
System.Management.Automation.ServerRunspacePoolDriver.HandleRunspaceCreated(Object sender, RunspaceCreatedEventArgs args)
                                                                at
System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1 eventHandler, Object sender, T eventArgs)
                                                                at
System.Management.Automation.ExtensionMethods.SafeInvoke[T](EventHandler`1 eventHandler, Object sender, T eventArgs)
                                                                at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.CreateRunspace()
                                                                at
System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.OpenHelper()
                                    ErrorRecord               : …
                                    Message                   : Cannot create or open the configuration session PowerShell.7.
                                    HResult                   : -2146233087
                                CategoryInfo          : InvalidOperation: (:) [], PSInvalidOperationException
                                FullyQualifiedErrorId : InvalidOperation
                            Message                   : Cannot create or open the configuration session PowerShell.7.
                            HResult                   : -2146233087
                        CategoryInfo          : InvalidOperation: (:) [], PSInvalidOperationException
                        FullyQualifiedErrorId : InvalidOperation
                    Message                   : Cannot create or open the configuration session PowerShell.7.
                    HResult                   : -2146233087
                CategoryInfo          : InvalidOperation: (:) [], PSInvalidOperationException
                FullyQualifiedErrorId : InvalidOperation
            Message                   : Cannot create or open the configuration session PowerShell.7.
            HResult                   : -2146233087
        CategoryInfo          : InvalidOperation: (:) [], PSInvalidOperationException
        FullyQualifiedErrorId : InvalidOperation
    Message                   : Cannot create or open the configuration session PowerShell.7.
    HResult                   : -2146233087
TargetObject          : Win10Test
CategoryInfo          : OpenError: (Win10Test:String) [], RemoteException
FullyQualifiedErrorId : PSSessionStateBroken

Environment data

PS> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.0
PSEdition                      Core
GitCommitId                    7.3.0
OS                             Microsoft Windows 10.0.22000
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

No response
@ibebbs ibebbs added the Needs-Triage The issue is new and needs to be triaged by a work group. label Dec 7, 2022
@ibebbs ibebbs changed the title Unable to open to Powershell.7 configuration without Admin Unable to open to Powershell.7 session configuration without Admin Dec 7, 2022
@ibebbs ibebbs changed the title Unable to open to Powershell.7 session configuration without Admin Unable to open to PowerShell.7 session configuration without Admin Dec 7, 2022
@ibebbs
Copy link
Author

ibebbs commented Dec 9, 2022

FWIW, I have posted a question on StackOverflow about this (and recently added a bounty).

@kilasuit kilasuit added the WG-Remoting PSRP issues with any transport layer label Dec 13, 2022
@OneScripter
Copy link
Contributor

OneScripter commented Dec 15, 2022
edited
Loading

I have a similar issue where some commands run fine but some cmdlets won't work, like Get-ADUser, which throws the following error: Could not load file or assembly 'Microsoft.Bcl.AsyncInterfaces, Version=5.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. The system cannot find the file specified. (The RSAT AD features are installed and the same cmdlet works fine in a normal console. Also the creds I'm using are in the local Administrators and Remote Management Users groups)

Running PowerShell 7.3.0 configuration. Is @SteveL-MSFT aware of this?

@ibebbs
Copy link
Author

ibebbs commented Dec 15, 2022

Turns out I needed to add write permissions to C:\Windows\system32\PowerShell\7.3.0 on the guest OS and this is actually a duplicate of this issue.

Would be great to give the "Remote Management Group" write permissions on this folder as part of Enable-PSRemoting.

@ibebbs ibebbs closed this as completed Dec 15, 2022
@ghost ghost removed the Needs-Triage The issue is new and needs to be triaged by a work group. label Dec 15, 2022
@OneScripter
Copy link
Contributor

I gave Modify permissions to the "Remote Management Users" group on that folder and still get my error. In my case the user the session is running as is also a member of the Administrators group.

@SteveL-MSFT SteveL-MSFT reopened this Dec 16, 2022
@SteveL-MSFT
Copy link
Member

Re-opening. Adding Remote Management Users group may make sense, but that group shouldn't have write permission. Need to understand exactly what the issue is. Expectation is that admins or memebers of Remote Management Users group should be able to use the PowerShell.7 session.

@SteveL-MSFT SteveL-MSFT added the Needs-Triage The issue is new and needs to be triaged by a work group. label Dec 16, 2022
@Dangerboi
Copy link

Dangerboi commented Jan 16, 2023
edited
Loading

I have a similar issue where some commands run fine but some cmdlets won't work, like Get-ADUser, which throws the following error: Could not load file or assembly 'Microsoft.Bcl.AsyncInterfaces, Version=5.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. The system cannot find the file specified. (The RSAT AD features are installed and the same cmdlet works fine in a normal console. Also the creds I'm using are in the local Administrators and Remote Management Users groups)

Running PowerShell 7.3.0 configuration. Is @SteveL-MSFT aware of this?

Did you manage to resolve this issue @OneScripter? Experiencing the same exact problem.

@OneScripter
Copy link
Contributor

I ended up downgrading everything to 7.2.8 for now. Hoping this gets fixed soon though.

@OneScripter
Copy link
Contributor

OneScripter commented Jan 19, 2023
edited
Loading

Turns out that reverting to 7.2.8 fixed the cmdlet launch issues, but I was still getting OpenError: [localhost] Connecting to remote server localhost failed with the following error message... errors when try to execute scripts with an account that was not a local Administrator. It seemed to work, but that was only when not specifying a configuration because it defaults PowerShell 5.1, which doesn't have this problem.

Adding Modify permissions per @ibebbs comment resolved it and now I can launch any PowerShell 7 version. Any idea why it would need Modify versus just Read on that folder?

All that said, I eagerly await a fix from @SteveL-MSFT and team as this is a huge issue for some of us.

@microsoft-github-policy-service microsoft-github-policy-service bot added Resolution-No Activity Issue has had no activity for 6 months or more labels Nov 15, 2023
@sim590
Copy link

sim590 commented Dec 4, 2023

In our company, we rely on the workaround suggested, i.e. to use a version <=7.2.8. But we'd like to remove that constraint soon. Can you please reopen this ticket as it is still not fixed if I understand correctly? If it is fixed, please can you comment about version number that did fix the issue. Thanks.

@microsoft-github-policy-service microsoft-github-policy-service bot removed the Resolution-No Activity Issue has had no activity for 6 months or more label Dec 4, 2023
@jhoneill
Copy link

jhoneill commented Jan 16, 2025
edited
Loading

Curious why this was tagged no action, by the bot, closed, then untagged but not reopened

As of 7.4.6 this problem remains : the config.txt needs write access, but there is no synchronization between the permissions on the configuration and the permissions on the file.

> Get-PSSessionConfiguration -Name PowerShell.7 | % Permission
NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

>  get-acl "C:\Windows\System32\PowerShell\7.4.6\RemotePowerShellConfig.txt" | % access | ft

           FileSystemRights AccessControlType IdentityReference                                         IsInherited InheritanceFlags PropagationFlags
           ---------------- ----------------- -----------------                                         ----------- ---------------- ----------------
                FullControl             Allow NT AUTHORITY\SYSTEM                                              True             None             None
                FullControl             Allow BUILTIN\Administrators                                           True             None             None
ReadAndExecute, Synchronize             Allow BUILTIN\Users                                                    True             None             None
ReadAndExecute, Synchronize             Allow APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES           True             None             None
ReadAndExecute, Synchronize             Allow APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES        True             None             None

So for the default connection everything works if I add interactive and Remote management users with full control to the file, or if logon as admin but not (for example) with -EnableNetworkAccess from a non-elevated session

@jhoneill jhoneill mentioned this issue Jan 17, 2025
Open
@theJasonHelmick theJasonHelmick added the WG-Security security related areas such as JEA label Jan 21, 2025
@Tadas Tadas mentioned this issue Apr 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Needs-Triage The issue is new and needs to be triaged by a work group. WG-Remoting PSRP issues with any transport layer WG-Security security related areas such as JEA
Projects
PowerShell Team Reviews/Investigations
Status: Issue Todo
Milestone
No milestone
Development

No branches or pull requests
8 participants
@ibebbs @sim590 @kilasuit @OneScripter @SteveL-MSFT @theJasonHelmick @jhoneill @Dangerboi