search

WinRb / WinRM

Ruby library for Windows Remote Management
Apache License 2.0
412 stars 117 forks source link

[2.1.2] Fails on Windows Vagrant Guest with Powershell Permissions #255

Closed lmayorga1980 closed 4 months ago

lmayorga1980 commented 7 years ago

vagrant: 1.9.2 that ships with winrm 2.1.2

I was testing the new vagrant version 1.9.2 but I am having some issue with the newer winrm gem deployed with the new vagrant.

The following code works well on vagrant 1.8.x and 1.9.x before 1.9.2 that I believe ships with winrm 1.8.1

 exec { 'ExecutionPolicy-64bit':
        command   => 'Powershell.exe Set-ExecutionPolicy RemoteSigned',
        logoutput => true,
        unless    => 'Powershell.exe Get-ExecutionPolicy | C:\Windows\System32\findstr.exe RemoteSigned'
      } 
Set-ExecutionPolicy : Windows PowerShell updated your execution policy 
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns: successfully, but the setting is overridden by a policy defined at a more 
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns: specific scope.  Due to the override, your shell will retain its current 
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns: effective execution policy of Bypass. Type "Get-ExecutionPolicy -List" to view 
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns: your execution policy settings. For more information please see "Get-Help 
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns: Set-ExecutionPolicy".
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns: At line:1 char:1
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns: + Set-ExecutionPolicy RemoteSigned
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns:     + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], Sec 
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns:    urityException
==> admin_win2012r2: Notice: /Stage[main]/Admin/Exec[ExecutionPolicy-64bit]/returns:     + Fully
mwrock commented 7 years ago

We recently started to set the execution policy to bypass for elevated powershell commands. The default policy on windows 2008R2 is Restricted which prevents users from running any scripts (local or remote). Windows 2012R2 changed that to RemoteSigned.

For automation scenarios we find bypass provides a better experience across the board by not blocking any scripts at all. That said, there is also a good argument to change this to RemoteSigned.

At any rate, you may be able to now omit this command all together. However, if you are trying to change the machine wide default policy you can set a scope to LocalMachine and wrap the command in a try to avoid the error about the local scope.

pcai commented 4 months ago

please reopen with more info if you still need help.