ansible-collections / ansible.windows

Windows core collection for Ansible
https://galaxy.ansible.com/ansible/windows
GNU General Public License v3.0

Add required setting to run win_updates using ssm instead of ssh #521

Open adsanz-atalanta opened 1 year ago

adsanz-atalanta commented 1 year ago
SUMMARY

I'm trying to use the win_updates module with the SSM connection plugin. It was working, but out of the blue it started showing this error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at <ScriptBlock>, <No file>: line 753
fatal: [i-xxxxxxxxxxx]: FAILED! => {"changed": false, "failed_update_count": 0, "filtered_updates": {}, "found_update_count": 0, "installed_update_count": 0, "msg": "Retrieving the COM class factory for component with CLSID {00000000-0000-0000-0000-000000000000} failed due to the following error: 800703fa Illegal operation attempted on a registry key that has been marked for deletion. (Exception from HRESULT: 0x800703FA). - Unknown WUA HRESULT 2147943418 (UNKNOWN 800703FA)", "reboot_required": false, "rebooted": false, "updates": {}}

After quite some time trying to look up the problem, I ran across this: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/administration/800703fa-illegal-operation-error, which basically shows how to enable the setting that makes this module work on hosts that run via SSM instead of SSH. Linking this documentation under the module page might save some headaches.

ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.12.10]
  config file = None
  configured module search path = ['/home/xxxxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/xxxxxx/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/xxxxxx/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/xxxxx/.local/bin/ansible
  python version = 3.10.6 (main, May 29 2023, 11:10:38) [GCC 11.3.0]
  jinja version = 3.1.2
  libyaml = True

jborean93 commented 1 year ago

What setting in particular here needs to be set? I'm unsure what exactly we need to be documented.

adsanz-atalanta commented 1 year ago

That, if you are using the win_updates module with an SSM connection (AWS with Windows hosts), you should follow this https://learn.microsoft.com/en-us/sharepoint/troubleshoot/administration/800703fa-illegal-operation-error#method-2 if you encounter this error:

Retrieving the COM class factory for component with CLSID {00000000-0000-0000-0000-000000000000} failed due to the following error: 800703fa Illegal operation attempted on a registry key that has been marked for deletion. (Exception from HRESULT: 0x800703FA). - Unknown WUA HRESULT 2147943418 (UNKNOWN 800703FA)

Honestly, I would like to give answers as to why this error happens, but I cannot give an accurate response. I can just say that this error happened to me only when the setting "Do not forcefully unload the user registry at user logoff" was disabled. Tested multiple times on different Windows hosts.
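
A read-only check for the condition described in this comment, as an added example that is not code from the issue's participants or from ansible.windows. It assumes the policy is backed by the `DisableForceUnload` value under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\System`; the function name `Get-WuaComDiagnostic` is hypothetical. Run it inside the same kind of session (SSM) that the playbook uses.

```powershell
# Added example: read-only diagnostic, not part of ansible.windows.
function Get-WuaComDiagnostic {   # hypothetical name
    [CmdletBinding()]
    param()

    # Assumption: registry value behind the policy
    # "Do not forcefully unload the user registry at user logoff".
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $name  = 'DisableForceUnload'
    $prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.$name } else { $null }

    $r = [ordered]@{
        User          = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        PolicyValue   = $value            # $null means "not configured"
        PolicyEnabled = ($value -eq 1)
        ComCreated    = $false
        HResult       = $null
        Diagnosis     = $null
    }

    try {
        # Create the Windows Update Agent COM object named in the win_updates error.
        $null = (New-Object -ComObject Microsoft.Update.SystemInfo -ErrorAction Stop).RebootRequired
        $r.ComCreated = $true
        $r.Diagnosis  = 'Microsoft.Update.SystemInfo created without error.'
    }
    catch {
        # HResult is a signed Int32; X8 prints it as the usual 8-digit hex code.
        $msg = $_.Exception.Message       # capture now: $_ is rebound inside switch
        $hr  = '0x{0:X8}' -f $_.Exception.GetBaseException().HResult
        $r.HResult   = $hr
        $r.Diagnosis = switch ($hr) {
            '0x800703FA' {
                if ($r.PolicyEnabled) { 'Registry key marked for deletion although the policy is enabled.' }
                else { 'Registry key marked for deletion and the policy is not enabled, matching the report above.' }
            }
            '0x80070005' { 'Access denied when creating the COM object in this session.' }
            default      { "Unrecognised HRESULT: $msg" }
        }
    }
    [pscustomobject]$r
}

Get-WuaComDiagnostic | Format-List
```

The function changes nothing on the host, so it can be run before deciding whether to touch the group policy.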

offlineadmin commented 1 year ago

We are getting this as well. Trying various things but haven't figured out what's up. Setting that group policy is not recommended as it can mess up roaming profiles. I am going to try to turn on all the PowerShell debugging to see what is happening.

offlineadmin commented 1 year ago

The error in AWX is as such: "exception": "New-Object : Retrieving the COM class factory for component with CLSID {00000000-0000-0000-0000-000000000000} failed \r\ndue to the following error: 800703fa Illegal operation attempted on a registry key that has been marked for deletion. \r\n(Exception from HRESULT: 0x800703FA).\r\nAt line:753 char:24\r\n+ ... Required = (New-Object -ComObject Microsoft.Update.SystemInfo).Reboot ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ResourceUnavailable: (:) [New-Object], COMException\r\n + FullyQualifiedErrorId : NoCOMClassIdentified,Microsoft.PowerShell.Commands.NewObjectCommand\r\n \r\n\r\n\r\nat <ScriptBlock>, <No file>: line 753"

I ran the offending command in AWS Session Manager:

PS C:\Windows\system32> (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
New-Object : Creating an instance of the COM component with CLSID {C01B9BA0-BEA7-41BA-B604-D0A36F469133} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
At line:1 char:2