Set-AzVMRunCommand not working well when using -RunAsUser -RunAsPassword
Description
I have a Windows 11 VM on Azure with a built-in account for administering the computer. If I use that account when calling Set-AzVMRunCommand, I can't run my PowerShell script correctly. For example, I cannot use Invoke-WebRequest, as I get the following error:
PS>TerminatingError(Invoke-WebRequest): "Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer. Contact Microsoft Customer Support Services."
Invoke-WebRequest : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer.
Contact Microsoft Customer Support Services.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_MyCmd2_1.ps1:1 char:52
+ ... -Host Test; Invoke-WebRequest -Uri 'https://github.com/Azure/AKS-Edge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (:) [Invoke-WebRequest], HostException
+ FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Invoke-WebRequest : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer.
Contact Microsoft Customer Support Services.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_MyCmd2_1.ps1:1 char:52
+ ... -Host Test; Invoke-WebRequest -Uri 'https://github.com/Azure/AKS-Edge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (:) [Invoke-WebRequest], HostException
+ FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
I am using it like this:
Set-AzVMRunCommand -RunCommandName "MyCmd2" -SourceScript "Start-Transcript -Path .\log.txt; Write-Host Test; Invoke-WebRequest -Uri 'https://github.com/Azure/AKS-Edge/archive/main.zip' -OutFile .\zipFile.zip" -ResourceGroupName $resourcegroup -VMName $vmname -Location $location -RunAsUser $username -RunAsPassword $adminpassword -NoWait
I have used Start-Transcript and I am attaching the logs. You will notice that when I use RunAsUser, the Host Application is not calling powershell.exe?
log-notworking.txt
This is when I use RunAsUser and RunAsPassword:
**********************
Windows PowerShell transcript start
Start time: 20231123131227
Username: myVM\azureuser
RunAs User: myVM\azureuser
Configuration Name:
Machine: myVM (Microsoft Windows NT 10.0.22631.0)
Host Application: -ExecutionPolicy Unrestricted -File C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_MyCmd2_1.ps1 2>C:\Windows\TEMP\Script_MyCmd2_1.ps1_stderr.txt 1>C:\Windows\TEMP\Script_MyCmd2_1.ps1_stdout.txt
Process ID: 3128
PSVersion: 5.1.22621.2506
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.22621.2506
BuildVersion: 10.0.22621.2506
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is .\log.txt
Test
PS>TerminatingError(Invoke-WebRequest): "Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer. Contact Microsoft Customer Support Services."
Invoke-WebRequest : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer.
Contact Microsoft Customer Support Services.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_MyCmd2_1.ps1:1 char:52
+ ... -Host Test; Invoke-WebRequest -Uri 'https://github.com/Azure/AKS-Edge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (:) [Invoke-WebRequest], HostException
+ FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Invoke-WebRequest : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer.
Contact Microsoft Customer Support Services.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_MyCmd2_1.ps1:1 char:52
+ ... -Host Test; Invoke-WebRequest -Uri 'https://github.com/Azure/AKS-Edge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (:) [Invoke-WebRequest], HostException
+ FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS>$global:?
True
log-working.txt
This is without using it:
**********************
Windows PowerShell transcript start
Start time: 20231123131342
Username: WORKGROUP\SYSTEM
RunAs User: WORKGROUP\SYSTEM
Configuration Name:
Machine: myVM (Microsoft Windows NT 10.0.22631.0)
Host Application: C:\Windows\system32\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -File C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_MyCmd2_2.ps1
Process ID: 9848
PSVersion: 5.1.22621.2506
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.22621.2506
BuildVersion: 10.0.22621.2506
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is .\log.txt
Test
PS>$global:?
True
**********************
Windows PowerShell transcript end
End time: 20231123131350
**********************
Why is the Host Application called in a different way? Probably the issue is there.
We are missing "C:\Windows\system32\windowspowershell\v1.0\powershell.exe" when adding RunAsUser and RunAsPassword.
PS: When I RDP to the machine and run the same script using the Username: myVM\azureuser it works!
Issue script & Debug output
n/a
Environment data
This is on Azure Cloud Shell using PowerShell on the Azure Portal:
Name Value
---- -----
PSVersion 7.3.9
PSEdition Core
GitCommitId 7.3.9
OS Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
This is on Azure Cloud Shell using PowerShell on the Azure Portal:
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.13.2 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script 7.0.0 Az.Compute {Add-AzImageDataDisk, Add-AzVhd, Add-AzVMAdditionalUnattendContent, Add-AzVMDataDisk…}
Script 7.0.0 Az.Network {Add-AzApplicationGatewayAuthenticationCertificate, Add-AzApplicationGatewayBackendAddressPool, Add-AzApplicationGatewayBackendHttpSetting, Add-AzApplicat…
Script 6.12.0 Az.Resources {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}
Script 6.0.0 Az.Storage {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolicyAction, Add-AzStorageAccountNetworkRule, Close-AzStorageFileHandle…}
Script 1.1.2 Az.Tools.Predictor {Disable-AzPredictor, Enable-AzPredictor, Open-AzPredictorSurvey, Send-AzPredictorRating}
Script 0.0.0.10 AzureAD.Standard.Preview {Add-AzureADApplicationOwner, Add-AzureADDeviceRegisteredOwner, Add-AzureADDeviceRegisteredUser, Add-AzureADDirectoryRoleMember…}
Script 0.9.3 AzurePSDrive
Error output
PS>TerminatingError(Invoke-WebRequest): "Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer. Contact Microsoft Customer Support Services."
Invoke-WebRequest : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer.
Contact Microsoft Customer Support Services.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_MyCmd2_1.ps1:1 char:52
+ ... -Host Test; Invoke-WebRequest -Uri 'https://github.com/Azure/AKS-Edge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (:) [Invoke-WebRequest], HostException
+ FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
Invoke-WebRequest : Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer.
Contact Microsoft Customer Support Services.
At C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandHandlerWindows\2.0.8\Downloads\Script_MyCmd2_1.ps1:1 char:52
+ ... -Host Test; Invoke-WebRequest -Uri 'https://github.com/Azure/AKS-Edge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ReadError: (:) [Invoke-WebRequest], HostException
+ FullyQualifiedErrorId : ReadConsoleOutput,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
@asergaz Thanks for your feedback, we are looking into this now.
@GabstaMSFT, do we have an ETA on when the fix will be available? Also, could you please let me know if there's a workaround? Thanks!
@asergaz / @bhsubra
We are tracking a bug for this on our end Bug 24542208: RC2W RunAs - Invoke-WebRequest in script fails with Win32 internal error "Access is denied" 0x5 occurred while reading the console output buffer.
We will look into this.
Meanwhile, please check whether the RunAsUser created on the VM has the necessary permissions to execute those commands. For example, after logging in over RDP as the RunAsUser on the VM, is the RunAsUser able to execute a command such as Invoke-WebRequest from within the Azure VM in PowerShell?
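A diagnostic script for comparing the two execution contexts shown in the transcripts above, added here as an example and not part of the issue thread or the Run Command extension. The report file names are made up, and the second download attempt with progress display turned off is an untested assumption about what touches the console buffer; the thread does not confirm it.

```powershell
# Added diagnostic (not from the issue thread). Submit this file through
# Set-AzVMRunCommand once with -RunAsUser/-RunAsPassword and once without,
# then compare the two JSON reports.
$report = [ordered]@{
    Identity         = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    HostProcessPath  = (Get-Process -Id $PID).Path
    CommandLine      = [Environment]::GetCommandLineArgs() -join ' '
    UserInteractive  = [Environment]::UserInteractive
    StdoutRedirected = [Console]::IsOutputRedirected
    StderrRedirected = [Console]::IsErrorRedirected
}

# URL taken from the issue; the output paths are hypothetical.
$uri     = 'https://github.com/Azure/AKS-Edge/archive/main.zip'
$outFile = Join-Path $env:TEMP 'runcommand-diag.zip'

function Test-Download {
    param([string]$ProgressSetting)
    # Local to this function, so the caller's preference is left untouched.
    $ProgressPreference = $ProgressSetting
    try {
        Invoke-WebRequest -Uri $uri -OutFile $outFile -UseBasicParsing -ErrorAction Stop
        'OK'
    } catch {
        # Keep the error id so it can be matched against the transcript.
        '{0}: {1}' -f $_.FullyQualifiedErrorId, $_.Exception.Message
    } finally {
        Remove-Item -LiteralPath $outFile -ErrorAction SilentlyContinue
    }
}

# Assumption under test: the failure depends on progress rendering.
$report.DownloadWithProgress    = Test-Download -ProgressSetting 'Continue'
$report.DownloadWithoutProgress = Test-Download -ProgressSetting 'SilentlyContinue'

$reportPath = Join-Path $env:TEMP 'runcommand-diag.json'
$report | ConvertTo-Json | Set-Content -LiteralPath $reportPath -Encoding UTF8
$report | ConvertTo-Json   # also written to the run command's captured output
```

If both download results fail with the same ReadConsoleOutput error id, the progress assumption is ruled out and the difference lies elsewhere in the redirected host context.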
@asergaz have you been able to check that the VM has the permissions needed as mentioned above?
@asergaz checking to see if you have been able to check permissions as mentioned above?
@GabstaMSFT sorry, I don't have the time now to test this, but I remember that I had the correct permissions at the time I tested it. Did you ever try to reproduce this? I think the steps are super clear. Thanks
You can also get valid commandIds using the PowerShell cmdlet below: Get-AzVmRunCommandDocument -Location centraluseuap
https://learn.microsoft.com/en-us/powershell/module/az.compute/get-azvmruncommanddocument?view=azps-12.3.0