TIP 1516 (PowerShell DSC): Access Denied in Workgroup Environment

The Desired State Configuration, DSC (as well as CIM cmdlets) feature introduced in PowerShell 4.0, relies on properly configured and functional WinRM listeners. By virtue of creating a WinRM listener, PS remoting* is enabled automatically (this is the case since Windows Server 2012 out-of-the-box). DSC does not depend on the latter nor need to run off from machines joined to an Active Directory environment to operate.

In a Workgroup environment, you may encounter challenges pushing out the resulting MOF to the desired nodes via Start-DSCConfiguration despite running with elevated administrative privileges:

VERBOSE: Perform operation ‘Invoke CimMethod’ with following parameters, ”methodName’ = SendConfigurationApply, ‘className’ = MSFT_DSCLocalConfigurationManager,’namespaceName’ =
The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config.
+ CategoryInfo : NotEnabled: (root/Microsoft/…gurationManager:String) [], CimException
+ FullyQualifiedErrorId : HRESULT 0x803380e4
+ PSComputerName : SERVER01

You verified that …

… WSMan:\localhost\Client\TrustedHosts on your server has been correctly configured to work against the target machines (receiving DSC). You even restarted the machines for good measure with no avail.

To resolve this, ensure that the correct credentials are used by including the -Credential parameter against the Start-DSCConfiguration cmdlet targeting standalone, non-domain joined machines.

* running a WinRM service

#ITPro #PowerShell #DSC

Follow me for all the buzz -> @_leedesmond (Twitter)!

Leave a Reply