Quick tip: Renew a certificate used by WSUS

I failed to update the certificate of a WSUS server before it expired 😦
Here’s the error message I got when I tried to use the cmdlet:
Get-WsusServer : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Here’s what I did to replace my expired certificate with a valid one:


# Create a self signed certificate (the subject is CN=<computername>.myfqdn)
$SelfSignedHT = @{
 DnsName = "$($env:COMPUTERNAME).myfqdn".ToLower()
 CertStoreLocation = "Cert:\LocalMachine\My"
}
New-SelfSignedCertificate @SelfSignedHT

# Retrieve it from its store: the newest, unexpired server-auth certificate
# issued to that name (several unexpired certificates may live in the store)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -SSLServerAuthentication |
Where-Object { $_.NotAfter -gt (Get-Date) -and $_.Subject -eq "CN=$($SelfSignedHT.DnsName)" } |
Sort-Object -Property NotAfter -Descending | Select-Object -First 1

# Export the public certificate (no private key)
Export-Certificate -Cert $cert -Type CERT -FilePath "~/documents/cert.$($cert.Thumbprint).cer"

# Import the public certificate in the Root CA store so the machine trusts it
Import-Certificate -FilePath "~/documents/cert.$($cert.Thumbprint).cer" -CertStoreLocation Cert:\LocalMachine\Root

# The Get-WebBinding cmdlet and its AddSslCertificate() method come from this module
Import-Module WebAdministration

# View what certificate is being used (will show you the previous thumbprint)
(Get-WebBinding -Protocol https).certificateHash

# Update it: bind the new thumbprint from the LocalMachine\My store
(Get-WebBinding -Protocol https).AddSslCertificate(
"$($cert.Thumbprint)","My"
)

# Check that the new cert is being used
(Get-WebBinding -Protocol https).certificateHash

I was able to use the Get-WsusServer cmdlet immediately after switching to the new valid certificate, in the same console where it had previously failed 😀

Next step: distribute the exported public key to client computers using a GPO
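The whole incident started because nobody noticed the certificate was about to expire. As an added example (not part of the original post), the following function reads the thumbprint bound to every HTTPS binding, looks the certificate up in the store, reports how many days remain, and checks whether the certificate is also present in the Root store (which a self-signed certificate needs in order to be trusted). The 30-day warning threshold is an assumption.

```powershell
# Added example, not from the original post: audit the certificate(s) bound to
# the HTTPS site(s) on this server and flag the ones that are missing, expired
# or close to expiry. Requires the WebAdministration module (IIS).
Import-Module WebAdministration

function Test-HttpsBindingCertificate {
    param(
        [int]$WarnDays = 30   # assumption: warn when fewer than 30 days remain
    )
    foreach ($binding in Get-WebBinding -Protocol https) {
        $hash  = $binding.certificateHash
        $store = $binding.certificateStoreName
        if (-not $store) { $store = 'My' }

        # The certificate the binding points to (absent if it was deleted from the store)
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $hash }

        # A self-signed certificate is only trusted locally if it is also in Root
        $inRoot = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $hash })

        $daysLeft = $null
        if ($cert) { $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays }

        $status = if (-not $cert) { 'MISSING' }
                  elseif ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                  else { 'OK' }

        [pscustomobject]@{
            Binding     = $binding.bindingInformation
            Thumbprint  = $hash
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            InRootStore = $inRoot
            Status      = $status
        }
    }
}

# Run it on the WSUS server; anything other than OK deserves a look
Test-HttpsBindingCertificate | Format-Table -AutoSize
```

Scheduled as a task that writes an event or sends a mail when `Status` is not `OK`, this gives you the warning the original certificate never got.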


Remoting and registry

  • Issue

I’ve recently encountered a weird issue while using Windows PowerShell Remoting.

Using the following

New-PSSession -ComputerName RemoteServer

failed with the following message:
New-PSSession : Requested registry access is not allowed.
+ FullyQualifiedErrorId : PSSessionOpenFailed

and

icm -ComputerName RemoteServer -Authentication Kerberos { 1 }

failed with the following message:
Requested registry access is not allowed.
+ FullyQualifiedErrorId : PSSessionStateBroken

Sorry, what’s the link between Remoting and the registry?

  • Solution

Well, it appears that I cannot open a logon session on the remote server either.
Remoting isn’t the culprit. Neither is the version of PowerShell nor the version of the operating system, as I initially suspected.
I could also use remoting properly when I provided other credentials in the same shell where it had previously failed.

It appears that the User Profile Service tells us what’s missing:

Windows cannot load classes registry file.
DETAIL – The system cannot find the file specified.

Yes, I can see that there’s no AppData\Local\Microsoft\Windows\UsrClass.dat in the profile.

I deleted the “corrupted” profile and the issue went away 🙂

  • How to better detect this issue?

On the client (source shell), WSMAN has difficulty deleting the shell (which never opened, I presume).

On the server (target server), you can use the following code to detect it:

Get-WinEvent -FilterHashtable @{ 
    LogName = "Windows PowerShell" ;
    Level = 2 ;
    Id = 103 
}
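As an added example (not part of the original post), the two functions below turn that query into a reusable check: one pulls the same error events from a remote server over the event-log channel, which still works when the WinRM session itself cannot be set up, and the other walks the local profiles and reports any that lack the UsrClass.dat hive, so the broken profile can be found before a user hits it. The server name is an assumption.

```powershell
# Added example, not from the original post: detect the "classes registry file
# missing" condition both from the event log and from the profile folders.

function Get-ProfileLoadErrorEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = 'RemoteServer',                   # assumption: target server
        [System.Management.Automation.PSCredential]$Credential,   # other credentials if needed
        [int]$Hours = 24
    )
    # Same filter as the post, restricted to the last $Hours hours
    $filter = @{
        LogName   = 'Windows PowerShell'
        Level     = 2            # Error
        Id        = 103
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    # Get-WinEvent -ComputerName uses the event log RPC interface, not WinRM,
    # so it works even while New-PSSession to that host fails
    if ($ComputerName -ne $env:COMPUTERNAME) { $params.ComputerName = $ComputerName }
    if ($Credential) { $params.Credential = $Credential }

    Get-WinEvent @params |
        Select-Object -Property TimeCreated, MachineName, Id, Message
}

function Test-UserClassesHive {
    # Lists every non-special local profile and whether its UsrClass.dat exists
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and $_.LocalPath } |
        ForEach-Object {
            $hive = Join-Path -Path $_.LocalPath -ChildPath 'AppData\Local\Microsoft\Windows\UsrClass.dat'
            [pscustomobject]@{
                SID                = $_.SID
                LocalPath          = $_.LocalPath
                Loaded             = $_.Loaded
                UsrClassDatPresent = Test-Path -LiteralPath $hive
            }
        }
}

# Usage: recent PowerShell errors on the server, then the profiles missing the hive
Get-ProfileLoadErrorEvent -ComputerName 'RemoteServer' | Format-List
Test-UserClassesHive | Where-Object { -not $_.UsrClassDatPresent }
```

Run `Test-UserClassesHive` on the target server (locally, or through a session opened with working credentials); a profile with `UsrClassDatPresent` set to `False` is the one to rebuild.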

Windows PowerShell remoting rocks when the registry doesn’t fail 😉 Have fun 😎

PSReadline 2.0 not working on Windows 10 1809

  • Context:

I’m running Windows 10 1809 at home and encountered something weird about PSReadline.
You know PSReadline is the module from Jason Shirk that enables great command line editing in the PowerShell console host.
It maintains a history of commands across consoles and offers the ability to search that history (it works using CTRL+R, the same way a Bash shell does), and much more!

  • Issue:

As you can see in the picture below, I’m running an En-US input language with a French keyboard layout.
The module version 2.0 that shipped in Windows is loaded but the history isn’t maintained. That’s why I cannot search the history, nor invoke the following method, although the class exists:

[Microsoft.PowerShell.PSConsoleReadLine]::GetHistoryItems()

NB: This method only exists in version 2.0. It does not exist in version 1.2 that shipped in Windows 10 1803.
It throws the following error:
“The type initializer for ‘Microsoft.PowerShell.PSConsoleReadLine’ threw an exception.”

  • Solution:

I had a look at the issues on GitHub and I’m not the first one who noticed this issue.

Because Jason wrote the following in https://github.com/lzybkr/PSReadLine/pull/831, I went this route:

If you’d rather not use PsGet, you can just download the file PSReadLine.zip and extract the contents into your C:\Users\[User]\Documents\WindowsPowerShell\modules\PSReadLine folder. (You may have to create these directories if they don’t exist.)

I also needed to modify the Execution policy:

Note that if you have an Application Control solution, nothing in that zip file is digitally signed:

  • Caveat

The above solution works in an admin console: the command history is maintained and is searchable 🙂
But it still doesn’t work with a filtered admin token in a non-admin console 😦
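To see at a glance which of the symptoms above a given console exhibits, here is an added diagnostic (not part of the original post or of the PSReadLine project). It reports the loaded module version and path, whether the console holds a full or a filtered admin token, where PSReadLine saves its history and whether that file exists, and whether `GetHistoryItems()` is present and actually callable (the call is what triggers the type initializer error quoted above). It assumes PSReadLine 1.2 or 2.0 and relies only on `Get-PSReadLineOption` and .NET reflection.

```powershell
# Added example, not from the original post: diagnose PSReadLine history in the
# current console. Works whether the loaded module is 1.2 or 2.0.
function Test-PSReadLineHistory {
    $mod = Get-Module -Name PSReadLine
    if (-not $mod) {
        $mod = Import-Module -Name PSReadLine -PassThru -ErrorAction SilentlyContinue
    }

    # Full admin token vs filtered (UAC) token: the caveat in the post
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # History file location according to the module itself
    $savePath = $null
    if ($mod) {
        $opt = Get-PSReadLineOption -ErrorAction SilentlyContinue
        if ($opt) { $savePath = $opt.HistorySavePath }
    }
    $fileExists = $false
    if ($savePath) { $fileExists = Test-Path -LiteralPath $savePath }

    # GetHistoryItems() exists only in 2.0; calling it also runs the type initializer
    $type   = 'Microsoft.PowerShell.PSConsoleReadLine' -as [type]
    $method = $null
    if ($type) { $method = $type.GetMethod('GetHistoryItems') }
    $count = $null
    $initError = $null
    if ($method) {
        try   { $count = @($type::GetHistoryItems()).Count }
        catch { $initError = $_.Exception.GetBaseException().Message }
    }

    $version = 'not loaded'
    $path    = $null
    if ($mod) { $version = $mod.Version; $path = $mod.Path }

    [pscustomobject]@{
        Version            = $version
        ModulePath         = $path
        Elevated           = $elevated
        HistorySavePath    = $savePath
        HistoryFileExists  = $fileExists
        HasGetHistoryItems = [bool]$method
        HistoryItemCount   = $count
        TypeInitError      = $initError
    }
}

Test-PSReadLineHistory | Format-List
```

Run it once in an elevated console and once in a non-admin console with the same user: a `TypeInitError` that appears only when `Elevated` is `False`, with the same `ModulePath` in both, matches the behaviour described in the caveat.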