Using ConfigMgmt to add WindowsCapability

dan-iverson · September 13, 2021, 11:19pm

I am trying to use an ansible-playbook to install ServerCore.AppCampatiblity

- name: Add FOD
    ansible.windows.win_shell: |
       Import-Module -Name DISM -SkipEditionCheck
       Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0

    amazon-ebs: TASK [Add FOD (Features on Demand)] ********************************************
    amazon-ebs: fatal: [default]: FAILED! => {"changed": true, "cmd": "Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0", 
"delta": "0:00:18.641505", "end": "2021-09-13 10:24:37.593684", "msg": 
"non-zero return code", "rc": 1, "start": "2021-09-13 10:24:18.952178", "stderr":
 "Add-WindowsCapability : Access is denied.\r\nAt line:1 char:65\r\n+ ... ing $false; 
Add-WindowsCapability -Online -Name ServerCore.AppCompati ...\r\n+       
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    
+ CategoryInfo          : NotSpecified: (:) [Add-WindowsCapability], COMException\r\n
    + FullyQualifiedErrorId : 
Microsoft.Dism.Commands.AddWindowsCapabilityCommand", "stderr_lines": ["Add-
WindowsCapability : Access is denied.", "At line:1 char:65", "+ ... ing $false; Add-WindowsCapability -Online -Name ServerCore.AppCompati ...", "+     
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~", " 
   + CategoryInfo          : NotSpecified: (:) [Add-WindowsCapability], COMException", "   
 + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand"], "stdout": "", "stdout_lines": []}

I thought if I could find how Windowscapability is configured with DSC, I could get past this issue.

kvprasoon · September 14, 2021, 6:39am

Since the error message says Access Denied, can you try with ansible become with a higher privileged user ?

dan-iverson · September 14, 2021, 2:14pm

Do you know if DSC can be used to install WindowsCapablity features? Is there a resource for this? It seems to me if I can get this to work with DSC, I can get it to deploy. This playbook runs 15 other configurations fine, including add Window Features.

Olaf · September 14, 2021, 2:25pm

I may have misunderstood your need but shouldn’t Add-WindowsCapability be enough for this purpose?

dan-iverson · September 14, 2021, 2:26pm

That is what I ran above, and it did not work.

Olaf · September 14, 2021, 2:42pm

Ooops … I missed that … sorry. But why does it have to be used with DSC. Can’t you run it just by itself? … with sufficient rights to the target system of course …

dan-iverson · September 14, 2021, 2:45pm

All of the other PowerShell cmdlets run fine. It preforms over 15 other configurations fine. I did find this article saying they were having issue running the remote. https://www.reddit.com/r/PowerShell/comments/bjxzf2/addwindowscapability_on_a_remote_computer/

I thought Ansible run as admin as default, that is the account that it connects with.

krzydoug · September 14, 2021, 2:49pm

It appears the resource you’re looking for is part of the ComputerManagementDsc module.

https://www.powershellgallery.com/packages/ComputerManagementDsc/8.0.0/Content/DSCResources\DSC_WindowsCapability\DSC_WindowsCapability.psm1

github.com/dsccommunity/ComputerManagementDsc

WindowsCapability and WindowsCapabilitySet: New Resource(s) Proposal

opened 01:52PM - 11 Aug 19 UTC

closed 06:32AM - 02 Oct 19 UTC

aydeisen

help wanted resource proposal

### Description A DSC Module around the WindowsCapability cmdlets to manage the… enabled and disabled capabilities. It should work similarly to the WindowsOptionalFeature and WindowsOptionalFeatureSet DSC Resources ### Proposed properties Name (Key) LogLevel LogPath NoWindowsUpdateCheck (mapped to the `LimitAccess` parameter) DependsOn Ensure ### Special considerations or limitations Originally filed by @mgreenegit in PowerShell/PSDscResources#168. The discussion in that issue was to include it into ComputerManagementDsc When executing `Get-WindowsCapability`, the convention for the name is that it ends with three tildes followed by the version number. It would be great if the DSC Resource only required the name, and not the tildes and version number (or, at the very least, make the tildes and everything to the right of them optional)

Olaf · September 14, 2021, 2:50pm

It was just an idea because the error message states “Access is denied”. Unfortunately I don’t have any experience with Ansible. Sorry.

dan-iverson · September 16, 2021, 4:06pm

Here is the correct answer that runs properly.

### Barried somewhere in here are all the pieces of this with no example or clear explanation:
#  https://docs.ansible.com/ansible/2.5/user_guide/become.html#become-and-windows

Ansible.cfg
[all:vars]
ansible_connection=winrm
ansible_user=administrator
ansible_password=@Pa55w0rd
ansible_become_password=@Pa55w0rd
AWansible_port=5986
ansible_winrm_scheme=https
POWERSHELL_VERSION=5.1


Playbook.yml
---
- hosts: all
  gather_facts: no
  become_method: runas
  tasks:

  - name: Create directory structure
    win_file:
      path: C:\vsts\IA
      state: directory

  - name: Add FOD
    ansible.windows.win_shell: |
      Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0
    become: yes
    become_user: administrator

  - name: Test FOD
    ansible.windows.win_shell: |
      $WinCapObj = Get-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~0.0.1.0
      Write-Output -InputObject "Current State of FOD:: $($WinCapObj.State)"

  - name: Reboot if required
    ansible.windows.win_reboot:

Topic		Replies	Views
Ansible, AWS, and DSC DSC	3	661	January 30, 2021
Setup Frustation DSC	3	174	February 16, 2016
MVA DSC Module 2, Day 1 Set-DSCLocalConfigurationManager failing? DSC	10	216	May 20, 2016
Invalid Parameter when trying to enhance a DSC resource DSC	3	480	November 26, 2020
Service Manager DSC - Package command line arguments not working DSC	1	208	September 29, 2014

Using ConfigMgmt to add WindowsCapability

Related Topics