Forum Discussion

Dave_Lee's avatar
Dave_Lee
Icon for Advisor rankAdvisor
3 months ago

PowerShell module auto-load

Hi all

I'm struggling with something so thought I'd see if anyone else has experienced this...

We have a customer running Azure Local which is essentially a Windows Server cluster running Hyper-V and Storage Spaces Direct.  We've configured a least priv user for monitoring, this is working fine for WMI queries but none of the PowerShell based modules are working.

I've done a load of troubleshooting and found that WinRM will allow connections, but we can't even run basic cmdlets like Write-Host because it doesn't find the commands.

It works fine though if we explicitly load the required modules (e.g. Import-Module Microsoft.PowerShell.Utility).  We can test and this works fine

 



This proves that the modules we need are there and that there is nothing preventing us from using them (there is no "Just Enough Admin" setup to block it for example).  I suppose I could work through all the modules in the platform, identify all the module dependencies and write in code to check and load them, but that would be quite an undertaking and I really can't justify running custom versions of all the LM modules to workaround an issue on a single customer environment.

Has anyone run into this before and have a solution?

A few things I've ruled out:

  • The modules exist on the system (we're just trying to use built-in/standard modules at the moment)
  • The environment vars have the right Modules path set (and we can import modules manually, so that is working)
  • Ruled out execution policy (if we manually import a module, it works fine)
  • Ruled out a Constrained Session.... at least, I believe so because $execution.context.sessionstate states LanguageMode=FullLanguage
  • Rules out Just Enough Administration being in place... again, I believe so because $PSSenderInfo states ConfigurationName=Microsoft.PowerShell (I believe this would be different if we were operating under a different JEA enforced profile configuration).  Also, there's nothing stopping us from manually importing and using modules.

It looks to me like it's just module auto-load that is disabled but, as I understand it, this has to be explicitly disable and the customer hasn't done so.  I understand from the customer that it works fine with an admin account, perhaps there is some hardening that Microsoft applies automatically as it's a customised Azure Local specific version of Windows Server.

I did try and explicitly enable auto-load by creating a profile file for my non-admin user and setting the value $PSModuleAutoloadingPreference='All' but that seemed to have no effect.  I'm not convinced it's even looking for a profile file to be honest.  When I use WinRM to run "$PROFILE | Select-Object *" then nothing is returned.

The customer has opened a ticket with Microsoft about this, although is getting fairly vague suggestions around JEA (which I don't believe is in place) and that Azure Local may have some hardening.  So I thought I'd put it to the community :)  I'll also raise it with LM support.

Dave

No RepliesBe the first to reply