Powershell 5.1 CMDLET Not Working

Hey All,

I am having an issue where I am using a BigFix Task to push out a Powershell file to a system and then run it. Normally this works just fine but with this PS1 file I am using CMDLET that is new to PS 5.1 (All machines that are relevant have Windows Management Framework(WMF) 5.1 installed, which includes Powershell 5.1)

The issue that I am having is that if I remote into a device and run the PS1 file everything works as expected but when I deploy and run the PS1 using BigFix I get errors saything that the CMDLET or module could not be imported. While I should not have to import anything as this is an included CMDLET for PS 5.1 I have also tried this and it still can not import, this time saying that the CMDLET or Module does not exist.

The only thing that I could come up with is that maybe BigFix is somehow executing the script on the Server side first? Our BF Server does not have PS 5.1 but that just seems way to outside the box. I did also notice this was happening shortly after we moved to 9.5.3 but I had not used anything in PS 5.1 prior to the update to have a validation if this could have been an issue.

Any thoughts on this would be great.

Thanks,
KW

We might need a little more detail to troubleshoot, but the first things that come to mind for me are whether you have an accidental relevance substitution, such as your script containing { or } that aren’t escaped and get interpreted by the Action Script instead of passed on to powershell, or maybe a problem with wow64 redirection.

The BES client runs in 32-bit mode and thus would by default kick off the 32-bit powershell.exe You can avoid this by putting
action uses wow64 redirection false
in your actionscript anywhere before you start the powershell command.

Sorry for the long response time. I had some other issues that took precedence but I have some more information now.

As for the above suggestions running as x86/x64 should not impact the use case here and I have already ensured that I escaped the { for relevance I believe. Here is the code that I am running:

//Create powershell file
delete __createfile
createfile until ENDOFFILE
#Start a Transcript of all Output
$ErrorActionPreference="SilentlyContinue"
Stop-Transcript | out-null
$ErrorActionPreference = "Continue"
Start-Transcript -path C:\BigFix\AdminAccounts\output.txt -append

#Import the LocalAccounts module
#Import-Module -name C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.psd1 -verbose

#Begin removal of Admins other than SSE
$users = Get-WmiObject win32_groupuser | Where-Object {{ $_.GroupComponent -match ‘administrators’ } | ForEach-Object {{[wmi]$_.PartComponent }
$IgnoreList = "ADMIN"

#Write-host $users.name


:OuterLoop
foreach ($user in $users) {{
    foreach ($account in $IgnoreList) {{
        if ($user.name -like "$account") {{
            continue OuterLoop
        }
    }

    Remove-LocalUser -Name $user.Name
    }
Stop-Transcript
ENDOFFILE

//move the created file
copy __createfile c:\BigFix\AdminAccounts\removeAdmins.ps1
delete __createfile

//Call script to delete the accounts
waithidden powershell.exe -executionpolicy unrestricted -file "c:\BigFix\AdminAccounts\removeAdmins.ps1"

Above I have the Import Module commented out as I get similar errors when trying it that way.

Here is the transcript that is generated when bigfix runs this task.

**********************
Windows PowerShell transcript start
Start time: 20170502145656
Username: REDACTED\SYSTEM
RunAs User: REDACTED\SYSTEM
Machine: QA-REDACTED (Microsoft Windows NT 6.1.7601 Service Pack 1)
Host Application: powershell.exe -executionpolicy unrestricted -file c:\BigFix\AdminAccounts\removeAdmins.ps1
Process ID: 5552
PSVersion: 5.1.14409.1005
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14409.1005
BuildVersion: 10.0.14409.1005
CLRVersion: 4.0.30319.34209
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\BigFix\AdminAccounts\output.txt
Remove-LocalUser : The term 'Remove-LocalUser' is not recognized as the name of a cmdlet, function, script file, or 
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try 
again.
At C:\BigFix\AdminAccounts\removeAdmins.ps1:25 char:5
+     Remove-LocalUser -Name $user.Name
+     ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Remove-LocalUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Remove-LocalUser : The term 'Remove-LocalUser' is not recognized as the name
of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try
again.
At C:\BigFix\AdminAccounts\removeAdmins.ps1:25 char:5
+     Remove-LocalUser -Name $user.Name
+     ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Remove-LocalUser:String) [], Co
   mmandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

**********************
Windows PowerShell transcript end
End time: 20170502145656
**********************

Any thoughts would be greatly appreciated.

If anyone wants be to try any changes I can and will post up the logs. Need to get this figured out ASAP.

To reiterate again, this powershell file runs just fine if I remote into the machine and execute it directly. I know the create file is also working fine as I can simply execute the created file from big fix in CMD using the same cmd I did in wait hidden - powershell.exe -executionpolicy unrestricted -file “c:\BigFix\AdminAccounts\removeAdmins.ps1”

Thanks

You really need to try Jason’s suggestion. It might not solve the problem, but it definitely makes a difference:

This goes near the top of the actionscript. If Remove-LocalUser is 64bit only on 64bit platforms, then it is likely required.

This is also unlikely to make a difference, but worth a try:

waithidden cmd /C powershell.exe -executionpolicy unrestricted -file "c:\BigFix\AdminAccounts\removeAdmins.ps1"

Invoking CMD and then having it invoke PowerShell sometimes makes a difference. Not usually with PowerShell in particular, but definitely with other things.

There is a wizard in BigFix Labs for managing local users on windows that could be used to do something similar.

Related:

• Remove-LocalUser (Microsoft.PowerShell.LocalAccounts) - PowerShell | Microsoft Learn
• https://bigfix.me/fixlet/details/5020

This indeed fixed the issue!

Thanks for the help on this everyone.