Azure/azvmimagebuilder

Azure Image builder fails while performing CIS Hardening script with cleanup failing Error uploading file to $env:TEMP\winrmcp-xxxxx

p9139010 opened this issue · 2 comments

Environment: Azure Image builder
Packer Version: [INFO] Packer version: 1.8.1 [go1.17.8 linux amd64]

While executing, the CIS hardening fails with the below error.

[9def6e3b-8c07-49b5-95f9-6dd79e4e7b68] PACKER ERR 2022/12/22 12:19:45 packer-provisioner-powershell plugin: failed to upload the remote cleanup script: "clean up script "c:/Windows/Temp/packer-cleanup-63a44abb-d76b-86d9-71a9-7005cab80e63.ps1" failed to upload: Error uploading file to $env:TEMP\winrmcp-cbccd5ef-5991-4bf6-7c70-4d4761743931.tmp: Couldn't create shell: http response error: 401 - invalid content type"
[9def6e3b-8c07-49b5-95f9-6dd79e4e7b68] PACKER OUT azure-arm: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_USERS.DEFAULT\Control Panel\International\User Profile
[9def6e3b-8c07-49b5-95f9-6dd79e4e7b68] PACKER ERR 2022/12/22 12:19:45 packer-provisioner-powershell plugin: Retryable error: clean up script "c:/Windows/Temp/packer-cleanup-63a44abb-d76b-86d9-71a9-7005cab80e63.ps1" failed to upload: Error uploading file to $env:TEMP\winrmcp-cbccd5ef-5991-4bf6-7c70-4d4761743931.tmp: Couldn't create shell: http response error: 401 - invalid content type

====
Image Template reference:

Customize section:

        {
            "inline": [
                "Expand-Archive -Path c:\\scripts\\Hardeningfolder.zip -DestinationPath c:\\scripts"
            ],
            "name": "cisHardening script running-1",
            "runAsSystem": false,
            "runElevated": true,
            "type": "PowerShell"
        },
        {
            "inline": [
                "C:\\scripts\\Run-HardeningSteps.ps1 -config cis1-2019 -rootPath $env:SystemRoot -userDrive C -caption Companyauthorised"
            ],
            "name": "cisHardening script running-2",
            "runAsSystem": false,
            "runElevated": true,
            "type": "PowerShell"
        },

=====

Please suggest if we have to add any more switch or parameter to resolve winrm communication.

+1 @p9139010 did you find a solution to your problem?

Yes @samaea. There were 3 things in the hardening that had to be corrected.

1. Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy from 0 to 1
2. Registry key SOFTWARE\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs from 1 to 0
3. PowerShell customization should run as elevated to True
4. But it shouldn't be run as system, since the packer user account isn't SYSTEM. Run as System to False
5. Check the system locale to be native as much as possible. We had to change System Locale from EN-GB to EN-US
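
A read-only check of the settings listed in the comment above, added here as an example and not posted by anyone in the thread. It could run as the last lines of the hardening script, while the session is still open, so the build stops with a clear message instead of the 401 on the next WinRM upload. Assumptions: both values are under HKLM (the comment gives no hive), an absent value behaves as 0, and `Test-PackerWinRMSetting` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the VM.
# Assumption: both values are under HKLM (the comment gives key paths without a hive).
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Want = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
       Name = 'DisableRunAs'; Want = 0 }
)

function Test-PackerWinRMSetting {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [hashtable[]] $Settings,
        [string] $WantLocale = 'en-US'   # the locale the comment reports as working
    )
    foreach ($s in $Settings) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        # Assumption: an absent value behaves like 0, the Windows default for both.
        $actual = if ($null -ne $item) { [int]$item.($s.Name) } else { 0 }
        [pscustomobject]@{
            Setting = $s.Name
            Present = ($null -ne $item)
            Actual  = $actual
            Wanted  = $s.Want
            Ok      = ($actual -eq $s.Want)
        }
    }
    # -eq on strings is case-insensitive, so 'EN-US' and 'en-US' compare equal.
    $locale = (Get-WinSystemLocale).Name
    [pscustomobject]@{
        Setting = 'SystemLocale'
        Present = $true
        Actual  = $locale
        Wanted  = $WantLocale
        Ok      = ($locale -eq $WantLocale)
    }
}

$results = @(Test-PackerWinRMSetting -Settings $expected)
$results | Format-Table -AutoSize | Out-String | Write-Host
if ($results.Ok -contains $false) {
    Write-Warning 'Hardening left a setting that blocks the Packer WinRM session.'
    exit 1
}
```

`LocalAccountTokenFilterPolicy = 1` turns off UAC remote token filtering for local administrator accounts, so the value the build needs is weaker than the hardened one. Record it as a deliberate exception to the baseline rather than an unnoticed drift.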