Install-DbaInstance and Update-DbaInstance now work from an unelevated PowerShell session

[andreasjordan]

One of the nice features of Install-DbaInstance and Update-DbaInstance is, that it can automatically configure CredSSP, which is the default authentication protocol if you use the credential parameter. Why use CredSSP? Because best practice is to store the installation media and the patches on a network share - so you need to pass the credentials to the target to avoid the double-hop issue.

But configuring CredSSP - and even reading the CredSSP configuration - needs an elevated PowerShell session. And because I like to follow the "principle of least privilege", I want to run as many PowerShell sessions as possible without elevated privileges.

The second reason is that I want to separate the security related configuration from running a dbatools command. Enabling the CredSSP server role on all the targets is done via group policies, enabling the client role on the jump box is only one command per target.

So starting with version 1.1.62 you have multiple options:

• The "good old easy" way: Run the commands from an elevated PowerShell, provide a suitable credential and the magic still happens.
• The "configured ahead" way: If your CredSSP configuration is already set up, you can now run the commands from an unelevated PowerShell session, provide a suitable credential and CredSSP will be used without notice.
• The "local media" way: If you have the installation media or the patches locally on the target, you can use the credential together with -Authentication Default to bypass CredSSP. This also works from an unelevated PowerShell.
• The fallback way: This way is only a fallback and not recommended, but it still works for environments where CredSSP can not be used. When the CredSSP session can not be opened, the user is asked if the command should use the fallback. Then it uses Register-PSSessionConfiguration to temporarily create a session configuration on the target with the given credential.This also works from an unelevated PowerShell.

The bottom line: You only need an elevated PowerShell session if CredSSP needs to be configured by the command.

[salvbing]

How do you specify Authentication Default?
My Update-DbaInstance hangs with CredSSP. and when I take it out, Update-DbaInstance doesnt RESTART I get an error:
PS C:\Windows\system32> TerminatingError(Restart-Computer): "The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: The computer TargetServer.mydomain.mycom is skipped. Fail to retrieve its LastBootUpTime via the WMI service with the following error message: The WinRM client cannot process the request. CredSSP authentication is currently disabled in the client configuration. Change the client configuration and try the request again. CredSSP authentication must also be enabled in the server configuration. Also, Group Policy must be edited to allow credential delegation to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/.domain.com."
WARNING: [14:56:01][Invoke-DbaAdvancedUpdate] Failed to restart computer TargetServer.mydomain.mycom | The computer TargetServer.mydomain.mycom is skipped. Fail to retrieve its LastBootUpTime via the WMI service with the following error message: The WinRM client cannot process the request. CredSSP authentication is currently disabled in the client configuration. Change the client configuration and try the request again. CredSSP authentication must also be enabled in the server configuration. Also, Group Policy must be edited to allow credential delegation to the target computer. Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials. Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/.domain.com.
ComputerName : TargetServer.mydomain.mycom
MajorVersion : 2019
TargetLevel : RTMCU15
KB : 5008996
Successful : True
Restarted : False
InstanceName :
Installer : \sharedmount.mydomain.mcom\Shared2\AutoPatch\SQLServer2019-KB5008996-CU15-x64.exe
Notes : {Restart is required for computer TargetServer.mydomain.mycom to finish the installation of SQL2019RTMCU15}