OpenSSH: install via scheduled task

aramprice · aramprice · commit c0adea2db6bc · 2025-07-31T08:35:00.000-07:00
It appears that Windows blocks the use of `Add-WindowsCapability` when connected to a machine via WinRM[1]. This commit updates the installation of OpenSSH components to use a scheduled task to side-step this issue. [1] https://attuneops.io/attune-hub/install-openssh-server-on-windows-via-add-windowscapability/#link4
diff --git a/modules/BOSH.SSH/BOSH.SSH.Tests.ps1 b/modules/BOSH.SSH/BOSH.SSH.Tests.ps1
@@ -61,50 +61,58 @@ Describe "BOSH.SSH" {
             Mock Set-Service { } -ModuleName BOSH.SSH
             Mock Edit-DefaultOpenSSHConfig { } -ModuleName BOSH.SSH
 
-            Mock -ModuleName BOSH.SSH -CommandName Get-WindowsCapability { }
+            Mock -ModuleName BOSH.SSH -CommandName shouldInstallSshComponents { $False }
         }
 
-        Context "when 'Get-OSVersion' returns 'windows2019'" {
+        Context "When SSH components should be installed" {
             BeforeEach {
-                Mock -ModuleName BOSH.SSH -CommandName Get-OSVersion { "windows2019" }
+                Mock -ModuleName BOSH.SSH -CommandName shouldInstallSshComponents { $True }
+
+                Mock -ModuleName BOSH.SSH -CommandName Get-WindowsCapability { }
+
+                Mock -ModuleName BOSH.SSH -CommandName Start-Sleep { } -Verifiable
+                Mock -ModuleName BOSH.SSH -CommandName Register-ScheduledTask { } -Verifiable
             }
 
             Context "When OpenSSH components are installed" {
                 BeforeEach {
+                    $openSshClientPackageSpecifier = "OpenSSH.Client~~~~0.0.1.0"
                     Mock -ModuleName BOSH.SSH -CommandName Get-WindowsCapability {
                         [PSCustomObject]@{
                             State = "NotPresent"
-                            Name = "$Name"
+                            Name = $openSshClientPackageSpecifier
                         }
-                    }
+                    } -ParameterFilter { $Name -eq "OpenSSH.Client*" }
 
-                    Mock -ModuleName BOSH.SSH -CommandName Add-WindowsCapability { } -Verifiable
+                    $openSshServerPackageSpecifier = "OpenSSH.Server~~~~0.0.1.0"
+                    Mock -ModuleName BOSH.SSH -CommandName Get-WindowsCapability {
+                        [PSCustomObject]@{
+                            State = "NotPresent"
+                            Name = $openSshServerPackageSpecifier
+                        }
+                    } -ParameterFilter { $Name -eq "OpenSSH.Server*" }
                 }
 
                 It "attempts to install the packages" {
                     Install-SSHD
 
-                    Should -Invoke -ModuleName BOSH.SSH -CommandName Add-WindowsCapability -Times 1 -ParameterFilter {
-                        $Name -like "OpenSSH.Client*"
+                    Should -Invoke -ModuleName BOSH.SSH -CommandName Start-Sleep -Times 2 -ParameterFilter { $Seconds -eq 120 }
+
+                    Should -Invoke -ModuleName BOSH.SSH -CommandName Register-ScheduledTask -Times 1 -ParameterFilter {
+                        $TaskName -like "Run: 'Add-WindowsCapability -Online -Name $openSshClientPackageSpecifier'"
                     }
-                    Should -Invoke -ModuleName BOSH.SSH -CommandName Add-WindowsCapability -Times 1 -ParameterFilter {
-                        $Name -like "OpenSSH.Server*"
+
+                    Should -Invoke -ModuleName BOSH.SSH -CommandName Register-ScheduledTask -Times 1 -ParameterFilter {
+                        $TaskName -like "Run: 'Add-WindowsCapability -Online -Name $openSshServerPackageSpecifier'"
                     }
                 }
             }
 
             Context "When OpenSSH components are NOT installed" {
-                BeforeEach {
-                    Mock -ModuleName BOSH.SSH -CommandName Get-WindowsCapability {
-                        [PSCustomObject]@{ State = "NOT-NotPresent" }
-                    }
-                    Mock -ModuleName BOSH.SSH -CommandName Add-WindowsCapability { } -Verifiable
-                }
-
                 It "does not attempt to install the packages" {
                     Install-SSHD
 
-                    Should -Not -Invoke -ModuleName BOSH.SSH -CommandName Add-WindowsCapability
+                    Should -Not -Invoke -ModuleName BOSH.SSH -CommandName Register-ScheduledTask
                 }
             }
         }
diff --git a/modules/BOSH.SSH/BOSH.SSH.psm1 b/modules/BOSH.SSH/BOSH.SSH.psm1
@@ -1,15 +1,36 @@
 ﻿function Install-SSHD
 {
-    if (Get-OSVersion == "windows2019") {
+    if (shouldInstallSshComponents)
+    {
         # Microsoft privided OpenSSH must be installed on Windows 2019
         # => https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell&pivots=windows-server-2019
+
+        # Using `Add-WindowsCapability` via WinRM is blocked, as a workaround we create a task to run the install for us ¯\_(ツ)_/¯
+        # => https://attuneops.io/attune-hub/install-openssh-server-on-windows-via-add-windowscapability/
+        #    => https://gitlab.com/attuneops/attune/-/issues/21
+
         $sshPackages = @("OpenSSH.Client", "OpenSSH.Server")
+
         foreach ($sshPackage in $sshPackages) {
-            try {
-                $moduleName = (Get-WindowsCapability -Online -Name "$sshPackage*" | ForEach-Object Name)
-                Add-WindowsCapability -Online -Name $moduleName
-            } catch {
-                Write-Output "Error installing $moduleName : $_"
+            $packageResult = Get-WindowsCapability -Online -Name "$sshPackage*"
+
+            $packageState = ($packageResult | ForEach-Object State)
+            if ($packageState -eq "NotPresent") {
+                $packageSpecifier = ($packageResult | ForEach-Object Name)
+
+                $runIn15Seconds = New-ScheduledTaskTrigger -Once -At ((Get-date) + (New-TimeSpan -Seconds 15))
+                $runAsCurrentUserHighestPrivileges = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
+                $taskCommand = "-Command `"Add-WindowsCapability -Online -Name $packageSpecifier`""
+
+                Register-ScheduledTask `
+                    -TaskName "InstallSSHComponents" `
+                    -Description "Run: '$taskCommand'" `
+                    -Trigger $runIn15Seconds `
+                    -Principal $runAsCurrentUserHighestPrivileges `
+                    -Action (New-ScheduledTaskAction -Execute "powershell.exe" -Argument $taskCommand) `
+                    -Force
+
+                Start-Sleep -Seconds 120 # wait for install to trigger
             }
         }
     }
@@ -20,6 +41,10 @@
     Set-Service -Name ssh-agent -StartupType Disabled
 }
 
+function shouldInstallSshComponents {
+    Get-OSVersion == "windows2019"
+}
+
 function Enable-SSHD
 {
     # Remove existing OpenSSH firewall rule and recreate with '-Profile Any' option
