Applicability
This article applies to users running PowerShell Universal 3.x and 4.x who are attempting to run scripts as alternate users. The issue presents itself as an error while running scripts that states: Error running script. A Required Privilege Is Not Held by the Client.
Root Cause
As of 3.9.9 and 4.0.3, PowerShell Universal is incorrectly requesting the SeTcbPrivilege (Act as part of the operating system). This privilege is very permissive, and Microsoft does not recommend granting it to accounts of this type. This may affect other down-level versions.
Diagnostics
You can identify whether this issue is occurring by enabling the Audit Non Sensitive Privilege Use and Audit Sensitive Privilege Use Advanced Audit Policies in the Local Security Policy on the machine hosting the PowerShell Universal service.
Each policy should be set to log failures to grant privileges.
Once this has been enabled, you can filter for event ID 4673 for privilege grant failures. You can also search for SeTcbPrivilege to see if PowerShell Universal is requesting the undesired privilege.
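The filter described above can also be run from PowerShell instead of Event Viewer. The script below is an added example, not part of PowerShell Universal; the one-day look-back window is an assumption, and it must be run from an elevated session because it reads the Security log.

```powershell
# Added example: list failed privilege requests (event ID 4673) that name SeTcbPrivilege.
$since = (Get-Date).AddDays(-1)          # assumed look-back window; adjust as needed

$filter = @{
    LogName   = 'Security'
    Id        = 4673
    Keywords  = 0x10000000000000         # standard "Audit Failure" keyword
    StartTime = $since
}

# SilentlyContinue: Get-WinEvent raises an error when no events match the filter.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Turn the named <Data> fields of the event into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['PrivilegeList'] -match 'SeTcbPrivilege') {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process     = $data['ProcessName']
            Privileges  = ($data['PrivilegeList'] -split '\s+' | Where-Object { $_ }) -join ','
        }
    }
}

if (-not $hits) {
    Write-Output "No failed SeTcbPrivilege requests logged since $since."
}
else {
    # Summary: which account and process asked for the privilege, and how often.
    $hits | Group-Object Account, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name

    # Most recent individual events for closer inspection.
    $hits | Sort-Object TimeCreated -Descending |
        Select-Object -First 10 |
        Format-Table -AutoSize
}
```

If the summary shows the PowerShell Universal service account and its process, the service is requesting the privilege described in this article.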
Workaround
The current workaround is to grant this privilege to the service account running PowerShell Universal. Future versions of PowerShell Universal will not require this privilege.
Another workaround is to invoke privileged commands using Invoke-Command and a credential from within the scripts running in PowerShell Universal.