KB0038 - Privilege is not held by client

Applicability

This article applies to users running PowerShell Universal 3.x and 4.x who are attempting to run scripts as alternate users. The issue presents itself as an error while attempting to run scripts that states: Error running script. A Required Privilege Is Not Held by the Client.

Root Cause

As of 3.9.9 and 4.0.3, PowerShell Universal is incorrectly requesting the SeTcbPrivilege (Act as part of the operating system). This privilege is very permissive, and Microsoft does not recommend granting it to accounts of this type. This may affect other down-level versions.

This error can also present itself if the privileges defined by our documentation are not granted.

Diagnostics

You can identify whether this issue is occurring by enabling the Audit Non Sensitive Privilege Use and Audit Sensitive Privilege Use Advanced Audit Policies in the Local Security Policy on the server hosting the PowerShell Universal service.

Each policy should be set to log failures to grant privileges.

Once this has been enabled, you can filter for event ID 4673 for privilege grant failures. You can also search for SeTcbPrivilege to see if PowerShell Universal is requesting the undesired privilege. 
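The diagnostic steps above can also be scripted. The following is an added example, not code from the PowerShell Universal documentation; it assumes an elevated session, the English subcategory names used by auditpol.exe, and that the failing script was re-run within the last hour.

```powershell
#Requires -RunAsAdministrator
# Added example: enable failure auditing for privilege use, then list the
# event ID 4673 failures that mention SeTcbPrivilege.

# Assumption: English subcategory names as shown by "auditpol /list /subcategory:*".
foreach ($sub in 'Sensitive Privilege Use', 'Non Sensitive Privilege Use') {
    auditpol.exe /set /subcategory:"$sub" /failure:enable | Out-Null
}

# Re-run the failing script in PowerShell Universal, then run the query below.
$filter = @{
    LogName   = 'Security'
    Id        = 4673
    Keywords  = 4503599627370496          # Audit Failure keyword
    StartTime = (Get-Date).AddHours(-1)   # assumption: reproduced within the last hour
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the event data by field name instead of by position.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Process     = $data.ProcessName
            Privileges  = ($data.PrivilegeList -split '\s+' | Where-Object { $_ }) -join ','
        }
    } |
    Where-Object { $_.Privileges -match 'SeTcbPrivilege' } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Rows whose Account is the PowerShell Universal service account indicate that the service requested SeTcbPrivilege and was refused.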

Workaround

The current workaround is to grant this privilege to the service account running PowerShell Universal. Future versions of PowerShell Universal will not require this privilege.
Another workaround is to invoke privileged commands using Invoke-Command and a credential from within the scripts running in PowerShell Universal.