为什么AWS-ConfigureWindowsUpdate SSM运行命令失败？

Question

Enabling or Disabling Windows Updates with SSM Run Command
AWS-ConfigureWindowsUpdate

When running the command, it downloads a PowerShell script to my EC2 at "C:\\ProgramData\\Amazon\\Ec2Config\\Downloads\\aws_psModule\\" with a random name

When the PowerShell script executes, it downloads "Amazon.ConfigureWindowsUpdate-1.2.zip" to "%Temp%" and then unzips it to "%WinDir%\\System32\\WindowsPowerShell\\v1.0\\Modules"

The script looks to be failing at Line 32 with the .CopyHere function where it is unzipping
Pastebin of Powershell Script: 1b3hh3oy.k51.ps1

(New-Object -Com Shell.Application).namespace($powerShellModuleLocation).CopyHere((New-Object -Com Shell.Application).namespace($tempLocation).Items(), 16)

Output:

Obtaining instance region from instance metadata.
Downloading ConfigureWindowsUpdate PowerShell module from S3.
Verifying SHA 256 of the ConfigureWindowsUpdate PowerShell module zip file.
ExtractingConfigureWindowsUpdate zip file contents to the Windows PowerShell module folder.
--------------ERROR-------------- C:\\ProgramData\\Amazon\\Ec2Config\\Downloads\\aws_psModule\\1b3hh3oy.k51.ps1 :
Exception thrown while downloading ConfigureWindowsUpdate PowerShell module with message: Exception has been thrown by the target of an invocation.
At line:1 char:1 + . 'C:\\ProgramData\\Amazon\\Ec2Config\\Downloads\\aws_psModule\\1b3hh3oy.k51.ps1' ; ex ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,1b3hh3oy.k51.ps1

Other Details:
- I have micro EC2 of Windows Server Core 2012 R2 running
- I have successfully used AWS-RunPowerShellScript command a few times from AWS Console
- I ran AWS-ConfigureWindowsUpdate through the AWS Console and it fails
- I remote connected to server and ran the powershell script with administrator privileges and get same error

Answer 1

You are correct, the exception is occurring on the call out to the Shell namespace for extracting the cmdlet payload. The COM namespace for Shell access is not included in the Core release so the ConfigureWindowsUpdate script fails when extracting the cmdlet.

Currently there is a workaround available for Windows Server Core AMIs and a more complete fix is currently being investigated. The workaround involves creating a custom ConfigureWindowsUpdate document with a tweak to fix the extraction process.

Below is a function that would replace the call to

(New-Object -Com Shell.Application).namespace($powerShellModuleLocation).CopyHere((New-Object -Com Shell.Application).namespace($tempLocation).Items(), 16)

function ExtractZipCoreOs($zipFilePath, $destPath) {
    try
    {
        [System.Reflection.Assembly]::LoadWithPartialName("System.IO.Compression.FileSystem") | Out-Null

        $zip = [System.IO.Compression.ZipFile]::OpenRead($zipFilePath)

        foreach ($item in $zip.Entries) {
            $extractedPath = Join-Path $destPath $item.FullName

            if ($item.Length -eq 0) {
                if ((Test-Path $extractedPath) -eq 0) {
                    mkdir $extractedPath | Out-Null
                }
            } else {
                $fileParent = Split-Path $extractedPath

                if ((Test-Path $fileParent) -eq 0) {
                    mkdir $fileParent | Out-Null
                }

                [System.IO.Compression.ZipFileExtensions]::ExtractToFile($item,(Join-Path -Path $powerShellModuleLocation -ChildPath $item.FullName), $true)
            }
        }
    } 
    catch
    {
        throw "Error encountered when extracting ConfigureWindowsUpdate zip file.`n$($_.Exception.Message)"
    }
    finally
    {
        $zip.Dispose()
    }
}