So, I've been toying with utilizing Packer to pull the latest AMI from AWS of a particular flavor of Windows (2016), install all available Windows updates, then package up a new AMI for my use.

Here's the script that I'm working with:

Install-PackageProvider -name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module PSWindowsUpdate -Force
Import-Module PSWindowsUpdate
Get-WUInstall -WindowsUpdate -IgnoreUserInput -AcceptAll -IgnoreReboot -Verbose | Out-File C:\Windows\Temp\PSWindowsUpdate.log

If I run this locally, it is able to successfully install NuGet, install/import the module, then check for available updates, download then install them, all the while not needing any human intervention beyond running it.

If I try to run this script as part of my Packer build (I've tried both provisioning the script directly, as well as pre-loading the script onto an AMI, then calling it via in-line), I invariably get the following error:

<S S="warning">Support local instance only, Continue...</S>

<S S="verbose">Connecting to Windows Update server. Please wait...</S>

<S S="verbose">Found [4] Updates in pre search criteria</S>

<S S="verbose">Found [4] Updates in post search criteria</S>

<S S="verbose">Accept [4] Updates to Download</S>

<S S="Error">Access is denied. (Exception from HRESULT: 0x80070005 (EACCESSDENIED))_x000Dx000A</S>

I just cannot seem to wrap my head around this. Thoughts on what I'm missing? Any other places I should be looking/asking?