UAG DirectAccess management ‘Apply Policy’ fails after Windows PowerShell update

Forefront UAG 2010 DirectAccess settings are written to Active Directory Group Policy for client and gateway provisioning. The GPO policies are created in AD via a PowerShell script from the UAG server. A recent update to Windows PowerShell affects the execution of this script and causes the policy application to fail.

In the UAG DirectAccess management console, the configuration settings are applied to Group Policy with Apply Policy then Apply Now. When successful, the DirectAccess Policy Configuration Log will display “ Script run completed with no errors or warnings”. However, due to script parsing changes with the new PowerShell 3.0 update, Apply policy - Apply now may return an error similar to the following:

> Executing policy script.
At C:\Users\UAGadmin\AppData\Local\Temp\tmp12ab.tmp.ps1:98 char:46
+ ErrorPrintLine("Failed to delete $item: $error")
+ ~~~~~~
Variable reference is not valid. ':' was not followed by a valid variable name
character. Consider using ${} to delimit the name.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : InvalidVariableReferenceWithDrive
> aborted

The actual error in the DirectAccess policy script is line 98.

Ø ErrorPrintLine("Failed to delete $item: $error")

This line is used to print an error message if it occurs during execution of the script; printing the error text with the contents of variables $item and $error separated by a colon (“:”). This above error occurs because of how this ErrorPrintLine parameter is now parsed differently in PowerShell 3.0. The colon with the variable name is used to denote variable scope so a parameter is expected after the colon which triggers the PS3 parser error.

You can resolve this issue by removing the optional WMF 3.0 update KB2506143 from the UAG server. This will allow you to apply the DirectAccess policy settings directly from the UAG server console as previously available. Alternately, you can export the UAG DirectAccess policy script and edit the problem line to work around the parsing error. Change the problem line to explicitly delimit the item variable using {} (or you could simply add a space between the variable $item and the colon to separate the characters in the print line). You can then execute the PowerShell script to apply the GPO settings (run with PowerShell).

Change this line # 98: ErrorPrintLine("Failed to delete $item: $error") to delimit the parameter name with {}.

Change to: ErrorPrintLine("Failed to delete ${item}: $error")

[ or ErrorPrintLine("Failed to delete $item : $error") ]

More Information

Microsoft Windows Management Framework 3.0 (KB) KB2506143
https://support.microsoft.com/kb/2506143

Author

Billy Price – Security Escalation Engineer, Microsoft CTS Forefront Security Edge Team

Reviewer

Richard Barker – Security Support Escalation Engineer, Microsoft CTS Forefront Security Edge Team