##UPDATE: Was able to reproduce on new 21H2 build of Windows 10, so apparently it is not just the version. Possibly the PowerCLI vs. PowerShell version or something, but am able to reproduce as described later.
Describe the bug
"VM move job for '' ended with unsupported state Blocked" error hit when running PS/PCLI script on new Windows 22H2 host, not seen on older Windows 21H2 host.
Problem was reported when setting up a new VAMT Windows execution host at customer site, was able to reproduce the problem in our lab.
Followed the execution policy settings here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
As well as the debug info below:
The error message "Command execution is blocked" in PowerShell typically occurs when PowerShell's execution policy restricts the running of scripts and/or the execution of certain commands. PowerShell execution policies are designed to help prevent the execution of malicious scripts and ensure system security.
There are different execution policies in PowerShell, each with varying levels of restriction:
Restricted: This is the default execution policy. It doesn't allow the execution of scripts or configuration files.
AllSigned: Only signed scripts from trusted publishers are allowed to run.
RemoteSigned: Local scripts can run, but scripts downloaded from the internet must be signed by a trusted publisher.
Unrestricted: All scripts can run without any restrictions. This is not recommended unless you trust all the scripts you run.
Bypass: No execution policy is applied. All scripts can run without restrictions.
If you see the "Command execution is blocked" error message, it means the current execution policy is restricting the execution of the specific command or script you are trying to run.
To change the execution policy, you'll need to open a PowerShell session with administrative privileges (Run as Administrator) and use the Set-ExecutionPolicy cmdlet. For example, to set the execution policy to "RemoteSigned," you can run:
powershellCopy codeSet-ExecutionPolicy RemoteSigned
Keep in mind that adjusting the execution policy can have security implications, so it's essential to choose an appropriate policy based on your needs and the level of trust you have in the scripts you'll be running.
If you are in a restricted environment where you don't have the necessary permissions to change the execution policy, you may need to contact your system administrator to get the proper permissions or have them run the necessary commands for you.
And this as well:
Apart from the PowerShell execution policy, there are a few other potential causes for the "Command execution is blocked" error in PowerShell:
Group Policy: In a domain environment, a Group Policy may be in place that enforces a specific PowerShell execution policy for all computers within the domain. If your system is part of a domain and has Group Policy settings applied, these settings could override the local execution policy settings.
Antivirus or Endpoint Protection Software: Some antivirus or endpoint protection software may have features that block the execution of certain commands or scripts. These security measures might perceive specific PowerShell commands as potentially harmful and prevent them from executing.
Script Blocking Software: Similarly, third-party script-blocking software may be installed on the system, which prevents the execution of PowerShell scripts or specific commands to enhance security.
User Account Control (UAC): If you are running PowerShell with standard user privileges on a Windows system with User Account Control enabled, certain operations might be blocked due to restricted permissions.
Execution Policy Set by Script: If you have a script that sets the execution policy and it's run at the start of your PowerShell session, it could be responsible for enforcing a restrictive execution policy.
Insufficient Privileges: Certain PowerShell commands require elevated privileges (Run as Administrator) to execute. If you are running PowerShell without administrative rights and attempting to execute a command that requires elevated privileges, you might encounter this error.
Missing or Corrupted PowerShell Components: In some cases, missing or corrupted PowerShell components could cause issues with script execution.
File System Permissions: If the script or the file you are trying to execute has restrictive file system permissions, it may block the execution.
To troubleshoot the issue, consider the following steps:
Check the current execution policy by running Get-ExecutionPolicy in PowerShell and ensure it's set to a suitable level.
If you suspect Group Policy settings may be affecting the execution policy, contact your domain administrator to inquire about the applied policies.
Review the settings of your antivirus or endpoint protection software to see if it's blocking PowerShell commands.
Try running PowerShell as an administrator to see if elevated privileges are needed for the specific command.
Review the scripts or commands you are trying to execute and ensure they are correct and not blocked by other security software or permissions.
If none of these steps resolve the issue, it might be beneficial to seek assistance from your system administrator or IT support team to diagnose and resolve the problem more thoroughly.
Reproduction steps
- Load Windows 10 22H2 to use as execution host
- Load PowerCLI
- Run VAMT migration as administrator
See errors like this:
Info] 08/19/2023 18:39:54 - There are currently 0 moves in progress and 10 moves waiting to start.
[Info] 08/19/2023 18:39:54 - New batch of moves: Rocky9-HPE-1, CentOS7-HPE-2, Rocky9-HPE-2, Ubuntu2004-HPE-2, Ubuntu2004-HPE-1
[Error] 08/19/2023 18:40:21 - VM move job for 'CentOS7-HPE-2' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:22 - Refreshing VM 'CentOS7-HPE-2' object
[Info] 08/19/2023 18:40:22 - Preparing to set 'VAMT : failed' tag on 'CentOS7-HPE-2'
[Info] 08/19/2023 18:40:22 - Successfully to set 'VAMT : failed' tag on 'CentOS7-HPE-2'
[Error] 08/19/2023 18:40:22 - VM move job for 'Rocky9-HPE-1' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:22 - Refreshing VM 'Rocky9-HPE-1' object
[Info] 08/19/2023 18:40:22 - Preparing to set 'VAMT : failed' tag on 'Rocky9-HPE-1'
[Info] 08/19/2023 18:40:23 - Successfully to set 'VAMT : failed' tag on 'Rocky9-HPE-1'
[Error] 08/19/2023 18:40:23 - VM move job for 'Rocky9-HPE-2' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:23 - Refreshing VM 'Rocky9-HPE-2' object
[Info] 08/19/2023 18:40:23 - Preparing to set 'VAMT : failed' tag on 'Rocky9-HPE-2'
[Info] 08/19/2023 18:40:23 - Successfully to set 'VAMT : failed' tag on 'Rocky9-HPE-2'
[Error] 08/19/2023 18:40:23 - VM move job for 'Ubuntu2004-HPE-1' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:23 - Refreshing VM 'Ubuntu2004-HPE-1' object
[Info] 08/19/2023 18:40:24 - Preparing to set 'VAMT : failed' tag on 'Ubuntu2004-HPE-1'
[Info] 08/19/2023 18:40:24 - Successfully to set 'VAMT : failed' tag on 'Ubuntu2004-HPE-1'
[Error] 08/19/2023 18:40:24 - VM move job for 'Ubuntu2004-HPE-2' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:25 - Refreshing VM 'Ubuntu2004-HPE-2' object
[Info] 08/19/2023 18:40:25 - Preparing to set 'VAMT : failed' tag on 'Ubuntu2004-HPE-2'
[Info] 08/19/2023 18:40:25 - Successfully to set 'VAMT : failed' tag on 'Ubuntu2004-HPE-2'
[Info] 08/19/2023 18:40:25 - There are currently 0 moves in progress and 5 moves waiting to start.
[Info] 08/19/2023 18:40:25 - New batch of moves: Win2019-HPE-2, CentOS7-HPE-1, Win2019-HPE-1, Win2012r2-HPE-1, Win2012r2-HPE-2
[Error] 08/19/2023 18:40:46 - VM move job for 'Win2012r2-HPE-1' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:46 - Refreshing VM 'Win2012r2-HPE-1' object
[Info] 08/19/2023 18:40:46 - Preparing to set 'VAMT : failed' tag on 'Win2012r2-HPE-1'
[Info] 08/19/2023 18:40:46 - Successfully to set 'VAMT : failed' tag on 'Win2012r2-HPE-1'
[Error] 08/19/2023 18:40:46 - VM move job for 'Win2019-HPE-1' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:46 - Refreshing VM 'Win2019-HPE-1' object
[Info] 08/19/2023 18:40:47 - Preparing to set 'VAMT : failed' tag on 'Win2019-HPE-1'
[Info] 08/19/2023 18:40:47 - Successfully to set 'VAMT : failed' tag on 'Win2019-HPE-1'
[Error] 08/19/2023 18:40:47 - VM move job for 'Win2019-HPE-2' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:47 - Refreshing VM 'Win2019-HPE-2' object
[Info] 08/19/2023 18:40:47 - Preparing to set 'VAMT : failed' tag on 'Win2019-HPE-2'
[Info] 08/19/2023 18:40:48 - Successfully to set 'VAMT : failed' tag on 'Win2019-HPE-2'
[Error] 08/19/2023 18:40:48 - VM move job for 'CentOS7-HPE-1' ended with unsupported state Blocked. Considering this job failed.
[Info] 08/19/2023 18:40:48 - Refreshing VM 'CentOS7-HPE-1' object
[Info] 08/19/2023 18:40:48 - Preparing to set 'VAMT : failed' tag on 'CentOS7-HPE-1'
[Info] 08/19/2023 18:40:48 - Successfully to set 'VAMT : failed' tag on 'CentOS7-HPE-1'
[Info] 08/19/2023 18:40:48 - There are currently 1 moves in progress and 0 moves waiting to start.
Expected behavior
Migration should work, and it does when running the exact same scripts on a Windows 10 21H2 build, so odds are good that it is some default policy or security behavior that has changed between these Windows 10 builds that is now blocking this.
Additional context
This one works:
This one does not: