Sysmon version 15 and above are protected process and hence, stopping or restarting the process is not possible and only solution is to uninstall them and do the necessary changes. Please refer this article for reference: "https://learn.microsoft.com/en-us/answers/questions/1344367/unable-to-stop-sysmon-15-0".
The issue is that when we want to install sysmon in a windows workstation or server, this template "https://github.com/OTRF/Blacksmith/blob/master/templates/azure/Win10/nestedtemplates/sysmonInstall.json" executes a powershell DSC function to install sysmon on those devices. As a result, this powershell script is executed "https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/dsc/software/Install-Sysmon.ps1". In this script, some permission changes are made to the sysmon windows event log channel and the sysmon service is restarted. Since sysmon version 15 and above are protected processes, this restart attempt fails and causes the DSC execution to fail as well.
Sample error message:
PowerShell DSC resource DSC_xScriptResource failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: The set script threw an error. ---> Microsoft.PowerShell.Commands.ServiceCommandException: Service 'Sysmon (sysmon)' cannot be stopped due to the following error: Cannot stop sysmon service on computer '.'. ---> System.InvalidOperationException: Cannot stop sysmon service on computer '.'. ---> System.ComponentModel.Win32Exception: Access is denied\r\n --- End of inner exception stack trace ---\r\n at System.ServiceProcess.ServiceController.Stop()\r\n at Microsoft.PowerShell.Commands.ServiceOperationBaseCommand.DoStopService(ServiceController serviceController, Boolean force, Boolean waitForServiceToStop)\r\n --- End of inner exception stack trace ---\r\n --- End of inner exception stack trace --- The SendConfigurationApply function did not succeed.'. More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot. "}]}
As a result, the successive resource deployments that depend on the successful execution of the "deployWin10VM" like "JoinWorkstations" which performs the AD domain join doesn't happen.
Please check on this and see what can be done to fix or bypass the issue.
Sysmon version 15 and above are protected process and hence, stopping or restarting the process is not possible and only solution is to uninstall them and do the necessary changes. Please refer this article for reference: "https://learn.microsoft.com/en-us/answers/questions/1344367/unable-to-stop-sysmon-15-0".
The issue is that when we want to install sysmon in a windows workstation or server, this template "https://github.com/OTRF/Blacksmith/blob/master/templates/azure/Win10/nestedtemplates/sysmonInstall.json" executes a powershell DSC function to install sysmon on those devices. As a result, this powershell script is executed "https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/dsc/software/Install-Sysmon.ps1". In this script, some permission changes are made to the sysmon windows event log channel and the sysmon service is restarted. Since sysmon version 15 and above are protected processes, this restart attempt fails and causes the DSC execution to fail as well.
Sample error message:
PowerShell DSC resource DSC_xScriptResource failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: The set script threw an error. ---> Microsoft.PowerShell.Commands.ServiceCommandException: Service 'Sysmon (sysmon)' cannot be stopped due to the following error: Cannot stop sysmon service on computer '.'. ---> System.InvalidOperationException: Cannot stop sysmon service on computer '.'. ---> System.ComponentModel.Win32Exception: Access is denied\r\n --- End of inner exception stack trace ---\r\n at System.ServiceProcess.ServiceController.Stop()\r\n at Microsoft.PowerShell.Commands.ServiceOperationBaseCommand.DoStopService(ServiceController serviceController, Boolean force, Boolean waitForServiceToStop)\r\n --- End of inner exception stack trace ---\r\n --- End of inner exception stack trace --- The SendConfigurationApply function did not succeed.'. More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot. "}]}
As a result, the successive resource deployments that depend on the successful execution of the "deployWin10VM" like "JoinWorkstations" which performs the AD domain join doesn't happen.
Please check on this and see what can be done to fix or bypass the issue.