Icinga PowerShell Framework: JEA Profile usage

Hello community :slight_smile:

We are currently trying to implement JEA profiles for our Icinga for Windows installations.

Current situation:
Icinga Agent and IfW are installed on all Windows VMs. Depending on the function of the server the service runs either as “NetworkService” or “LocalSystem”.
Now systems where the service runs as “NetworkService” have the problem that the Update check (Invoke-IcingaCheckUpdate) or ScheduledTask check (self-written script) throw “Acess denied” errors.

What we tried:
Installed a JEA profile as per the documentation, using a AD user account.
After this the check switched from


(no changes to the configuration of the check or the command were made)

Adding the -JEAProfile IcingaForWindows parameter to the didn’t change a thing, which I didn’t expect it to, as it seems to be using this as default anyway.

Questions that now came up:

  • Is JEA even the right approach to our problem?
    – or would we still stumble into the same Access denied problem, because the underlying user does not have the necessary right to those (PowerShell) providers
  • How would we get PowerShell scripts (or the CMDlets they use) that we have created ourselves included in the JEA profile?
  • How do you supply the user password for a domain user during the setup of
    – the icinga agent
    – the JEA profile

Hopefully someone can share some insights or answer my questions.

Thanks and have a good day :v:

1 Like

happy new year!

Bumping this up again, hoping that there is someone out there that has successfully used the JEA profiles and can help :slight_smile: