Hello community
We are currently trying to implement JEA profiles for our Icinga for Windows installations.
Current situation:
Icinga Agent and IfW are installed on all Windows VMs. Depending on the function of the server the service runs either as “NetworkService” or “LocalSystem”.
Now systems where the service runs as “NetworkService” have the problem that the Update check (Invoke-IcingaCheckUpdate) or ScheduledTask check (self-written script) throw “Access denied” errors.
What we tried:
Installed a JEA profile as per the documentation, using an AD user account.
After this the check switched from
to
(no changes to the configuration of the check or the command were made)
Adding the -JEAProfile IcingaForWindows parameter to the didn’t change a thing, which I didn’t expect it to, as it seems to be using this as default anyway.
Questions that now came up:
- Is JEA even the right approach to our problem?
– or would we still stumble into the same Access denied problem, because the underlying user does not have the necessary right to those (PowerShell) providers
- How would we get PowerShell scripts (or the CMDlets they use) that we have created ourselves included in the JEA profile?
- How do you supply the user password for a domain user during the setup of
– the icinga agent
– the JEA profile
Hopefully someone can share some insights or answer my questions.
Thanks and have a good day