Invoke-IcingaCheckUpdates: Access is denied

MopaILS · July 13, 2023, 2:46pm

Hello

I set up the Windows agent and most of the checks through director seem to work.
However, with Invoke-IcingaCheckUpdates (with verbosity 1 as argument), I get the following plugin output:

[UNKNOWN] Windows Updates: 1 Unknown 6 Ok [UNKNOWN] Windows Update Error (0)
[UNKNOWN] Windows Update Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Any ideas on this? I already tried to change the Icinga2 service logon account running on the client from “Network Service” to “Local System”.

We are using:

Icinga Web 2 Version ==> 2.11.4
Director ==> 1.10.2
Operating System (on client) ==> Microsoft Windows Server 2019 Datacenter
Operating System (on master - Icinga2 server) ==> Debian GNU/Linux 11 (bullseye)

And the following components are installed on the client:

agent 2.13.7 2.14.0
framework 1.10.1 1.10.1
plugins 1.10.1 1.10.1
service 1.2.0 1.2.0

Thank you!

moreamazingnick · July 14, 2023, 6:17am

do you use the powershell service? If yes check and change the user as well

MopaILS · July 14, 2023, 12:07pm

Thanks for your feedback. Yes I use the Icinga powershell service. I also changed the log on from network service to local system but it behaves the same for the first 3 checks. After those, the service starts to time out and is no longer outputting even the error message:
Plugin Output : Timeout exceeded.

NiclasE · August 17, 2023, 6:02am

I also see this, did you figure out how to fix?

MopaILS · August 17, 2023, 7:58am

@NiclasE, no unfortunately I didn’t manage to fix it and didn’t receive further feedback. I read several statements on the Internet. Some were saying it is not possible to have it working, some saying it’s a matter of service rights etc.