Invoke-IcingaCheckUpdates: Access is denied


I set up the Windows agent and most of the checks through director seem to work.
However, with Invoke-IcingaCheckUpdates (with verbosity 1 as argument), I get the following plugin output:

[UNKNOWN] Windows Updates: 1 Unknown 6 Ok [UNKNOWN] Windows Update Error (0)
[UNKNOWN] Windows Update Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Any ideas on this? I already tried to change the Icinga2 service logon account running on the client from “Network Service” to “Local System”.

We are using:

  • Icinga Web 2 Version ==> 2.11.4
  • Director ==> 1.10.2
  • Operating System (on client) ==> Microsoft Windows Server 2019 Datacenter
  • Operating System (on master - Icinga2 server) ==> Debian GNU/Linux 11 (bullseye)

And the following components are installed on the client:

agent 2.13.7 2.14.0
framework 1.10.1 1.10.1
plugins 1.10.1 1.10.1
service 1.2.0 1.2.0

Thank you!

do you use the powershell service? If yes check and change the user as well

Thanks for your feedback. Yes I use the Icinga powershell service. I also changed the log on from network service to local system but it behaves the same for the first 3 checks. After those, the service starts to time out and is no longer outputting even the error message:
Plugin Output : Timeout exceeded.

I also see this, did you figure out how to fix?

@NiclasE, no unfortunately I didn’t manage to fix it and didn’t receive further feedback. I read several statements on the Internet. Some were saying it is not possible to have it working, some saying it’s a matter of service rights etc.

Isn’t there anyone that has a solution for checking Windows updates?