Solved - Check Command is executed by the Agent and not by IFW Service - result access denied

Hello all,

I am setting up a new Icinga Server and monitoring for some Windows and Linux systems
I already have setup some windows hosts and windows icinga agent ans IFW with the IFW Service.
The IFW service is set to run as SYSTEM.
On 5 Systems all checks that I need work fine, but with the last windows server 2022 I get an access denied when I use the
Invoke-IcingaCheckUpdates plugin:

Windows Updates: 1 Unknown 6 Ok Windows Update Error
_ Windows Update Error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

I checked with Process Monitor from Sysinternals the Invoke-IcingaCheckUpdates is executed directly form the Icinga2 Agent Service and not from the IFW Service.

On the other systems it works fine.

This is how I installed the client components:

Install Icinga Agent MSI
Icinga2-v2.15.1-x86_64.msi
Install Icinga4Windows Framework
execute IcingaForWindows.ps1
Configure Icinga Master
Download Kickstart script Host Agent Tab
execute icinga2-agent-kickstart.ps1

#Add repository
Add-IcingaRepository -Name ‘Icinga Stable’ -RemotePath ‘https://packages.icinga.com/IcingaForWindows/stable/ifw.repo.json’;
check
Search-IcingaRepository -Name ‘*’ -Release;
install Plugins
Install-IcingaComponent -Name ‘plugins’

Enable-IcingaFrameworkApiChecks
Register-IcingaBackgroundDaemon -Command ‘Start-IcingaWindowsRESTApi’;
Register-IcingaBackgroundDaemon -Command ‘Start-IcingaForWindowsDaemon’;
Show-IcingaRegisteredBackgroundDaemons
List of configured background daemons on this system:

Start-IcingaForWindowsDaemon

No arguments defined

Start-IcingaWindowsRESTApi

No arguments defined

Restart-Icinga

Enable-IcingaAgentFeature -Feature api;
Restart-IcingaService icinga2;

Further Information:
PS C:\Program Files\ICINGA2\sbin> .\icinga2 --version
icinga2.exe - The Icinga 2 network monitoring daemon (version: v2.15.1)

Copyright (c) 2012-2025 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later https://gnu.org/licenses/gpl2.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
Platform: Windows
Platform version: 8 (Server)
Kernel: Windows
Kernel version: 6.2
Architecture: x86_64

Build information:
Compiler: MSVC 19.44.35217.0
Build host: ICINGABUILD1
OpenSSL version: OpenSSL 3.0.18 30 Sep 2025

Application information:

General paths:
Config directory: C:\ProgramData\icinga2\etc\icinga2
Data directory: C:\ProgramData\icinga2\var\lib\icinga2
Log directory: C:\ProgramData\icinga2\var\log\icinga2
Cache directory: C:\ProgramData\icinga2\var\cache\icinga2
Spool directory: C:\ProgramData\icinga2\var\spool\icinga2
Run directory: C:\ProgramData\icinga2\var\run\icinga2

Old paths (deprecated):
Installation root: C:\Program Files\ICINGA2
Sysconf directory: C:\ProgramData\icinga2\etc
Run directory (base): C:\ProgramData\icinga2\var\run
Local state directory: C:\ProgramData\icinga2\var

Internal paths:
Package data directory: C:\Program Files\ICINGA2\share\icinga2
State path: C:\ProgramData\icinga2\var\lib\icinga2/icinga2.state
Modified attributes path: C:\ProgramData\icinga2\var\lib\icinga2/modified-attributes.conf
Objects path: C:\ProgramData\icinga2\var\cache\icinga2/icinga2.debug
Vars path: C:\ProgramData\icinga2\var\cache\icinga2/icinga2.vars
PID path: C:\ProgramData\icinga2\var\run\icinga2/icinga2.pid
PS C:\Program Files\ICINGA2\sbin>

Operating System and version
Windows Server 2022 EN

PS C:\Program Files\ICINGA2\sbin> .\icinga2 feature list
Disabled features: debuglog mainlog
Enabled features: api checker notification windowseventlog

Icinga Web 2 Version 2.12.5
Git commit e0836c569734d6414c307ec0094cfed9a9dce694
PHP Version 8.4.11
Git commit date 2025-07-16
Loaded Libraries
icinga/icinga-php-library 0.17.0
icinga/icinga-php-thirdparty 0.13.1
Loaded Modules
director 1.11.5 Configure
icingadb 1.2.2 Configure
incubator 0.23.0 Configure
Copyright © 2013-2025 Icinga GmbH

PS C:\Program Files\ICINGA2\sbin> .\icinga2 daemon -C
[2025-11-01 21:07:32 +0100] information/cli: Icinga application loader (version: v2.15.1)
[2025-11-01 21:07:32 +0100] information/cli: Loading configuration file(s).
[2025-11-01 21:07:32 +0100] information/ConfigItem: Committing config item(s).
[2025-11-01 21:07:32 +0100] information/ApiListener: My API identity: MYserver.loc.domain.com
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 1 IcingaApplication.
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 4 Zones.
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 5 TimePeriods.
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 23 HostGroups.
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 6 NotificationCommands.
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 2 Endpoints.
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 1 ApiListener.
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 408 CheckCommands.
[2025-11-01 21:07:32 +0100] information/ConfigItem: Instantiated 1 FileLogger.
[2025-11-01 21:07:32 +0100] information/ScriptGlobal: Dumping variables to file ‘C:\ProgramData\icinga2\var\cache\icinga2/icinga2.vars’
[2025-11-01 21:07:32 +0100] information/cli: Finished validating the configuration file(s).

Thank you in advance for any suggestion
–Zauberlehrling

The problem is solved.
Mainly it was because of an host template the was migrated by basket from an old Icinga installation, which showed the old kickstartet script not the new IfW script.
After fixing this I removed the Agent installation and deleted the complet Agent configuration under c:\programdata\icinga2.

Installed the Icinga MSI new and run the new IfW init script and now all is up an working

Have a nice Sunday

–Zauberlehrling