Invoke-IcingaCheckUpdates 1.7.0 - local call results in WARNING, service-call by Icinga2 says OK #255

Closed
tectumopticum opened this issue Dec 8, 2021 · 5 comments · Fixed by #264

@tectumopticum

I've created a service/monitor with the Invoke-IcingaCheckUpdates command, version 1.7.0 (same issue with 1.6.0).
"Inspect" shows the following call:

'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '-NoProfile' '-NoLogo' '-ExecutionPolicy' 'ByPass' '-C' 'try { Use-Icinga -Minimal; } catch { Write-Output '\''The Icinga PowerShell Framework is either not installed on the system or not configured properly. Please check https://icinga.com/docs/windows for further details'\''; exit 3; }; Exit-IcingaExecutePlugin -Command '\''Invoke-IcingaCheckUpdates'\'' ' '-UpdateFilter' '@()' '-Warning' '0' '-Critical' '5' '-Verbosity' '1' '-NoPerfData'

There is currently one update waiting on the system, so the monitor should create a WARNING-state.

Opening a PS locally (no difference between an admin-PS and a non-privileged PS) and calling this command:

Invoke-IcingaCheckUpdates -UpdateFilter @() -Warning 0 -Critical 5 -Verbosity 1 -NoPerfData
[WARNING] Windows Updates [WARNING] Pending Update Count
\_ [WARNING] Pending Update Count
   \_ [WARNING] Pending Update Count: 1 is greater than threshold 0
1

The Icinga2-service is running in the context of "NT AUTHORITY\NetworkService".

@LordHepipud LordHepipud added the documentation Improvements or additions to documentation label Dec 8, 2021
@LordHepipud LordHepipud self-assigned this Dec 8, 2021
@LordHepipud
Collaborator

Thank you for the issue. The problem is that the Network User does not have enough permissions to fetch the current Windows Update list.

To resolve this, you can either use JEA Profiles

Or change the GPO to allow fetching of pending updates for any user:

Computer Configuration -> Administrative Templates -> Windows Component -> Windows Update
Enable "Allow non administrative Users to receive update notifications"

If the last option does not resolve the problem, the only solution would be the usage of JEA Profiles.

@tectumopticum
Author

gpedit -> Computer Configuration -> Administrative Templates -> Windows Component -> Windows Update

Thanks for the info - this option doesn't resolve the problem, even after reboot.

@tectumopticum
Author

One last suggestion: if the plugin receives information from the OS that it is not allowed to query this object, it should probably send an UNKNOWN instead of OK and add the OS answer to the output (if possible).

@tectumopticum tectumopticum reopened this Dec 9, 2021
@LordHepipud
Collaborator

Yes, this would be nice, but as far as I can tell it is not possible. We already added some checks if certain objects can't be accessed, but if you fetch the Windows Updates and have no permissions, you receive an empty list.

Maybe I can find another solution for this topic.

@LordHepipud LordHepipud added this to the v1.8.0 milestone Dec 9, 2021
@LordHepipud LordHepipud added enhancement New feature or request and removed documentation Improvements or additions to documentation labels Dec 9, 2021
@LordHepipud
Collaborator

I tried to dig down on this issue and made some smaller adjustments to the update plugin. However, in case there is no exception thrown during the lookup on updates, we cannot print an error as far as I'm aware.

For permission errors, I would advise having a look at JEA Profiles.
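
A diagnostic for the mismatch discussed in this thread, added here as an example and not code from the Icinga plugin or its maintainers: it prints the account the check runs under next to the pending-update count, so that a count of 0 from a restricted service account can be compared with the count seen interactively. The function name `Get-PendingUpdateDiagnostic` is hypothetical, and querying the Windows Update Agent COM object with the criteria `IsInstalled=0` is an assumption that may differ from what Invoke-IcingaCheckUpdates does internally; the thresholds are the ones from the call above.

```powershell
# Added example, not part of the Icinga PowerShell plugins.
# Thresholds taken from the check call in this issue.
$Warning  = 0
$Critical = 5

function Get-PendingUpdateDiagnostic {
    # Who is actually running this check?
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $result = [ordered]@{
        Identity = $identity.Name
        IsAdmin  = $isAdmin
        Pending  = $null
        Error    = $null
    }
    try {
        # Assumption: pending updates are counted via the Windows Update Agent API.
        $session  = New-Object -ComObject 'Microsoft.Update.Session'
        $searcher = $session.CreateUpdateSearcher()
        $found    = $searcher.Search('IsInstalled=0')
        $result.Pending = $found.Updates.Count
    } catch {
        # Only reached if the lookup throws; an empty list raises no error.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

$diag    = Get-PendingUpdateDiagnostic
$context = "identity=$($diag.Identity) admin=$($diag.IsAdmin)"

if ($null -ne $diag.Error) {
    $state = 'UNKNOWN'; $code = 3
    $detail = "update search failed: $($diag.Error)"
} else {
    $detail = "pending updates: $($diag.Pending)"
    if ($diag.Pending -gt $Critical)    { $state = 'CRITICAL'; $code = 2 }
    elseif ($diag.Pending -gt $Warning) { $state = 'WARNING';  $code = 1 }
    else                                { $state = 'OK';       $code = 0 }
}

# The identity is always part of the output, so an OK result shows its context.
Write-Output "[$state] $detail ($context)"
exit $code
```

Saved as a script and run once interactively and once under the monitoring service account, differing counts for the same host point to the permission problem rather than to the patch state.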

@LordHepipud LordHepipud linked a pull request Jan 23, 2022 that will close this issue