From 157e3873240b9105407842ff0ad2b15e4385d814 Mon Sep 17 00:00:00 2001 From: Lord Hepipud Date: Fri, 27 Nov 2020 15:31:37 +0100 Subject: [PATCH] Fixes Windows Updates permission exception; Add KB --- doc/10-Knowledge-Base.md | 1 + doc/knowledgebase/IWKB000006.md | 22 +++++++++++++++++++ .../Icinga_IcingaExceptionEnums.psm1 | 5 ++++- 3 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 doc/knowledgebase/IWKB000006.md diff --git a/doc/10-Knowledge-Base.md b/doc/10-Knowledge-Base.md index 95df068..8c83172 100644 --- a/doc/10-Knowledge-Base.md +++ b/doc/10-Knowledge-Base.md @@ -13,3 +13,4 @@ For this reason you will find a list of Icinga knowledge base entries below. Ent | [IWKB000003](knowledgebase/IWKB000003.md) | The Icinga Agent service `icinga2` cannot be started/modified/added because it is marked for deletion. | | [IWKB000004](knowledgebase/IWKB000004.md) | Use-Icinga : The 'Use-Icinga' command was found in the module 'icinga-powershell-framework', but the module could not be loaded. For more information, run 'Import-Module icinga-powershell-framework' | | [IWKB000005](knowledgebase/IWKB000005.md) | powershell.exe : Failed to start service 'Icinga PowerShell Service (icingapowershell)'. | +| [IWKB000006](knowledgebase/IWKB000006.md) | The user you are running this command as does not have permission to access the Windows Update ComObject "Microsoft.Update.Session". | diff --git a/doc/knowledgebase/IWKB000006.md b/doc/knowledgebase/IWKB000006.md new file mode 100644 index 0000000..558380b --- /dev/null +++ b/doc/knowledgebase/IWKB000006.md 
@@ -0,0 +1,22 @@ +# Icinga Knowledge Base - IWKB000006 + +## Short Message + +The user you are running this command as does not have permission to access the Windows Update ComObject "Microsoft.Update.Session". + +## Example Exception + +[UNKNOWN]: Icinga Permission Error was thrown: WindowsUpdate + +The user you are running this command as does not have permission to access the Windows Update ComObject "Microsoft.Update.Session". + +## Reason + +This issue is caused by calling [Invoke-IcingaCheckUpdates](https://icinga.com/docs/windows/latest/plugins/doc/plugins/14-Invoke-IcingaCheckUpdates/) over PowerShell Remote execution, with for example [check_by_powershell](https://github.com/Icinga/check_by_powershell). +The Windows COM Object is rejecting every access to these information over remote connections, making it impossible to execute the plugin. + +## Solution + +Right now there is no solution available for this problem. Microsoft is not allowing to grant permission to these objects over remote connections, which makes it impossible to use them. In addition there is no proper alternative for fetching pending Windows Updates and Hotfixes. + +A possible fix which is suggested online is to add a scheduled task, running the command after being triggered by our execution and afterwards fetching the result from the task. This solution requires more research, testing and development. diff --git a/lib/icinga/exception/Icinga_IcingaExceptionEnums.psm1 b/lib/icinga/exception/Icinga_IcingaExceptionEnums.psm1 index ce5e800..b0bd814 100644 --- a/lib/icinga/exception/Icinga_IcingaExceptionEnums.psm1 +++ b/lib/icinga/exception/Icinga_IcingaExceptionEnums.psm1 
@@ -15,7 +15,10 @@ 'Message' = 'The user you are running this command as does not have permission to access the requested Wmi-Object. To fix this, please add the user the Agent is running with to the "Remote Management Users" groups and grant access to the WMI branch for the Class/Namespace mentioned above and add the permission "Remote enable".'; 'IWKB' = 'IWKB000001'; } - WindowsUpdate = 'The user you are running this command as does not have permission to access the Windows Update ComObject "Microsoft.Update.Session". In order to fetch currently installed and pending updates, please grant the user the required permissions for fetching this information.'; + WindowsUpdate = @{ + 'Message' = 'The user you are running this command as does not have permission to access the Windows Update ComObject "Microsoft.Update.Session".'; + 'IWKB' = 'IWKB000006'; + } }; [hashtable]$Inputs = @{
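Review bot: The new IWKB000006 row in doc/10-Knowledge-Base.md describes the entry only by the permission message, while the KB article added in the same patch gives PowerShell remote execution as the cause and says no permission can be granted. Consider adding a short qualifier to the row text, for example "(when run over PowerShell remoting)", so that someone scanning the index can tell this entry apart from the WMI permission case that the exception enum ties to IWKB000001.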
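Review bot: In doc/knowledgebase/IWKB000006.md, the Solution section refers to a fix "suggested online" without a link, and the Reason section never says whether the plugin works when it is executed locally. Please add the reference for the scheduled-task approach and state explicitly whether running Invoke-IcingaCheckUpdates locally instead of through check_by_powershell avoids the error, since that is the only actionable information for someone who hits this exception. Also, "these information" in the Reason section should read "this information".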
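Review bot: In lib/icinga/exception/Icinga_IcingaExceptionEnums.psm1, the WindowsUpdate entry changes from a plain string to a hashtable with 'Message' and 'IWKB' keys, and nothing in this patch shows the code that reads the entry. The preceding entry already has this shape, so it is probably handled, but please confirm that every place that uses WindowsUpdate reads 'Message' rather than the value itself; otherwise the exception output would show System.Collections.Hashtable instead of the text. Separately, the new 'Message' still says the user "does not have permission", which the KB in this patch says cannot be granted. Mentioning remote execution in the message would keep administrators from searching for a missing ACL.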