Hello,

I have a problem with the Windows Update Sensor within the PRTG Network Monitoring tool. Because of safety reasons we do not want PRTG to run in our domain as an Administrator. We achieved this state by creating a non-admin domain user with the following privileges:

- Member of: D-COM User
- Member of: Performance Monitoring User
- Member of: Remote Management User
- WMI Read access on Root/CIMV2

However, this is working for every sensor except for the Windows Update Sensor. The sensor appears yellow in the console with the error code: "Update history does not contain any entries. Please enable the sensor debug options and contact support for further help"

As long as you run the necessary commands locally with the non-admin user it works; if you try it remotely, you'll receive an "access denied" error.

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher();$searcher.Search("Type='Software'").Updates

I have already seen some topics in this forum which relate to my problem, but so far I wasn't able to find a solution. Since these posts are from 2017, I'm hoping there might be a solution now.

Thanks.


Article Comments

I totally understand your concern. Since this question comes up from time to time, we already had multiple internal discussions regarding this in the past; however, I'm afraid we really don't have any further information on this either. Unfortunately, Windows/Microsoft does not really document which exact access rights are needed for every call. Also, from our experience, it doesn't seem like there are specific settings for access rights that are always valid, as some settings work for some customers but not for others.
However the following articles helped other customers in this regard:

- https://support.infrasightlabs.com/help-pages/setting-up-wmi-access-through-ad-gpo/

- https://serverfault.com/questions/28520/which-permissions-rights-does-a-user-need-to-have-wmi-access-on-remote-machines/44997

- https://docs.microsoft.com/en-us/windows/win32/wmisdk/securing-a-remote-wmi-connection

- https://www.ibm.com/docs/en/capm?topic=configuration-creating-user-windows-management-instrumentation-wmi-permissions

- If the target device is not in the same domain as PRTG, please choose "Negotiate authentication" instead of Kerberos in the sensor settings.

- The user needs administrator rights at least on the local device. Therefore, if it's not possible to add the user to the domain administrator group, please try adding the user to the local administrator group.


Oct, 2021 - Permalink
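
An added example, not part of the original thread and not PRTG tooling: a PowerShell audit, run from an elevated session on a monitored host, that reports whether the non-admin account from the question actually holds the listed group memberships there and which rights each trustee has on the Root/CIMV2 WMI namespace. The account name is a placeholder, and the three built-in group names are an assumption about which groups the question's list refers to.

```powershell
# Added example. Run elevated on the monitored host (reading the namespace
# security descriptor normally requires administrative rights).
param(
    [string]$Account = 'CONTOSO\svc-prtg'   # hypothetical monitoring account
)

# Assumed built-in groups corresponding to the memberships listed in the question.
$groups = 'Distributed COM Users', 'Performance Monitor Users', 'Remote Management Users'

# 1. Direct local group membership. Nested domain groups are not expanded here,
#    so an account that is a member through a domain group shows as False.
$membership = foreach ($g in $groups) {
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "Member of '$g'"
        Result = [bool]($members | Where-Object Name -eq $Account)
    }
}

# 2. ACL on the root/cimv2 namespace, decoded from the WMI access-mask bits.
$rights = [ordered]@{
    EnableAccount = 0x1;     ExecuteMethods = 0x2
    FullWrite     = 0x4;     PartialWrite   = 0x8
    ProviderWrite = 0x10;    RemoteEnable   = 0x20
    ReadSecurity  = 0x20000; EditSecurity   = 0x40000
}
$sd = (Invoke-CimMethod -Namespace 'root/cimv2' -ClassName '__SystemSecurity' `
        -MethodName 'GetSecurityDescriptor').Descriptor

$aces = foreach ($ace in $sd.DACL) {
    $trustee = if ($ace.Trustee.Domain) {
        "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
    } else {
        $ace.Trustee.Name
    }
    [pscustomobject]@{
        Trustee = $trustee
        Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        Rights  = ($rights.Keys | Where-Object { $ace.AccessMask -band $rights[$_] }) -join ', '
    }
}

$membership | Format-Table -AutoSize
$aces       | Format-Table -AutoSize
```

Remote WMI reads need both EnableAccount and RemoteEnable on the namespace for the account or one of its groups; a missing RemoteEnable bit or a Deny entry in the second table is the first thing to look for.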