What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

PRTG Windows Update Sensor (Powershell) - Non Admin User Configuration

Votes:

0

Hello,

i have a problem with the Windows Update Sensor within the PRTG Network Monitoring tool. Because of safety reasons we do not wan't PRTG to run in our Domain as an Administrator, we achieved this state by creating a Non Admin Domain User with following privileges:

- Member of: D-COM User
- Member of: Performance Monitoring User
- Member of: Remote Management User
WMI Read access on Root/CIMV2

However, this is working for every sensor except for the Windows Update Sensor, the sensor appears yellow in the Console with the error code: "Update history does not contain any entries. Please enable the sensor debug options and contact support for further help"

As long as you run the necessary commands locally with the non admin user it works, if you try it remote, you'll receive an "access denied" error.

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher();$searcher.Search("Type='Software'").Updates

I have already seen some topics in this forum which relate to my problem, so far i wasn't able to find a solution for that, since these posts are from 2017 im hoping there might be a solution now.

Thanks.

access-denied powershell prtg windows-update-sensor wmi

Created on Oct 4, 2021 12:21:42 PM

Last change on Oct 5, 2021 4:15:36 AM by Felix Wiesneth [Paessler Support]



1 Reply

Votes:

0

I totally understand your concern. Since this question comes up from time to time we already had multiple internal discussions regarding this in the past however I'm afraid we really don't have any further information on this either. Unfortunately Windows/Microsoft does not really document which exact access rights is needed for every call. Also, from our experience, it doesn't seem like there are specific settings for access rights that are always valid, as some settings work for some customers but not for others.

However the following articles helped other customers in this regard:

https://support.infrasightlabs.com/help-pages/setting-up-wmi-access-through-ad-gpo/

https://serverfault.com/questions/28520/which-permissions-rights-does-a-user-need-to-have-wmi-access-on-remote-machines/44997

-https://docs.microsoft.com/en-us/windows/win32/wmisdk/securing-a-remote-wmi-connection

- https://www.ibm.com/docs/en/capm?topic=configuration-creating-user-windows-management-instrumentation-wmi-permissions

- If the target device is not in the same domain as PRTG, please choose "Negotiate authentication" instead of Kerberos in the sensor settings.

- The user needs administrator rights at least on the local device. Therefore, if it's not possible to add the user to the domain administrator group, please try adding the user to the local administrator group.

Created on Oct 6, 2021 1:38:28 PM by Timo Dambach [Paessler Support]

Last change on Oct 6, 2021 1:39:00 PM by Timo Dambach [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.