Permission denied error when using patch management on a Windows node for Puppet Enterprise

After using patch management on a Windows node, you get a permission denied error for the pe_patch_groups.ps1 file (part of the pe_patch module.)

Error messages

Error: /Stage[main]/Pe_patch/File[C:/ProgramData/PuppetLabs/pe_patch/pe_patch_groups.ps1]: Could not evaluate: Could not read file C:/ProgramData/PuppetLabs/pe_patch/pe_patch_groups.ps1: Permission denied @ rb_sysopen - C:/ProgramData/PuppetLabs/pe_patch/pe_patch_groups.ps1

You are getting this error because a file needed to run patching has misconfigured permissions.

Version and installation information

PE version: All supported versions

Solution

The correct file permissions for PE patch in Windows are Everyone with read and System with full control. Only the system account, used by the Puppet service, has those permissions. This error happens when you use the Administrators account to run patching and the group has been removed or the permissions of the group are changed.

To fix this, change the permissions of the file to add a local administrator with full control of the file.

1. To check the permissions, run:

   PS C:\Users<USER NAME)> (get-acl C:/ProgramData/PuppetLabs/pe_patch/pe_patch_groups.ps1).access | ft IdentityReference,F ileSystemRights,AccessControlType,IsInherited,InheritanceFlags -auto

   Which outputs something similar to:

   IdentityReference          FileSystemRights                                 AccessControlType IsInherited InheritanceFlags
   
   -----------------          ----------------                                 ----------------- ----------- ----------------
   
   Everyone                   ReadAttributes, ReadPermissions, Synchronize     Allow             False       None
   
   NT AUTHORITY\SYSTEM        FullControl                                      Allow             False       None
   
   BUILTIN\Administrators     FullControl                                      Allow             False       None
   
   NEWEST-LOADING\None        FullControl                                      Allow             False       None

2. Complete the following steps to fix the issue on each affected node.

   1. Navigate to the C:/ProgramData/PuppetLabs/pe_patch/ folder, right click it, and then click Properties.
   2. On the Security tab, click Advanced and then click the Add button.
   3. In the new popup window, click the Select a principal link.
   4. In the Select User or Group window, click on Advanced and click the Find Now button.
   5. From the results, select the Administrator account, and click OK.
   6. To apply permission, select the Full control checkbox options and click OK.