puppetlabs / puppetlabs-puppet_agent

Module for managing Puppet-Agent
Apache License 2.0

On Windows when upgrading with a new logon user and password, the windows service does not get updated. #700

Open tuxmea opened 5 months ago

tuxmea commented 5 months ago

During an upgrade of Puppet Agent on Windows, the Puppet service resource does not manage the logon user and password. This is only set during initial installation and not managed later on.

At some customers, security requests that passwords be changed regularly. This also affects service accounts.

joshcooper commented 2 months ago

@tuxmea I thought gMSA was designed to solve this issue, so credentials can be rotated centrally without having to reconfigure each node? Puppet supports running as a gMSA service. There used to be a blog post about it. Our MSI properties also discuss this: https://www.puppet.com/docs/puppet/8/install_agents.html#msi_properties

Of course, if the service is running as domain service or local account, then having the ability to manage the credentials in the module makes sense.

anthonysomerset commented 1 month ago

So there's a workaround for this - I have a related issue.

it may be down to this from here: https://puppet.com/docs/puppet/latest/install_agents.html#msi_properties

Important: If you set a non-default value for PUPPET_SERVER, PUPPET_CA_SERVER, PUPPET_AGENT_CERTNAME, or PUPPET_AGENT_ENVIRONMENT, the installer replaces the existing value in puppet.conf and re-uses the value at upgrade unless you specify a new value. Therefore, if you've customized these properties, don't change the setting directly in puppet.conf; instead, re-run the installer and set a new value at installation.

I had this issue because my CA server hostname is not the default (it is not the same as the master), so during some upgrades it gets reverted to the original.

You can work around it with an override of puppet_agent::install_options, e.g. for me:

puppet_agent::install_options:
  - REINSTALLMODE="amus"
  - PUPPET_SERVER="puppet-enc.domain"
  - PUPPET_CA_SERVER="puppet-ca.domain"

You could add additional lines for PUPPET_AGENT_ACCOUNT_USER and the related params from the MSI properties, and any upgrade will change to the configured values on the next upgrade.
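The workaround from the comment above, written out as a profile class (an added example; it is not code from the module or from the thread). It assumes the service account details live in Hiera under the hypothetical keys shown as class parameters, that the password is stored encrypted (e.g. hiera-eyaml) so it arrives as a Sensitive value, and that PUPPET_AGENT_ACCOUNT_DOMAIN and PUPPET_AGENT_ACCOUNT_PASSWORD are the MSI properties that accompany PUPPET_AGENT_ACCOUNT_USER:

```puppet
# Hypothetical profile: pass the service logon account to every agent
# install/upgrade so the Windows service is re-pointed at the current
# credentials instead of keeping the ones from the initial install.
class profile::puppet_agent (
  String            $package_version,   # e.g. '8.10.0' (value chosen by you)
  String            $account_domain,    # e.g. 'CORP'
  String            $account_user,      # e.g. 'svc_puppet', or 'svc_puppet$' for a gMSA
  Sensitive[String] $account_password,  # from eyaml; leave empty for a gMSA
) {
  # REINSTALLMODE="amus" forces the MSI to re-apply properties even when the
  # version is unchanged, so a rotated password is picked up on the next run.
  $base_options = [
    'REINSTALLMODE="amus"',
    "PUPPET_AGENT_ACCOUNT_DOMAIN=\"${account_domain}\"",
    "PUPPET_AGENT_ACCOUNT_USER=\"${account_user}\"",
  ]

  # gMSA accounts (name ending in '$') need no password; only add the
  # property for a conventional domain or local service account.
  $password_options = $account_password.unwrap ? {
    ''      => [],
    default => ["PUPPET_AGENT_ACCOUNT_PASSWORD=\"${account_password.unwrap}\""],
  }

  class { 'puppet_agent':
    package_version => $package_version,
    install_options => $base_options + $password_options,
  }
}
```

Note that a password passed this way ends up on the msiexec command line, where it can be visible in process listings and installer logs on the node; that is the exposure the gMSA suggestion earlier in the thread avoids, since a gMSA needs no password property at all.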