ConfigMgr Client Health is a PowerShell script that increased our patch compliance from 85% to 99%. It detects and fixes known errors in Windows and the Configuration Manager Client, and enforces required services to run and start as Automatic. The script should run in the system context on the computers you want to validate and fix. The script works with PowerShell version 2 and higher, and is tested on Windows 7 SP1, Windows 8., Windows 10. Windows Server 2012 R2 and Windows Server 2016.
This script was created after one of my customers experienced very bad patch compliance, and a lot of clients very not patched, or reported as compliant while not being patched at all. Our investigation discovered several root causes, and I created a tool to fix them all. After running this script on their computers, patch compliance increased significantly.
Note: This is the main page for ConfigMgr Client Health. It will always contain the latest information about the latest released version, and this is the place to find the most current documentation.
Latest version: 0.8.3 – Released 2020-11-15
Download location: GitHub
Note: Latest database version is 0.7.5. Upgrade from previous versions require a database upgrade. Copy / paste the content of “createdatabase.sql” to upgrade the database to the latest version.
Requirements
- PowerShell version 5.1 or higher
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Features
ConfigMgr Client Health detects and fixes following errors:
- ConfigMgr client is not installed.
- ConfigMgr client is assigned the correct site code.
- ConfigMgr client is upgraded to current version if not at specified minimum version.
- ConfigMgr client not able to forward state messages to management point.
- ConfigMgr client stuck in provisioning mode.
- ConfigMgr client maximum log file size.
- ConfigMgr client cache size. Fixed size (MB) or percentage of disk space.
- ConfigMgr client certificate error.
- ConfigMgr client hardware inventory not running.
- ConfigMgr client CcmSQLCE.log exists and client is not in debug mode.
- Corrupt WMI.
- DNS server record matches local IP’s
- Drivers – Reports faulty or missing drivers on client.
- Logging to SQL database and / or file share
- Pending reboot check
- User-friendly reboot of computer with 3rd party reboot app when in pending reboot or computer uptime is more than specified in config.
- Services for ConfigMgr client is not running or disabled.
- Other services can be specified to start and run and specific state.
- Windows Update Agent not working correctly, causing client not to receive patches.
- Windows Update Agent missing patches that fixes known bugs.
How to use ConfigMgr Client Health
This tool should be placed on a network share available to all clients where everyone have read access and only administrators have write access.
PowerShell.exe
-ExecutionPolicy
Bypass
-Noninteractive
-File
"\\Server\Share\ConfigMgrClientHealth.ps1"
-Config
"\\Server\Share\Config.xml"
-Webservice
"https://server.domain/ConfigMgrClientHealth"
The Powershell script need to run with at least Administrator privileges. WMI remediation only works if the script is run with SYSTEM privileges. I recommend you deploy a GPO that create a scheduled task running this script with highest privileges (SYSTEM), and that it’s run from a network share. The health check use very little resources on the client.
Check out my guide: Powershell script with arguments as a scheduled task for how to deploy ConfigMgr Client Health as a scheduled task with group policy.
Run CreateDatabase.sql on your SQL server to create the SQL database. ConfigMgr Client Health can update the database either by accessing it directly using the computer account, or use the new webservice. The script sends the result of the health check to a webservice using either http or https, and the webservice use a service account to to update the SQL database. Instructions for installing and configuring the webservice are included in the in the downloaded file.
For the script to update the database directly, the computer account requires db_datareader and db_datawriter roles on the ClientHealth database on the SQL Server. A suggestion is to use “domain\domain computers” group.
Note: Pending reboot check is only implemented for logging and reporting. ConfigMgr Client Health do not have any functionality implemented to automatically reboot computers. But a computer stuck in pending reboot can be difficult to patch.
Updates
Place your mandatory updates in the respective folders for the operating system and architecture. Make sure to share the root update folder to everyone and everyone have read access. ConfigMgr Client Health will check the folder for its operating system and architecture and install any patches you place there.
Unfortunately, I cannot add the updates together with my published tool due to license restrictions. But I recommend you download and add the following updates as they all fix problems with the Windows Update Agent. Computers missing these updates may experience problems scanning for and applying new patches.
Windows 7
- KB3138612
- KB3102810 https://support.microsoft.com/en-us/help/3102810/installing-and-searching-for-updates-is-slow-and-high-cpu-usage-occurs-in-windows-7-and-windows-server-2008-r2
Windows 8.1
Config.xml
ConfigMgr Client Health uses config.xml to configure its settings. Below is a picture of an example config.xml file.
LocalFiles
A path to a directory locally on the computer running the script where ConfigMgr Client Health will store temporary files. Default is C:\ClientHealth
Client
Settings to verify and enforce on the Configuration Manager Client
- Version: Minimum version of Configuration Manager Client to enforce. A client who is running a version greater than or equal the one specified in config.xml will not be upgraded, but any client running an older version will be upgraded to the client installation located in <ClientInstallProperty>/Source:</ClientInstallProperty>
- Sitecode: Configuration Manager Sitecode
- Domain: Verify the clients computer is a member of this domain.
- AutoUpgrade: True / False. ConfigMgr Client Health will upgrade the client only when this is set to true.
- CacheSize: Sets the required cache size for ConfigMgr client. A fixed number is read as KB. A number with % after is read as percentage of total disk space.
- Share: Fileshare where ConfigMgr client source files is located. It is used when client health is installing the ConfigMgr client for the first time, upgrade the client to minimum version, or reinstalling if determined necessary to fix serious errors.
- Log: MaxLogSize: Maximum log file size on ConfigMgr client. MaxLogHistory: Maximum log file history on client. Enable: Enable or disable this check.
Client Install Property
These are install properties used when ConfigMgr Client Health is reinstalling the configuration manager client on your Windows computer. You can add and remove as many as you want, and all official ccmsetup.exe switches are supported. For a full list of supported ccmsetup.exe switches: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties
Service
Services to enforce a specific startup type and running state on the client.
- Name: Name of service
- Startup type: Automatic, Manual, Disabled
- State: Running, Stopped
BITSCheck
Option to check and remediate if BITS have any jobs stuck with errors. Enabling this check may fix errors where downloads are stuck at 0% in software center.
- Enable: Enable or disable this component. Values: True / False.
- Fix: Script will fix any errors if set to True. Only logs errors if False. Values: True / False.
DNSCheck
Option to check if IP addresses registered on DNS server record matches local IP addresses on the computer. Will perform a Resolve-DNSClient if Powershell version 4 or higher, or IPConfig /RegisterDNS if Powershell version 3 or lower.
- Enable: Enable or disable this component. Values: True / False.
- Fix: Script will fix any errors if set to True. Only logs errors if False. Values: True / False.
Drivers
Option to check if local drivers are working as intended. Will report back devices with missing drivers or faulty driver.
- Enable: Enable or disable this component. Values: True / False.
Updates
ConfigMgr Client Health will detect operating system and architecture, and install all patches placed here for its operating system and architecture. A computer running Windows 7 64-bit will verify all patches in “\\CM01\ClientHealth$\Updates\Windows 7 64-Bit” are installed, and install those who are missing. This is a great way to install patches that fixes bugs in the Windows Update agent.
- Share: Fileshare where updates are located
- Fix: Script will fix any errors if set to True. Only logs errors if False. Values: True / False.
- Enable: Enable or disable this component. Values: True / False.
Logging
Data gathered by the ConfigMgr Client Health script is stored in ClientHealth database on the SQL server and / or log share specified in the config.xml file. The agent will always log the following events to log share if log share is enabled.
- Computer fails to connect to the SQL database.
- Driver error. The failed drivers are listed in the log file for the specific computers.
- DNS error. IP addresses from the DNS server and local computer is listed in the log file if the DNS check fails and reports Error in the database. Possible cause: DNS Server have an IP address registered that is not used by the computer.
Log settings
- Share: File share where logs are stored.
- Level: Depreciated
- MaxLogHistory: How many times the script will save its log history for the computer before it discards the log file and starts over.
- Enable: Enable or disable this component. Values: True / False.
PendingReboot
Component that detects if the computer is in a pending reboot state or not.
- StartRebootApplication: Setting to determince if ConfigMgr Client Health will start the reboot application if the computer is in a pending reboot state. Values: True / False
- Enable: Enable or disable this component. Values: True / False.
RebootApplication
A reboot application is a 3rd party application (or command) that will force a mandatory reboot of the computer. I recommend the use of Coretech’s Shutdown Tool to reboot computers as it gives the users a notice and opportunity to postpone the reboot.
- Application: UNC path to application file, or shutdown command.
- Enable: Enable or disable this component. Values: True / False.
Coretech Shutdown Tool: http://blog.coretech.dk/kea/new-version-of-the-coretech-shutdown-tool/
MaxRebootDays
This setting determines how many days a computer can be online before ConfigMgr Client Health will start the reboot application. This setting do nothing if RebootApplication is disabled.
OSDiskFreeSpace
Free space in percent on C: of the client. It’s recommended to have at least 10% free space on the OS drive.
HardwareInventory
ConfigMgr Hardware Inventory.
- Days: ConfigMgr Client Health will start a hardware inventory on the client if last execution time was more than the days specified in this setting.
- Enable: True / False
- Fix: Script will fix any errors if set to True. Only logs errors if False. Values: True / False.
SoftwareMetering
This setting enables a test and remediation on the software metering prep driver.
Remediation
These settings control what components ConfigMgr Client Health will validate and fix.
- AdminShare: Checks if Admin$ and C$ is shared and working correctly on the computer. Fix: True / False.
- ClientProvisioningMode: Checks if Configuration Manager Client is stuck in provisioningmode. Fix: True / False.
- ClientStateMessages: Fix: True / False.
- ClientWUAHandler: Fix: True / False.
- ClientCertificate: Fix: True / False. Checks if the PKI certificate used by ConfigMgr client is stored in the certificate store.
- WMI: Checks if WMI is corrupt. Fix: True / False.
SQL Database
Execute the SQL query stored s”Createdatabase.sql” on your SQL server to create the SQL database. This query will create the database if it doesn’t exist, or upgrade it to the current version if already present.
You also need to give the Active Directory group “domain computeres” datareader and datawriter rights on the database.
The table Clients contains the following information in the database:
- Hostname: Hostname of the computer.
- OperatingSystem: Operating system of the computer.
- Architecture: Operating system architecture.
- Build: Build number of the operating system.
- Manufacturer: Hardware Manufacturer.
- Model: Hardware Model.
- InstallDate: Date and time when the computer was installed.
- OSUpdates: Date and time when the computer installed its latest patch.
- LastLoggedOnUser: The username who last logged on the computer.
- ClientVersion: Configuration Manager Client Version.
- PSVersion: Powershell version.
- PSBuild PowerShell build number.
- Sitecode: Configuration Manager Client Sitecode.
- Domain: The domain the computer is joined to.
- MaxLogSize: Configuration Manager Client max size for log files.
- MaxLogHistory: Configuration Manager Client max number of log history files pr log file.
- CacheSize: Configuration Manager Client cache size.
- ClientCertificate: The state of the Configuration Manager client certificate check.
- Provisioning Mode: The state of the Configuration Manager Client provisioning mode check.
- DNS: The state of the DNS check. If ‘Error’, Verify specific log file for more information on this error. The DNS server have registered an IP address for the hostname that is not present on the specific computer, and the IP addresses are listed in the log file.
- Drivers: The state of the driver check. Verify specific log file for more information on this error. The drivers with errors are listed in the log file.
- Updates: The state of the update check. Updates attempted to install on last execution is listed here.
- Pending reboot. The state of the pending reboot check.
- LastBootTime: Last boot time of the computer.
- OSDiskFreeSpace: Free space in percent on the C: drive.
- Services: The state of the services check.
- AdminShare: The state of the AdminShare check.
- StateMesasges: The state of the StateMesasges check. Verifies that the client successfully sends state messages to the management point.
- WUAHandler: The state of the WUAHandler check. Performs check on Windows Update Agent Handler and registry.pol.
- WMI: The state of the WMI check.
- ClientInstalled. The date when ConfigMgr Client Health installed the Configuration Manager Client.
- Version: The version of ConfigMgr Client Health script executed by the computer.
- Timestamp: Latest execution time of the script.
- HWInventory: Latest timestamp when hardware inventory ran on the client.
- SWMetering: The state of the software metering check
- BITS: The state of the Background Intelligent Transfer Service check.
- Patchlevel. The current patchlevel of the device.
ConfigMgr Client Health Reports
Ben Morris have created a very cool report that you can import into SQL Server Reporting Sservices and SCCM. This is the same report that I used during my demo at System Center User Group Sweden.
Download: Technet Galleries
Useful SQL queries to run on the ClientHealth database
All computers, ordered by latest script execution time
SELECT * FROM dbo.Clients ORDER BY Timestamp DESC
Computers with less than 10% free space on C:
SELECT Hostname, OperatingSystem, InstallDate, LastLoggedOnUser, OSDiskFreeSpace FROM dbo.Clients WHERE OSDiskFreeSpace <=10 ORDER BY OSDiskFreeSpace ASC
Computers with low or no free space on C: can be hard to patch and deploy software to, but I do not want the client health script to attempt any auto-cleaning of files. Running this SQL query on the Client Health database lists all computers with 10% or less free space on C:. This is a list we send to our service desk, and they will help the users to clean up, or reinstall the computers.
Computers not patched in the latest 60 days
SELECT Hostname, OperatingSystem, InstallDate, OSUpdates, LastLoggedOnUser FROM dbo.Clients WHERE OSUpdates <= DATEADD(DAY, -60, GETDATE())
Computers who have not patched in 60 days or more should be investigated. This query gives you that list. The easy solution is to just reinstall the computers. The goal of ConfigMgr Client Health is to find as many causes as possible to why a computer is not patching, and automatically try to fix them. Please let me know if you find a root cause and fix not detected by this script and I would love to add it.
Right click tool console extension
The right click tool console extension makes it easy to remotely start ConfigMgr Client Health on devices and collections. It uses PowerShell to remotely start the scheduled task that executes ConfigMgr Client Health.
Windows Remote Management (WinRM) must be enabled on the devices for this console extension to work.
Use the PowerShell installer “Install.ps1” to install the right click tool console extension. The installer takes two arguments:
-Path
The path to where the console extension stores its assembly and scripts.
-ScheduledTaskName
The name of the scheduled task that starts ConfigMgr Client Health on your computers.
-MaxThreads
Optional parameter. Configures the maximum number of simultaneous threads when running against a collection of devices. Default value is 20.
Example:
Install.ps1 -Path "C:\Program Files\ConfigMgr Client Health Console Extension" -ScheduledTaskName "ConfigMgr Client Health" -MaxThreads 40
Webservice Troubleshooting
Edit web.config and change the setting: “stdoutLogEnabled” to True. Make sure the folder specified in “stdoutLogFile” exists. Log files with the specific errors are created in that folded if logging is enabled.
Webservice with SQL Express or different instance name.
Edit web.config and make sure connection string SQLDatabase specifies hostname\SQLexpress.
Note: I’m happy to help with issues you have implementing this script, please use the comment below for that. It helps me a lot if the post your operating system and what rights the script is running. Minimum required rights are local administrator, recommended is system.
Disclaimer from the legal department: This solution is provided AS-IS and comes with no warranties. Use at your own risk.
Hi, this is really interesting tool. should I create the database on the SCCM SQL server?
Hi,
We have implemented the script in our environment and is really good and providing good results.
Could you please help me on how to exclude the systems which are not ran by the scheduled task for n no of days. Because we are seeing lot of machines are decommissioned and still they are coming in the report.