ConfigMgr Client Health

ConfigMgr Client Health is a PowerShell script that increased our patch compliance from 85% to 99%. It detects and fixes known errors in Windows and the Configuration Manager Client, and enforces required services to run and start as Automatic. The script should run in the system context on the computers you want to validate and fix. The script works with PowerShell version 2 and higher, and is tested on Windows 7 SP1, Windows 8.1 and Windows 10.

This script was created after one of my customers experienced very bad patch compliance, and a lot of clients very not patched, or reported as compliant while not being patched at all. Our investigation discovered several root causes, and I created a tool to fix them all. After running this script on their computers, patch compliance increased significantly.

Note: This is the main page for ConfigMgr Client Health. It will always contain the latest information about the latest released version, and this is the place to find the most current documentation.

Latest version: 0.6.0 – Released 2017-04-24
Download location: Microsoft  Technet Gallery

Requirements

  • Powershell version 2 or higher
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Features

ConfigMgr Client Health detects and fixes following errors:

  • ConfigMgr client is not installed.
  • ConfigMgr client is assigned the correct site code.
  • ConfigMgr client is upgraded to current version if not at specified minimum version.
  • ConfigMgr client not able to forward state messages to management point.
  • ConfigMgr client stuck in provisioning mode.
  • ConfigMgr client maximum log file size.
  • ConfigMgr client cache size. Fixed size (MB) or percentage of disk space.
  • ConfigMgr client certificate error.
  • Corrupt WMI.
  • DNS server record matches local IP’s
  • Drivers – Reports faulty or missing drivers on client.
  • Logging to SQL database
  • Pending reboot check
  • User-friendly reboot of computer with 3rd party reboot app when in pending reboot or computer uptime is more than specified in config.
  • Services for ConfigMgr client is not running or disabled.
  • Other services can be specified to start and run and specific state.
  • Windows Update Agent not working correctly, causing client not to receive patches.
  • Windows Update Agent missing patches that fixes known bugs.

How to use ConfigMgr Client Health

This tool should be placed on a network share available to all clients where everyone have read access and only administrators have write access.

The Powershell script need to run with at least Administrator privileges. WMI remediation only works if the script is run with SYSTEM privileges. I recommend you deploy a GPO that create a scheduled task running this script with highest privileges (SYSTEM), and that it’s run from a network share. The health check use very little resources on the client.

Check out my guide: Powershell script with arguments as a scheduled task for how to deploy ConfigMgr Client Health as a scheduled task with group policy.

Run CreateDatabase.ps1 on your SQL server to create the SQL database. ConfigMgr Client Health requires computer account of the computer running the health check to have datareader and datawriter roles on the ClientHealth database. CreateDatabase.ps1 grants the Active Directory group “Domain Computers” these rights to the ClientHealth database.

ConfigMgr Client Health example

Note: Pending reboot check is only implemented for logging and reporting. ConfigMgr Client Health do not have any functionality implemented to automatically reboot computers. But a computer stuck in pending reboot can be difficult to patch.

Updates

Place your mandatory updates in the respective folders for the operating system and architecture. Make sure to share the root update folder to everyone and everyone have read access. ConfigMgr Client Health will check the folder for its operating system and architecture and install any patches you place there.

ConfigMgr Client Health Update Folders

Unfortunately, I cannot add the updates together with my published tool due to license restrictions. But I recommend you download and add the following updates as they all fix problems with the Windows Update Agent. Computers missing these updates may experience problems scanning for and applying new patches.

Windows 7

Windows 8.1

Config.xml

ConfigMgr Client Health uses config.xml to configure its settings. Below is a picture of an example config.xml file.

Client

Settings to verify and enforce on the Configuration Manager Client

  • Version: Minimum version of Configuration Manager Client to enforce. A client who is running a version greater than or equal the one specified in config.xml will not be upgraded, but any client running an older version will be upgraded to the client installation located in <ClientInstallProperty>/Source:</ClientInstallProperty>
  • Sitecode: Configuration Manager Sitecode
  • Domain: Verify the clients computer is a member of this domain.
  • AutoUpgrade: True / False. ConfigMgr Client Health will upgrade the client only when this is set to true.
  • CacheSize: Sets the required cache size for ConfigMgr client. A fixed number is read as KB. A number with % after is read as percentage of total disk space.
  • Share: Fileshare where ConfigMgr client source files is located. It is used when client health is installing the ConfigMgr client for the first time, upgrade the client to minimum version, or reinstalling if determined necessary to fix serious errors.
  • Log: MaxLogSize: Maximum log file size on ConfigMgr client. MaxLogHistory: Maximum log file history on client. Enable: Enable or disable this check.

Client Install Property

These are install properties used when ConfigMgr Client Health is reinstalling the configuration manager client on your Windows computer. You can add and remove as many as you want, and all official ccmsetup.exe switches are supported. For a full list of supported ccmsetup.exe switches: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties

Service

Services to enforce a specific startup type and running state on the client.

  • Name: Name of service
  • Startuptype: Autoamtic, Manual, Disabled
  • State: Running, Stopped

DNSCheck

Option to check if IP addresses registered on DNS server record matches local IP adresses on the computer. Will perform a Resolv-DNSClient if Powershell version 4 or higher, or IPConfig /RegisterDNS if Powershell version 3 or lower.

  • Enable: Enable or disable this component. Values: True / False.

Drivers

Option to check if local drivers are working as intended. Will report back devices with missing drivers or faulty driver.

  • Enable: Enable or disable this component. Values: True / False.

Updates

ConfigMgr Client Health will detect operating system and architecture, and install all patches placed here for its operating system and architecture. A computer running Windows 7 64-bit will verify all patches in “\\CM01\ClientHealth$\Updates\Windows 7 64-Bit” are installed, and install those who are missing. This is a great way to install patches that fixes bugs in the Windows Update agent.

  • Share: Fileshare where updates are located
  • Enable: Enable or disable this component. Values: True / False.

Logging

Data gathered by the ConfigMgr Client Health script is stored in ClientHealth database on the SQL server specified in the config.xml file. Logging to file share is still done under these specific conditions:

  • Computer fails to connect to the SQL database.
  • Driver error. The failed drivers are listed in the log file for the specific computers.
  • DNS error. IP addresses from the DNS server and local computer is listed in the log file if the DNS check fails and reports Error in the database. Possible cause: DNS Server have an IP address registered that is not used by the computer.

Log settings

  • Share: File share where logs are stored.
  • Level: Depreciated
  • MaxLogHistory: How many times the script will save its log history for the computer before it discards the log file and starts over.
  • Enable: Enable or disable this component. Values: True / False.

PendingReboot

Component that detects if the computer is in a pending reboot state or not.

  • StartRebootApplication: Setting to determince if ConfigMgr Client Health will start the reboot application if the computer is in a pending reboot state. Values: True / False
  • Enable: Enable or disable this component. Values: True / False.

RebootApplication

A reboot application is a 3rd party application (or command) that will force a mandatory reboot of the computer. I recommend the use of Coretech’s Shutdown Tool to reboot computers as it gives the users a notice and opportunity to postpone the reboot.

  • Application: UNC path to application file, or shutdown command.
  • Enable: Enable or disable this component. Values: True / False.

Coretech Shutdown Tool: http://blog.coretech.dk/kea/new-version-of-the-coretech-shutdown-tool/

MaxRebootDays

This setting determines how many days a computer can be online before ConfigMgr Client Health will start the reboot application. This setting do nothing if RebootApplication is disabled.

Remediation

These settings control what components ConfigMgr Client Health will validate and fix.

  • AdminShare: Checks if Admin$ and C$ is shared and working correctly on the computer. Fix: True / False.
  • ClientProvisioningMode: Checks if Configuration Manager Client is stuck in provisioningmode. Fix: True / False.
  • ClientStateMessages: Fix: True / False.
  • ClientWUAHandler: Fix: True / False.
  • ClientCertificate: Fix: True / False. Checks if the PKI certificate used by ConfigMgr client is stored in the certificate store.
  • WMI: Checks if WMI is corrupt. Fix: True / False.

 

SQL Database

  • Hostname: Hostname of the computer.
  • OperatingSystem: Operating system of the computer.
  • Architecture: Operating system architecture.
  • Build: Build number of the operating system.
  • Manufacturer: Hardware Manufacturer.
  • Model: Hardware Model.
  • InstallDate: Date and time when the computer was installed.
  • OSUpdates: Date and time when the computer installed its latest patch.
  • LastLoggedOnUser: The username who last logged on the computer.
  • ClientVersion: Configuration Manager Client Version.
  • PSVersion: Powershell version.
  • PSBuild PowerShell build number.
  • Sitecode: Configuration Manager Client Sitecode.
  • Domain: The domain the computer is joined to.
  • MaxLogSize: Configuration Manager Client max size for log files.
  • MaxLogHistory: Configuration Manager Client max number of log history files pr log file.
  • CacheSize: Configuration Manager Client cache size.
  • ClientCertificate: The state of the Configuration Manager client certificate check.
  • Provisioning Mode: The state of the Configuration Manager Client provisioning mode check.
  • DNS: The state of the DNS check. If ‘Error’, Verify specific log file for more information on this error. The DNS server have registered an IP address for the hostname that is not present on the specific computer, and the IP addresses are listed in the log file.
  • Drivers: The state of the driver check. Verify specific log file for more information on this error. The drivers with errors are listed in the log file.
  • Updates: The state of the update check. Updates attempted to install on last execution is listed here.
  • Pending reboot. The state of the pending reboot check.
  • LastBootTime: Last boot time of the computer.
  • OSDiskFreeSpace: Free space in percent on the C: drive.
  • Services: The state of the services check.
  • AdminShare: The state of the AdminShare check.
  • StateMesasges: The state of the StateMesasges check.
  • WUAHandler: The state of the WUAHandler check.
  • WMI: The state of the WMI check.
  • ClientInstalled. The date when ConfigMgr Client Health installed the Configuration Manager Client.
  • Version: The version of ConfigMgr Client Health script executed by the computer.
  • Timestamp: Latest execution time of the script.

 

Useful SQL queries to run on the ClientHealth database

All computers, ordered by latest script execution time

Computers with less than 10% free space on C:

Computers with low or no free space on C: can be hard to patch and deploy software to, but I do not want the client health script to attempt any auto-cleaning of files. Running this SQL query on the Client Health database lists all computers with 10% or less free space on C:. This is a list we send to our service desk, and they will help the users to clean up, or reinstall the computers.

Computers not patched in the latest 60 days

Computers who have not patched in 60 days or more should be investigated. This query gives you that list. The easy solution is to just reinstall the computers. The goal of ConfigMgr Client Health is to find as many causes as possible to why a computer is not patching, and automatically try to fix them. Please let me know if you find a root cause and fix not detected by this script and I would love to add it.

 

Note: I’m happy to help with issues you have implementing this script, please use the comment below for that. It helps me a lot if the post your operating system and what rights the script is running. Minimum required rights are local administrator, recommended is system.