ConfigMgr Client Health

ConfigMgr Client Health is a PowerShell script that validates and automatically fixes errors on Windows computers managed by Microsoft Configuration Manager. I created this tool after one of my customers experienced very poor patch compliance: many clients were not patched, or were reported as compliant while not being patched at all. Our investigation uncovered several root causes, and I created a tool to fix them all. After running this script on their computers, patch compliance increased significantly.

Note: This is the main page for ConfigMgr Client Health. It will always contain the latest information about the latest released version, and this is the place to find the most current documentation.

Latest version: 0.5.6 – Released 2017-03-21
Download location: Microsoft Technet Gallery

Requirements

  • PowerShell version 2 or higher
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Features

ConfigMgr Client Health detects and fixes the following errors:

  • ConfigMgr client is not installed.
  • ConfigMgr client is assigned the correct site code.
  • ConfigMgr client is upgraded to current version if not at specified minimum version.
  • ConfigMgr client not able to forward state messages to management point.
  • ConfigMgr client stuck in provisioning mode.
  • ConfigMgr client maximum log file size.
  • Corrupt WMI.
  • DNS server record matches local IPs
  • Drivers – Reports faulty or missing drivers on client.
  • Logging to fileshare
  • Pending reboot check
  • User-friendly reboot of computer with 3rd party reboot app when in pending reboot or computer uptime is more than specified in config.
  • Services for ConfigMgr client are not running or disabled.
  • Other services can be specified to start and run in a specific state.
  • Windows Update Agent not working correctly, causing client not to receive patches.
  • Windows Update Agent missing patches that fix known bugs.

How to use ConfigMgr Client Health

This tool should be placed on a network share available to all clients, where everyone has read access and only administrators have write access.

The PowerShell script needs to run with at least Administrator privileges. WMI remediation only works if the script is run with SYSTEM privileges. I recommend you deploy a GPO that creates a scheduled task running this script with highest privileges (SYSTEM), and that it is run from a network share. The health check uses very little resources on the client.

Check out my guide: Powershell script with arguments as a scheduled task for how to deploy ConfigMgr Client Health as a scheduled task with group policy.
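
Because the scheduled task runs the script from this share as SYSTEM, anyone who can modify files there controls code that runs as SYSTEM on every client. The following is an added example, not part of ConfigMgr Client Health, that lists NTFS Allow entries granting change rights to anyone other than SYSTEM, BUILTIN\Administrators and Domain Admins. The function name is hypothetical, the share path is the sample name used elsewhere on this page, and it needs PowerShell 3.0 or later on the workstation doing the audit.

```powershell
# Added example, not part of ConfigMgr Client Health. Requires PowerShell 3.0+.
# Checks NTFS permissions only; review share-level permissions on the file server.
function Get-UntrustedWriteAce {        # hypothetical name
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # SYSTEM and BUILTIN\Administrators; add the SIDs of your own admin groups.
        [string[]]$TrustedSid = @('S-1-5-18', 'S-1-5-32-544')
    )
    # Rights that allow replacing or tampering with a file or folder.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE and GENERIC_ALL can appear as raw bits in an ACE.
    $genericBits = 0x40000000 -bor 0x10000000

    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $sid = $rule.IdentityReference.Value
            # Domain Admins is the domain SID followed by RID 512.
            if ($TrustedSid -contains $sid -or $sid -match '^S-1-5-21-[\d-]+-512$') { continue }
            $rights = [int]$rule.FileSystemRights
            if (($rights -band $writeBits) -or ($rights -band $genericBits)) {
                # Show a readable account name when the SID can be resolved.
                $name = $sid
                try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $name
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Any row returned is a principal outside the trusted list that can alter what clients run.
Get-UntrustedWriteAce -Path '\\CM01\ClientHealth$' | Format-Table -AutoSize
```

If the log folder lives under the same share, its entries will be listed as well, since the account running the script needs change rights there.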

ConfigMgr Client Health example

Note: Pending reboot check is only implemented for logging and reporting. ConfigMgr Client Health does not have any functionality implemented to automatically reboot computers. But a computer stuck in pending reboot can be difficult to patch.

Updates

Place your mandatory updates in the respective folders for the operating system and architecture. Make sure the root update folder is shared and that everyone has read access. ConfigMgr Client Health will check the folder for its operating system and architecture and install any patches you place there.

ConfigMgr Client Health Update Folders

Unfortunately, I cannot add the updates together with my published tool due to license restrictions. But I recommend you download and add the following updates as they all fix problems with the Windows Update Agent. Computers missing these updates may experience problems scanning for and applying new patches.

Windows 7

Windows 8.1

Config.xml

ConfigMgr Client Health uses config.xml to configure its settings. Below is a picture of an example config.xml file.

ConfigMgr Client Health Configuration

Client

Settings to verify and enforce on the Configuration Manager Client

  • Version: Minimum version of Configuration Manager Client to enforce. A client running a version greater than or equal to the one specified in config.xml will not be upgraded, but any client running an older version will be upgraded to the client installation located in <ClientInstallProperty>/Source:</ClientInstallProperty>
  • Sitecode: Configuration Manager Sitecode
  • Domain: Verify the client computer is a member of this domain.
  • AutoUpgrade: True / False. ConfigMgr Client Health will upgrade the client only when this is set to true.
  • CacheSize: Sets the required cache size for ConfigMgr client.
  • Share: Fileshare where ConfigMgr client source files are located. It is used when client health is installing the ConfigMgr client for the first time, upgrading the client to the minimum version, or reinstalling it if determined necessary to fix serious errors.
  • Log: MaxLogSize: Maximum log file size on ConfigMgr client. MaxLogHistory: Maximum log file history on client. Enable: Enable or disable this check.

Client Install Property

These are install properties used when ConfigMgr Client Health is reinstalling the Configuration Manager client on your Windows computer. You can add and remove as many as you want, and all official ccmsetup.exe switches are supported. For a full list of supported ccmsetup.exe switches: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties

Service

Services to enforce a specific startup type and running state on the client.

  • Name: Name of service
  • Startuptype: Automatic, Manual, Disabled
  • State: Running, Stopped

DNSCheck

Option to check if the IP addresses registered in the DNS server record match the local IP addresses on the computer. Will perform a Resolv-DNSClient if PowerShell version 4 or higher, or IPConfig /RegisterDNS if PowerShell version 3 or lower.

  • Enable: Enable or disable this component. Values: True / False.

Drivers

Option to check if local drivers are working as intended. Will report back devices with missing or faulty drivers.

  • Enable: Enable or disable this component. Values: True / False.

Updates

ConfigMgr Client Health will detect the operating system and architecture, and install all patches placed here for its operating system and architecture. A computer running Windows 7 64-bit will verify all patches in “\\CM01\ClientHealth$\Updates\Windows 7 64-Bit” are installed, and install those that are missing. This is a great way to install patches that fix bugs in the Windows Update agent.

  • Share: Fileshare where updates are located
  • Enable: Enable or disable this component. Values: True / False.
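
A report-only sketch of the check described above, added here as an example and not taken from the script: it builds the folder name from the operating system caption and architecture, then lists staged .msu files whose KB number Get-HotFix does not report as installed. The function names, the assumption that each file name contains its KB number, and folder names other than “Windows 7 64-Bit” (derived by the same pattern) are assumptions.

```powershell
# Added example, not ConfigMgr Client Health's own code. Reports only; installs nothing.
function Get-UpdateFolderName {         # hypothetical name
    param([string]$Caption, [string]$Architecture)
    # 'Microsoft Windows 7 Enterprise'            -> 'Windows 7'
    # 'Microsoft Windows Server 2012 R2 Standard' -> 'Windows Server 2012 R2'
    if ($Caption -notmatch 'Windows (Server )?\d+(\.\d+)?( R2)?') {
        throw "Unrecognized operating system caption: $Caption"
    }
    $os = $Matches[0]
    # OSArchitecture is a localized string such as '64-bit'; only the number is tested.
    $bits = if ($Architecture -match '64') { '64-Bit' } else { '32-Bit' }
    "$os $bits"
}

function Get-MissingUpdate {            # hypothetical name
    param([Parameter(Mandatory = $true)][string]$UpdateShare)

    $os = Get-WmiObject -Class Win32_OperatingSystem
    $folder = Join-Path $UpdateShare (Get-UpdateFolderName $os.Caption $os.OSArchitecture)
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "No update folder found: $folder"
        return
    }

    # KB numbers Windows reports as installed, e.g. 'KB3138612'.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

    Get-ChildItem -LiteralPath $folder -Filter *.msu | ForEach-Object {
        if ($_.Name -match 'KB\d+') {
            $kb = $Matches[0].ToUpper()
            if ($installed -notcontains $kb) {
                New-Object PSObject -Property @{ KB = $kb; File = $_.FullName }
            }
        } else {
            # Assumption violated: the file name carries no KB number to compare.
            Write-Warning "Cannot determine KB number for $($_.Name)"
        }
    }
}

# Share path is the sample name used on this page.
Get-MissingUpdate -UpdateShare '\\CM01\ClientHealth$\Updates'
```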

Logging

Component that handles logging. Log files are generated by the health check script. The account running the script must have change rights on the share and write security permissions.

  • Share: Fileshare where logs are stored.
  • Level: Determines the level of logging. Full or default.
  • MaxLogHistory: How many times the script will save its log history for the computer before it discards the log file and starts over.
  • Enable: Enable or disable this component. Values: True / False.

PendingReboot

Component that detects if the computer is in a pending reboot state or not.

  • StartRebootApplication: Setting to determine if ConfigMgr Client Health will start the reboot application if the computer is in a pending reboot state. Values: True / False
  • Enable: Enable or disable this component. Values: True / False.

RebootApplication

A reboot application is a 3rd party application (or command) that will force a mandatory reboot of the computer. I recommend the use of Coretech’s Shutdown Tool to reboot computers as it gives the users a notice and opportunity to postpone the reboot.

  • Application: UNC path to application file, or shutdown command.
  • Enable: Enable or disable this component. Values: True / False.

Coretech Shutdown Tool: http://blog.coretech.dk/kea/new-version-of-the-coretech-shutdown-tool/

MaxRebootDays

This setting determines how many days a computer can be online before ConfigMgr Client Health will start the reboot application. This setting does nothing if RebootApplication is disabled.

Remediation

These settings control what components ConfigMgr Client Health will validate and fix.

  • AdminShare: Checks if Admin$ and C$ are shared and working correctly on the computer. Fix: True / False.
  • ClientProvisioningMode: Checks if Configuration Manager Client is stuck in provisioning mode. Fix: True / False.
  • ClientStateMessages: Fix: True / False.
  • ClientWUAHandler: Fix: True / False.
  • WMI: Checks if WMI is corrupt. Fix: True / False.

Note: I’m happy to help with issues you have implementing this script; please use the comments below for that. It helps me a lot if you post your operating system and what rights the script is running with. Minimum required rights are local administrator, recommended is SYSTEM.