Configuration Manager Client Health with PowerShell DSC
By Steve Bowman
Published September 2, 2014
Estimated Reading Time: 2 minutes

PowerShell Desired State Configuration is an extremely promising technology that was released as part of PowerShell 3.0 and has continued to make improvements in PowerShell 4.0.  DSC can be used to not only detect problems with configuration drift but also to completely configure a system according to your exact specifications.  You can perform checks on the Registry, files, groups and users, adding or removing server roles, and even installing software.

 
 

I recently was challenged with using DSC to look at System Center Configuration Manager client health.  There have been quite a few great examples of VBscripts or PowerShell scripts over the past few years that do a great job.  Many of those scripts are hundreds of lines long and have a lot of logic to detect problems with the Configuration Manager client.  One of the most comprehensive solutions was written by Dan Thomson and is available on CodePlex.

 
 

One of the biggest advantages of using PowerShell DSC over traditional scripts is that all of the logic for doing things like checking for services, registry settings, software installation, etc. is built right into the product.  So all you have to do is write the specifications for what you want to check and DSC does the rest for you.

 
 

After learning the basics of DSC in a couple of hours I looked through Dan’s scripts and pulled out  most of the health check items and created this simple DSC configuration file.  This accomplishes most of what other scripts accomplish in less than 100 lines!

In this script I have made the installation of the SCCM client install with parameters mandatory.  So if the client is not installed it will be installed.  Once the client is installed all of the services and registry entries are checked and will be fixed automatically every 30 minutes if there is “drift” from the settings.

 
 

Here is my configuration script:

 
Configuration ConfigMgrHealthCheck
{

[Parameter(Mandatory=$True)]
[string]$CMInstallArguments

Package ConfigMgrClient
{
Ensure = “Present”
Path = “\\modelsc02\smsClient\ccmsetup.exe”
Arguments = $CMInstallArguments
Name = “Configuration Manager Client”
# Logpath = “c:\users\tim.mintner\desktop”
ProductId = “D6804B3A-BFEC-4AB4-BFA5-FD9BECC80630”
}

Service BITS
{
Name = “BITS”
StartupType = “Automatic”
State = “Running”
}

Service winmgmt
{
Name = “winmgmt”
StartupType = “Automatic”
State = “Running”
}

Service wuauserv
{
Name = “wuauserv”
StartupType = “Automatic”
State = “Running”
}

Service lanmanserver
{
Name = “lanmanserver”
StartupType = “Automatic”
State = “Running”
}

Service RpcSs
{
Name = “RpcSs”
StartupType = “Automatic”
State = “Running”
}

Service ccmexec
{
Name = “ccmexec”
StartupType = “Automatic”
State = “Running”
}

Service lanmanworkstation
{
Name = “lanmanworkstation”
StartupType = “Automatic”
State = “Running”
}
Service CryptSvc
{
Name = “CryptSvc”
StartupType = “Automatic”
State = “Running”
}
Service ProtectedStorage
{
Name = “ProtectedStorage”
StartupType = “Automatic”
State = “Running”
}
Service PolicyAgent
{
Name = “PolicyAgent”
StartupType = “Automatic”
State = “Running”
}
Service RemoteRegistry
{
Name = “RemoteRegistry”
StartupType = “Automatic”
State = “Running”
}

Registry EnableDCOM
{
Ensure = “Present”
Key = “HKEY_Local_Machine\SOFTWARE\Microsoft\Ole”
ValueName = “EnableDCOM”
ValueData = “Y”
Force = $true

}

}

ConfigMgrHealthCheck -CMInstallArguments “/mp:modelsc02” -OutputPath .\
#Start-DscConfiguration -path .\ -verbose

 

By no means is this a perfect client health script.  One thing it does not do is check for WMI corruption.  Part of the reason for that is that DSC is dependent on WMI so if WMI is broken DSC would not function.

 

Hopefully this will show you both the power and simplicity of DSC and you can start creating your own configurations.

 

Tim Mintner

Post Tags: client health | DSC | powershell | SCCM
Article By Steve Bowman
Steve Bowman is a Partner at Model Technology as well as their Vice President of Sales and Marketing. Steve is a father, husband, Franciscan, and lover of technology. He's bilingual in business and technology and have over 30 years of experience in selling enterprise technology solutions in a variety of industries.

Related Posts

Paying high cyber-insurance premiums?

Prove you’re cyber-ready and reduce your premiums through our NIST-based cybersecurity assessment. Then make the most of your assessment results through monthly consulting sessions with our vCISO Director of Cybersecurity.

Learn More