ConfigMgr Client Health - Improve Patch

Compliance
ConfigMgr Client Health is a PowerShell script that increased our patch compliance from 85% to
99%. It detects and fixes known errors in Windows and the Configuration Manager Client, and
enforces required services to run and start as Automatic. The script should run in the system context
on the computers you want to validate and fix. The script works with PowerShell version 2 and higher,
and is tested on Windows 7 SP1, Windows 8.1 and Windows 10.

This script was created after one of my customers experienced very bad patch compliance, and a lot of
clients very not patched, or reported as compliant while not being patched at all. Our investigation
discovered several root causes, and I created a tool to fix them all. After running this script on their
computers, patch compliance increased significantly.

Note: This is the main page for ConfigMgr Client Health. It will always contain the latest
information about the latest released version, and this is the place to find the most
current documentation.

Latest version: 0.7.2 – Released 2017-10-24

Download location: Microsoft Technet Galleries

Note: Latest database version is 0.7.0. Upgrade from version 0.7.0 and higher do no not require a
database upgrade. Upgrading from older versions of ConfigMgr Client Health requires database
upgrade. Copy / paste the content of “createdatabase.sql” to upgrade the database to the latest version.

Requirements
Powershell version 2 or higher
Windows 7
Windows 8
Windows 8.1
Windows 10
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

Features
ConfigMgr Client Health detects and fixes following errors:

ConfigMgr client is not installed.

ConfigMgr client is assigned the correct site code.
ConfigMgr client is upgraded to current version if not at specified minimum version.
ConfigMgr client not able to forward state messages to management point.
ConfigMgr client stuck in provisioning mode.
ConfigMgr client maximum log file size.
ConfigMgr client cache size. Fixed size (MB) or percentage of disk space.
ConfigMgr client certificate error.
ConfigMgr client hardware inventory not running.
ConfigMgr client CcmSQLCE.log exists and client is not in debug mode.
Corrupt WMI.
DNS server record matches local IP’s
Drivers – Reports faulty or missing drivers on client.
Logging to SQL database and / or file share
Pending reboot check
User-friendly reboot of computer with 3rd party reboot app when in pending reboot or computer
uptime is more than specified in config.
Services for ConfigMgr client is not running or disabled.
Other services can be specified to start and run and specific state.
Windows Update Agent not working correctly, causing client not to receive patches.
Windows Update Agent missing patches that fixes known bugs.

How to use ConfigMgr Client Health

This tool should be placed on a network share available to all clients where everyone have read access
and only administrators have write access.

PowerShell.exe -
ExecutionPolicy

PowerShell.exe -ExecutionPolicy Bypass -Noninteractive -File

"\\Server\Share\ConfigMgrClientHealth.ps1" -Config "\\Server\Share\Config.xml"

The Powershell script need to run with at least Administrator privileges. WMI remediation only works
if the script is run with SYSTEM privileges. I recommend you deploy a GPO that create a scheduled
task running this script with highest privileges (SYSTEM), and that it’s run from a network share. The
health check use very little resources on the client.

Check out my guide: Powershell script with arguments as a scheduled task for how to deploy
ConfigMgr Client Health as a scheduled task with group policy.

Run CreateDatabase.sql on your SQL server to create the SQL database. ConfigMgr Client Health
requires the computer account of the computer running the health check to have datareader and
datawriter roles on the ClientHealth database. A suggestion is to use “domain\domain computers”
group.
Note: Pending reboot check is only implemented for logging and reporting. ConfigMgr Client Health
do not have any functionality implemented to automatically reboot computers. But a computer stuck
in pending reboot can be difficult to patch.

Updates
Place your mandatory updates in the respective folders for the operating system and architecture.
Make sure to share the root update folder to everyone and everyone have read access. ConfigMgr
Client Health will check the folder for its operating system and architecture and install any patches
you place there.

Unfortunately, I cannot add the updates together with my published tool due to license restrictions. But
I recommend you download and add the following updates as they all fix problems with the Windows
Update Agent. Computers missing these updates may experience problems scanning for and applying
new patches.

Windows 7

Windows 8.1

Config.xml

ConfigMgr Client Health uses config.xml to configure its settings. Below is a picture of an example
config.xml file.
Client

Settings to verify and enforce on the Configuration Manager Client

Version: Minimum version of Configuration Manager Client to enforce. A client who is running
a version greater than or equal the one specified in config.xml will not be upgraded, but any
client running an older version will be upgraded to the client installation located in
<ClientInstallProperty>/Source:</ClientInstallProperty>
Sitecode: Configuration Manager Sitecode
Domain: Verify the clients computer is a member of this domain.
AutoUpgrade: True / False. ConfigMgr Client Health will upgrade the client only when this is
set to true.
CacheSize: Sets the required cache size for ConfigMgr client. A fixed number is read as KB. A
number with % after is read as percentage of total disk space.
Share: Fileshare where ConfigMgr client source files is located. It is used when client health is
installing the ConfigMgr client for the first time, upgrade the client to minimum version, or
reinstalling if determined necessary to fix serious errors.
Log: MaxLogSize: Maximum log file size on ConfigMgr client. MaxLogHistory: Maximum log
file history on client. Enable: Enable or disable this check.

Client Install Property

These are install properties used when ConfigMgr Client Health is reinstalling the configuration
manager client on your Windows computer. You can add and remove as many as you want, and all
official ccmsetup.exe switches are supported. For a full list of supported ccmsetup.exe
switches: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-
properties

Service

Services to enforce a specific startup type and running state on the client.
Name: Name of service
Startup type: Automatic, Manual, Disabled
State: Running, Stopped

BITSCheck

Option to check and remediate if BITS have any jobs stuck with errors. Enabling this check may fix
errors where downloads are stuck at 0% in software center.

Enable: Enable or disable this component. Values: True / False.

Fix: Script will fix any errors if set to True. Only logs errors if False. Values: True / False.

DNSCheck

Option to check if IP addresses registered on DNS server record matches local IP addresses on the
computer. Will perform a Resolve-DNSClient if Powershell version 4 or higher, or IPConfig
/RegisterDNS if Powershell version 3 or lower.

Enable: Enable or disable this component. Values: True / False.

Fix: Script will fix any errors if set to True. Only logs errors if False. Values: True / False.

Drivers

Option to check if local drivers are working as intended. Will report back devices with missing drivers
or faulty driver.

Enable: Enable or disable this component. Values: True / False.

Updates

ConfigMgr Client Health will detect operating system and architecture, and install all patches placed
here for its operating system and architecture. A computer running Windows 7 64-bit will verify all
patches in “\\CM01\ClientHealth$\Updates\Windows 7 64-Bit” are installed, and install those who are
missing. This is a great way to install patches that fixes bugs in the Windows Update agent.

Share: Fileshare where updates are located

Fix: Script will fix any errors if set to True. Only logs errors if False. Values: True / False.
Enable: Enable or disable this component. Values: True / False.

Logging

Data gathered by the ConfigMgr Client Health script is stored in ClientHealth database on the SQL
server and / or log share specified in the config.xml file. The agent will always log the following
events to log share if log share is enabled.

Computer fails to connect to the SQL database.

Driver error. The failed drivers are listed in the log file for the specific computers.
DNS error. IP addresses from the DNS server and local computer is listed in the log file if the
DNS check fails and reports Error in the database. Possible cause: DNS Server have an IP
address registered that is not used by the computer.

Log settings
Share: File share where logs are stored.
Level: Depreciated
MaxLogHistory: How many times the script will save its log history for the computer before it
discards the log file and starts over.
Enable: Enable or disable this component. Values: True / False.

PendingReboot

Component that detects if the computer is in a pending reboot state or not.

StartRebootApplication: Setting to determince if ConfigMgr Client Health will start the reboot
application if the computer is in a pending reboot state. Values: True / False
Enable: Enable or disable this component. Values: True / False.

RebootApplication

A reboot application is a 3rd party application (or command) that will force a mandatory reboot of the
computer. I recommend the use of Coretech’s Shutdown Tool to reboot computers as it gives the users
a notice and opportunity to postpone the reboot.

Application: UNC path to application file, or shutdown command.

Enable: Enable or disable this component. Values: True / False.

Coretech Shutdown Tool: http://blog.coretech.dk/kea/new-version-of-the-coretech-shutdown-tool/

MaxRebootDays

This setting determines how many days a computer can be online before ConfigMgr Client Health will
start the reboot application. This setting do nothing if RebootApplication is disabled.

OSDiskFreeSpace

Free space in percent on C: of the client. It’s recommended to have at least 10% free space on the OS
drive.

HardwareInventory

ConfigMgr Hardware Inventory.

Days: ConfigMgr Client Health will start a hardware inventory on the client if last execution
time was more than the days specified in this setting.
Enable: True / False
Fix: Script will fix any errors if set to True. Only logs errors if False. Values: True / False.

SoftwareMetering

This setting enables a test and remediation on the software metering prep driver.

Remediation

These settings control what components ConfigMgr Client Health will validate and fix.
AdminShare: Checks if Admin$ and C$ is shared and working correctly on the computer. Fix:
True / False.
ClientProvisioningMode: Checks if Configuration Manager Client is stuck in provisioningmode.
Fix: True / False.
ClientStateMessages: Fix: True / False.
ClientWUAHandler: Fix: True / False.
ClientCertificate: Fix: True / False. Checks if the PKI certificate used by ConfigMgr client is
stored in the certificate store.
WMI: Checks if WMI is corrupt. Fix: True / False.

SQL Database
Execute the SQL query stored s”Createdatabase.sql” on your SQL server to create the SQL database.
This query will create the database if it doesn’t exist, or upgrade it to the current version if already
present.

You also need to give the Active Directory group “domain computeres” datareader and datawriter
rights on the database.

The table Clients contains the following information in the database:

Hostname: Hostname of the computer.

OperatingSystem: Operating system of the computer.
Architecture: Operating system architecture.
Build: Build number of the operating system.
Manufacturer: Hardware Manufacturer.
Model: Hardware Model.
InstallDate: Date and time when the computer was installed.
OSUpdates: Date and time when the computer installed its latest patch.
LastLoggedOnUser: The username who last logged on the computer.
ClientVersion: Configuration Manager Client Version.
PSVersion: Powershell version.
PSBuild PowerShell build number.
Sitecode: Configuration Manager Client Sitecode.
Domain: The domain the computer is joined to.
MaxLogSize: Configuration Manager Client max size for log files.
MaxLogHistory: Configuration Manager Client max number of log history files pr log file.
CacheSize: Configuration Manager Client cache size.
ClientCertificate: The state of the Configuration Manager client certificate check.
Provisioning Mode: The state of the Configuration Manager Client provisioning mode check.
DNS: The state of the DNS check. If ‘Error’, Verify specific log file for more information on
this error. The DNS server have registered an IP address for the hostname that is not present on
the specific computer, and the IP addresses are listed in the log file.
Drivers: The state of the driver check. Verify specific log file for more information on this error.
The drivers with errors are listed in the log file.
Updates: The state of the update check. Updates attempted to install on last execution is listed
here.
Pending reboot. The state of the pending reboot check.
LastBootTime: Last boot time of the computer.
OSDiskFreeSpace: Free space in percent on the C: drive.
Services: The state of the services check.
AdminShare: The state of the AdminShare check.
StateMesasges: The state of the StateMesasges check. Verifies that the client successfully sends
state messages to the management point.
WUAHandler: The state of the WUAHandler check. Performs check on Windows Update Agent
Handler and registry.pol.
WMI: The state of the WMI check.
ClientInstalled. The date when ConfigMgr Client Health installed the Configuration Manager
Client.
Version: The version of ConfigMgr Client Health script executed by the computer.
Timestamp: Latest execution time of the script.
HWInventory: Latest timestamp when hardware inventory ran on the client.
SWMetering: The state of the software metering check
BITS: The state of the Background Intelligent Transfer Service check.
Patchlevel. The current patchlevel of the device.

ConfigMgr Client Health Reports

Ben Morris have created a very cool report that you can import into SQL Server Reporting Sservices
and SCCM. This is the same report that I used during my demo at System Center User Group Sweden.

Download: Technet Galleries

Useful SQL queries to run on the ClientHealth database

All computers, ordered by latest script execution time

SELECT * FROM
dbo.Clients ORDER

SELECT * FROM dbo.Clients ORDER BY Timestamp DESC

Computers with less than 10% free space on C:

SELECT Hostname,
OperatingSystem,

SELECT Hostname, OperatingSystem, InstallDate, LastLoggedOnUser, OSDiskFreeSpace FROM

dbo.Clients WHERE OSDiskFreeSpace <=10 ORDER BY OSDiskFreeSpace ASC

Computers with low or no free space on C: can be hard to patch and deploy software to, but I do not
want the client health script to attempt any auto-cleaning of files. Running this SQL query on the
Client Health database lists all computers with 10% or less free space on C:. This is a list we send to
our service desk, and they will help the users to clean up, or reinstall the computers.

Computers not patched in the latest 60 days

SELECT Hostname,
OperatingSystem,

SELECT Hostname, OperatingSystem, InstallDate, OSUpdates, LastLoggedOnUser FROM

dbo.Clients WHERE OSUpdates <= DATEADD(DAY, -60, GETDATE())

Computers who have not patched in 60 days or more should be investigated. This query gives you that
list. The easy solution is to just reinstall the computers. The goal of ConfigMgr Client Health is to find
as many causes as possible to why a computer is not patching, and automatically try to fix them.
Please let me know if you find a root cause and fix not detected by this script and I would love to add
it.

Right click tool console extension

The right click tool console extension makes it easy to remotely start ConfigMgr Client Health on
devices and collections. It uses PowerShell to remotely start the scheduled task that executes
ConfigMgr Client Health.

Windows Remote Management (WinRM) must be enabled on the devices for this console extension to
work.
Use the PowerShell installer “Install.ps1” to install the right click tool console extension. The installer
takes two arguments:

-Path
The path to where the console extension stores its assembly and scripts.

-ScheduledTaskName
The name of the scheduled task that starts ConfigMgr Client Health on your computers.

-MaxThreads
Optional parameter. Configures the maximum number of simultaneous threads when running against a
collection of devices. Default value is 20.

Example:

Install.ps1 -Path
"C:\Program

Install.ps1 -Path "C:\Program Files\ConfigMgr Client Health Console Extension" -

ScheduledTaskName "ConfigMgr Client Health" -MaxThreads 40

Note: I’m happy to help with issues you have implementing this script, please use the comment below
for that. It helps me a lot if the post your operating system and what rights the script is running.
Minimum required rights are local administrator, recommended is system.

This solution is provided AS-IS and comes with no warranties. Use at your own risk.
Excerpted from ConfigMgr Client Health - Improve Patch Compliance
https://www.andersrodland.com/configmgr-client-health/