PowerShell Discovery script

  • Question

  • Hello,

    I am currently working on some configuration items and I am having some problems with my discovery script. Basically, I'm trying to see if a file exists, and run the remediation script if it doesn't. Here is my discovery script:

    Function Check-Path {
        $return = Test-Path 'C:\Users\Public\Desktop\File.txt'
        return $return
    }

    Function Check-True {
        if (Check-Path) {
            Return $true
        } else {
            Return $false
        }
    }
     
    Return Check-True

    Now I can't tell if this script is working correctly or not through Config manager. When I run it locally, it does detect if the file exists. The part I'm not sure on is the text that says, "Use the echo command to return the script value to Configuration Manager" in the Edit discovery script window. I'm not sure what result it is expecting.

    Since it is a Boolean, it should be just looking for a true or false, but when the file is absent, it isn't running the remediation script. (Here is the sanitized remediation script)

    Copy-Item '\\server\publicshare\file' -Destination "C:\Users\Public\Desktop"

    Here are the settings for my compliance rules:

    I'm guessing that the discovery script isn't sending the correct information to Config Manager in order to detect if the file exists. Please let me know if you need more information.

    Thanks,

    Ed

    Tuesday, July 21, 2015 6:41 PM

Answers

  • PowerShell will return an exit code when it's done running. If it was a success it would return 0.

    So I would change the data type to Integer.

    The returned value of the script should be equal to 0 for compliance.

    I would change the script to this 

    if(!(Test-Path C:\Users\Public\Desktop\File.txt)){exit 1}
    exit 0

    You test to see if it doesn't exist, and if it doesn't exist the script will end with 1, which tells SCCM that the compliance is not OK.

    This is the way I always did my compliance since PowerShell compliance.

    You will find good info about it here: http://blog.kloud.com.au/2014/08/12/powershell-detection-method-for-sccm-2012-application-compliance-management/
    Thursday, July 23, 2015 2:34 PM

All replies

  • The script is run in system context so \\server\publicshare will be accessed by using the computer account of the client. Would a client be able to access it?

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, July 21, 2015 7:07 PM
  • The easiest method to see what's working is to go to the client machine and open the Configuration Manager Properties. Go to the tab Configurations and use View Report for your configuration baseline.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Tuesday, July 21, 2015 7:08 PM
  • The script is run in system context so \\server\publicshare will be accessed by using the computer account of the client. Would a client be able to access it?

    Torsten Meringer | http://www.mssccmfaq.de

    Torsten, yes that share is accessible to everyone that has a domain account. The client I am testing on is using my credentials.

    Wednesday, July 22, 2015 11:09 AM
  • The easiest method to see what's working is to go to the client machine and open the Configuration Manager Properties. Go to the tab Configurations and use View Report for your configuration baseline.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Fantastic, thank you. I'm still pretty new to Config manager so I didn't know this existed. The error I get is as follows:

    Wednesday, July 22, 2015 11:12 AM
  • Take a look at the client log files for more information about the failure. The related log files are mentioned here: https://technet.microsoft.com/en-us/library/hh427342.aspx?#BKMK_CompSettingsLog

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Wednesday, July 22, 2015 12:37 PM
  • Take a look at the client log files for more information about the failure. The related log files are mentioned here: https://technet.microsoft.com/en-us/library/hh427342.aspx?#BKMK_CompSettingsLog

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Thanks for the link to the log files, but I may have found something else that may be blocking the script from running. I have the execution policy in the Config Manager client settings set to Bypass. However, when I run Get-ExecutionPolicy on the client machine, here are my results:

    So it looks like Group Policy is overriding the settings in the Config Manager client settings. As far as I know there are two ways to get around this.

    1. Set the execution policy via GPO to bypass. From what I understand, that is not a good idea.

    2. Sign my script. I don't know how to go about that, so if there are any guides around, that would be great.

    If there are any options, or if I'm completely off base, please let me know.

    Ed

    Wednesday, July 22, 2015 1:48 PM
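
Added example, not part of the thread: one way to sign a script file with Authenticode and confirm the signature, for the "sign my script" option raised above. It assumes a code-signing certificate that the clients trust is already in the signing user's personal store; the script path and the timestamp URL are placeholders.

```powershell
# Added example. Assumptions: a code-signing certificate trusted by the clients
# is already in Cert:\CurrentUser\My; path and timestamp URL are placeholders.
$scriptPath   = 'C:\Scripts\Discovery.ps1'        # hypothetical path
$timestampUrl = 'http://timestamp.example.com'    # placeholder: your CA's timestamp service

# Pick an unexpired code-signing certificate that has a private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw 'No usable code-signing certificate found in Cert:\CurrentUser\My.'
}

# Sign the file. The timestamp keeps the signature verifiable after the
# certificate itself expires.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer $timestampUrl | Out-Null

# Re-read the signature from disk and refuse to continue unless it validates.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
if ($check.Status -ne 'Valid') {
    throw "Signature status is '$($check.Status)': $($check.StatusMessage)"
}
"Signed by $($check.SignerCertificate.Subject)"

# Show which scope is setting the effective execution policy on this machine.
Get-ExecutionPolicy -List
```

Any edit to the file after signing, including whitespace, invalidates the signature, so sign the final version and re-check with Get-AuthenticodeSignature before distributing it.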
  • ConfigMgr doesn't change the system policy, it simply runs scripts with specified restriction policy the same as you would if running PowerShell.exe with the -executionpolicy parameter. Without looking at the log files, everything is just a guess.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, July 22, 2015 3:31 PM
  • ConfigMgr doesn't change the system policy, it simply runs scripts with specified restriction policy the same as you would if running PowerShell.exe with the -executionpolicy parameter. Without looking at the log files, everything is just a guess.

    Jason | http://blog.configmgrftw.com | @jasonsandys


    Jason, what logs would help narrow down the issue? I'm looking at CIDownloader.log and that seems to match the description of getting info on Configuration Items.
    Wednesday, July 22, 2015 4:41 PM
  • CIDownloader.log just shows the script being downloaded, not anything about it being run. Check CIAgent.log or DCMAgent.log (I don't remember which).

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, July 22, 2015 8:23 PM
  • CIDownloader.log just shows the script being downloaded, not anything about it being run. Check CIAgent.log or DCMAgent.log (I don't remember which).

    Jason | http://blog.configmgrftw.com | @jasonsandys

    I was able to find what I (think) I needed in CIAgent.log. Here is the only instance of the configuration baseline in the log file:

    <![LOG[CIAgentJob({B57854D1-49DE-4FC5-A5BA-4BDB0FE403C8}):  CI ScopeId_8D0657D4-9ADB-46EA-BBF8-BFFB26D0263A/Baseline_ab8364c1-0755-4455-85a3-c2de62ed05fb:1 (HQAVMainPC) targeted to S-1-5-21-1417001333-1770027372-725345543-12103 (Dependant of policy CI ScopeId_8D0657D4-9ADB-46EA-BBF8-BFFB26D0263A/Baseline_ab8364c1-0755-4455-85a3-c2de62ed05fb:1) is in scope for evaluation.]LOG]!><time="10:08:11.651+240" date="07-23-2015" component="CIAgent" context="" type="1" thread="6880" file="agentjob.cpp:3279">

    <![LOG[CIAgentJob({B57854D1-49DE-4FC5-A5BA-4BDB0FE403C8}):  CI ScopeId_8D0657D4-9ADB-46EA-BBF8-BFFB26D0263A/OperatingSystem_e4eb3618-5e5b-4966-881b-2ab885edc66f:11 (HQAVMainPrinterFile) targeted to S-1-5-21-1417001333-1770027372-725345543-12103 (Dependant of policy CI ScopeId_8D0657D4-9ADB-46EA-BBF8-BFFB26D0263A/Baseline_ab8364c1-0755-4455-85a3-c2de62ed05fb:1) is in scope for evaluation.]LOG]!><time="10:08:11.658+240" date="07-23-2015" component="CIAgent" context="" type="1" thread="6880" file="agentjob.cpp:3279">

    Thursday, July 23, 2015 2:21 PM
  • PowerShell will return an exit code when it's done running. If it was a success it would return 0.

    So I would change the data type to Integer.

    The returned value of the script should be equal to 0 for compliance.

    I would change the script to this 

    if(!(Test-Path C:\Users\Public\Desktop\File.txt)){exit 1}
    exit 0

    You test to see if it doesn't exist, and if it doesn't exist the script will end with 1, which tells SCCM that the compliance is not OK.

    This is the way I always did my compliance since PowerShell compliance.

    You will find good info about it here: http://blog.kloud.com.au/2014/08/12/powershell-detection-method-for-sccm-2012-application-compliance-management/

    Frederick, thanks so much. Your advice was correct and my detection script works. Here it is:

    if (Test-Path 'C:\Users\Public\Desktop\file.txt') {
        Return 0
    } else {
        Return 1
    }

    By changing the values to Integers, it resolved my issue. I incorrectly assumed that since PowerShell knows $True and $False, if I returned one of those values, it would accept that as a Boolean. Such a simple fix, but now that allows me to continue my work.

    Thanks again,

    Ed

    Friday, July 24, 2015 1:56 PM
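
Added example, not part of the thread: a discovery script that follows the pattern settled on above (setting data type Integer, compliant when the value equals 0) and writes exactly one value to the output stream, including when the check itself fails. The function name Get-ComplianceValue and the extra value 2 for "could not check" are assumptions of this example.

```powershell
# Added example. Assumes the configuration item setting uses data type Integer
# and the compliance rule is "Equals 0", as in the accepted answer.
$target = 'C:\Users\Public\Desktop\File.txt'   # path from the thread

function Get-ComplianceValue {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )
    try {
        # -PathType Leaf: a folder with the same name does not count as the file.
        # -ErrorAction Stop: access or provider errors go to the catch block
        # instead of being written to the error stream and ignored.
        if (Test-Path -LiteralPath $Path -PathType Leaf -ErrorAction Stop) {
            return 0      # compliant
        }
        return 1          # file is missing
    }
    catch {
        return 2          # check could not be performed (assumed convention)
    }
}

# Capture the result first so nothing else leaks into the output stream,
# then emit a single integer. At script scope, 'return <value>' has the same
# effect as Write-Output followed by leaving the script.
[int]$value = Get-ComplianceValue -Path $target
Write-Output $value
```

Because any non-zero value fails an "Equals 0" rule, both 1 and 2 report as non-compliant; the separate value only makes the two cases distinguishable in the compliance report.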