Last updated on July 17th, 2023 at 10:29 am
As many of you know, I now work for Recast Software. As part of that process, my old lab was running on hardware that Recast now owns. So, as you will know if you follow my Twitter account, I bought a new server to host my labs. This meant that I needed to rebuild everything from the ground up. So far on this journey I have created a new AD forest and domain, created a SQL server to host SQL for Microsoft Endpoint Configuration Manager (MECM), and set up MECM. I currently have NO clients within the MECM lab. Seriously, I have barely set up the lab. On my list of things to do was setting up a startup script to ensure that the CM client is installed and healthy all the time. This blog covers my notes on setting up Anders Rødland's ConfigMgr Client Health Startup Script, since I have not set up his script before. It also means that I will be learning how to do it “right” on the fly too.
ConfigMgr Client Health Scripts – aka Startup Scripts
Why a startup script? Simply put, a startup script helps ensure that the computer is healthy every time it boots. Since these scripts run as the local system account, you do not have to worry about whether the user has admin access to fix things.
Scripts
There are two main scripts that most MECM admins use:
- Jason Sandys’ Client Startup Script – MEMFTW!
- Anders Rødland’s ConfigMgr Client Health – Tips from a Microsoft Certified IT Pro (andersrodland.com)
Why did I pick Anders’ script? I wanted to update his SSRS reports to give more details. Nothing more.
How Long Will it Add to My Boot Time?
There are two parts to this question: the initial run and subsequent runs.
I will answer it this way: you will never notice it in either case. Why? Because it runs in the background, so unless you go looking you will not see the PowerShell script running. However, if you do go look, the initial run might be listed in the process list for ~10-15 minutes if it is installing the CM client and forcing policies to run.
Getting Started
If you start reading Rødland’s doc, he skips over the bit about setting up his script and tells you the features instead.
High level setup steps
- Create Shares
- Copy files into share
- Edit the config file
- Set up the SQL database (optional but recommended)
- Set up the Webservice (optional but recommended)
- Set up the startup script
Create Shares
CM Client
Because of the permissions on the CM Client folder, I copied the CM client folder (aka E:\Program Files\Microsoft Configuration Manager\Client) to another server and created a share there. The downside to this method is that I will need to remember to copy over the updated client files when I upgrade. For simplicity I added the client files to the CM Health share; in a later post, when I upgrade to HTTPS, I will also harden this by moving the CM client files to another share.
CM Health
I created a share NOT on the site server to store the logs and the script. In my case, I used my WSUS server for this, as it isn’t doing much else other than being a SUP. For this share I granted Everyone change rights. I didn’t adjust the file permissions.
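The CM Health share holds both the script that runs as the local system account at startup and the logs, so it is worth knowing exactly which groups can write to the script files. The following is an added example, not part of Anders Rødland's script or of the setup in this post, that lists share and NTFS entries giving broad groups write access; the share name, path and group list are assumptions.

```powershell
# Added example: find broad groups that can modify a startup-script share.
# The group list, share name and path are assumptions; adjust them to your lab.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users',
                     'Domain Users', 'Domain Computers')

# Share-level check. Run on the file server that hosts the share.
function Get-BroadShareWrite {
    param([Parameter(Mandatory)][string]$ShareName)
    Get-SmbShareAccess -Name $ShareName | Where-Object {
        [string]$_.AccessControlType -eq 'Allow' -and
        [string]$_.AccessRight -in @('Change', 'Full') -and
        ($_.AccountName -split '\\')[-1] -in $BroadPrincipals
    }
}

# NTFS-level check for the folder and everything below it.
function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Bits that allow changing, replacing or deleting a file, or taking over its ACL.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeBits = $writeBits -bor 0x50000000   # GENERIC_WRITE and GENERIC_ALL
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            # Compare on the name after the domain or authority prefix.
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                $name -in $BroadPrincipals -and
                ([int]$ace.FileSystemRights -band $writeBits)) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Usage (hypothetical share name and local path on the file server):
# Get-BroadShareWrite -ShareName 'ClientHealth$'
# Get-BroadWriteAce -Path 'D:\ClientHealth' | Format-Table -AutoSize
```

The check matches group names only and does not expand nested group membership.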
Edit the config file
For v1 of this blog, I did NOT adjust the optional items Updates or RebootApplication; both are set to false anyway. With any luck I will do a follow-up blog about them.
Setup SQL database
I’m a database (db) guy, and I want to use the webservice with the SQL db. For the db, I’m going to use my remote SQL server that also hosts my CM db.
Setting up the Webservice
This is not clear from the doc, but start by creating a plain user account within the domain called ClientHealth; you will use this for IIS later. Don’t forget to grant database owner (DBO) rights to this account!
Basically, follow the instructions. High-level steps below:
- Ensure .NET 4.8 is installed.
- Copy the files to a folder
- Create an IIS Application pool
- Modify the Application pool to use the user account you created.
- Test the website in Edge.
Make sure that you edit the Config.xml and set line 19 to False. This will use the IIS AppPool account vs the computer account.
<Log Name="SQL" Server="memsql.op.memreports.com" Enable="False" />
Testing your setup
I recommend testing that you have set everything up correctly BEFORE blindly adding the GPO setting. I did this using PowerShell ISE. You will notice within the script results that I have an error accessing the webservice; the problem was I didn’t grant DBO rights to the web service account. Once I did that, everything was great!
Set up the startup script
Now there isn’t much to it at this point. I manually tested the command on a computer BEFORE creating the startup GPO. Once that is done, every time a computer comes online or reboots, the startup script will run, install the CM client and report its health.
If you have any questions about this post, please feel free to touch base @Garthmj. My next blog is more of a step-by-step on adding the GPO to run this script for all computers. Watch for it. I’m also looking at writing a blog on his report; if you have suggested edits to those reports, let me know.