从通过 SCCM 部署的 Powershell 脚本中运行 SFC.EXE

Question

I'm trying to create a Powershell script that will be deployed to any node that is showing bad update health to automate some of the simple tasks without having to interrupt users during their workday. The Powershell script works perfectly if ran from an elevated PS prompt. It also runs fine when the same script is deployed to a test machine via SCCM with one exception: it won't call SFC.EXE /SCANNOW .

I've tried using:

Start-Process -FilePath "${env:Windir}\System32\SFC.EXE" -ArgumentList '/scannow' -Wait -NoNewWindow

Start-Process -FilePath "sfc.exe" -ArgumentList '/scannow' -Wait -NoNewWindow

Start-Process -FilePath "${env:Windir}\System32\SFC.EXE" -ArgumentList '/scannow' -RedirectStandardOutput "C:\SFC-Out.log" -RedirectStandardError "C:\SFC-Err.log" -Wait -NoNewWindow

& "sfc.exe" "/scannow"

Invoke-Command -ScriptBlock { sfc.exe /scannow }

Again, all of these examples work exactly as intended when run from an elevated PS prompt, but fail when run from the deployed PowerShell script. When I used the -RedirectStandardOutput, I checked the file SFC-Out.log and it read:

"Windows Resource Protection could not start the repair service"

I think this is because SCCM runs programs/scripts in the SYSTEM context instead of a user context (or even an elevated user context, but SYSTEM is supposed to be higher than an elevated session).

Is there a way to accomplish this? Sorry for the bad formatting, this is my first post on this site.

Answer 1

A bit late but I encountered the same issue. Not sure if this is the case for you but the cause was configuring the deployment of the script with SCCM to run as a 32 bit process. The script was being deployed to 64 bit systems. When I unchecked "run as 32 bit process" in the deployment configuration SFC worked without an issue under the context of a System account.

Answer 2

I created a package (not an application) in SCCM and had to use the redirect using the elusive sysnative folder for x64 machines:

https://www.thewindowsclub.com/sysnative-folder-in-windows-64-bit

So it would be:

C:\Windows\Sysnative\SFC.EXE /SCANNOW

Answer 3

What you have will work, just missing "-Verb RunAs" to elevate permissions. So your cmdlet should read:-

Start-Process -FilePath "${env:Windir}\System32\SFC.EXE" -ArgumentList '/scannow' -Wait -Verb RunAs

Answer 4

I've been reading and searching online for this, the only answer so far is that It can't be run due to sccm using the system account. It's also the same behavior when trying to run winmgt .

Answer 5

Fast forward to SCCM Current Branch 2109 and I was able to solve this problem by using the new Scripts feature built into SCCM. Using & 'sfc.exe' '/scannow' works, and I can manually run this script against any device collection showing devices in error. Start-Process -FilePath "sfc.exe" -ArgumentList "/scannow" -NoNewWindow -Wait works too.