SCCM Compliance state always 'Compliant' when remediation script runs

We're trying to use SCCM 2012 R2 to run some checks on clients and fix problems when needed. For this we use the PowerShell 'Script' option.

Problem description:

When a 'Discovery script' reports 'Non-Compliant' the 'Remediation script' is launched. Regardless of the output of the 'Remediation script', the result in the report on the client in 'Configuration Manager > Configurations' is always 'Compliant', even when the 'Remediation script' failed to fix the issue and as a result has different output than defined in the 'Rules for compliance conditions'.

It seems that from the moment a 'Remediation script' is selected, the output of the SCCM Compliance State is always 'Compliant'.

Example:

- Situation:

When there are files or folders in the folder 'C:\Users\me\Downloads\Input_Test' the 'Discovery script' reports 'Not compliant to anything' and kicks off the 'Remediation script'. The remediation script takes action and can't fix the problem, so it reports back something other than 'Compliant', like 'Non-Compliant'. The SCCM Compliance State should say after execution of the 'Remediation script': 'Non-Compliant' (which is not the case).

- PowerShell Discovery script:

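# Collect the full paths of anything present in the monitored folder
$Paths = Get-ChildItem -Path 'C:\Users\me\Downloads\Input_Test' | Select-Object -ExpandProperty FullName
# Register the event source only once; New-EventLog raises an error if it already exists
if (-not [System.Diagnostics.EventLog]::SourceExists('SCCMCompliance')) {
    New-EventLog -LogName Application -Source SCCMCompliance
}
if ($Paths) {
    $Compliance = 'Non-Compliant'
    Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Warning -EventID 1 -Message "Discovery script: Non-Compliant"
}
else {
    $Compliance = 'Compliant'
    Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Information -EventID 0 -Message "Discovery script: Compliant"
}
# Emit the value that SCCM compares against the compliance rule
$Compliance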

- PowerShell Remediation script:

Write-Output 'Non-Compliant'
Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Warning -EventID 1 -Message "Remediation script: Non-Compliant $Paths"

- SCCM Rules for compliance conditions: [image] [image]

- SCCM Compliance State in the Configuration Manager: [image]

In the Windows event viewer all steps can be tracked easily. Am I missing something super obvious here?

After much pain and hurt, myself and @DarkLite1 have found that SCCM does not check compliance state after it has performed remediation.

From the moment you use a 'Remediation script' the only 2 possible Compliance statuses are: 'Compliant' or 'Exit with error code'. This is done in PowerShell with 'Exit 1'.

For more information please see: https://social.technet.microsoft.com/Forums/en-US/0f0f3e6f-7e9f-4376-a926-fc0b6aef5bf1/sccm-compliance-state-always-compliant-when-remediation-script-runs?forum=configmanagersecurity
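
A remediation script built on the 'Exit 1' behaviour described in the answer, as an added example that is not part of the original question or answer: it attempts the fix, repeats the discovery check itself, and exits with an error code when the folder is still not empty. The folder path and event source come from the question; the clean-up action (`Remove-Item`) and event ID 2 are assumptions made for illustration.

```powershell
# Added example, not from the original post.
# Path and event source are taken from the question's scripts.
$Path   = 'C:\Users\me\Downloads\Input_Test'
$Source = 'SCCMCompliance'

# Register the event source only if the discovery script has not done so yet.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

try {
    # Assumed remediation action: empty the monitored folder.
    Get-ChildItem -Path $Path -ErrorAction Stop |
        Remove-Item -Recurse -Force -ErrorAction Stop
}
catch {
    # Event ID 2 is a constructed value for "remediation action failed".
    Write-EventLog -LogName Application -Source $Source -EntryType Error -EventId 2 `
        -Message "Remediation script: clean-up failed: $($_.Exception.Message)"
}

# SCCM does not re-run discovery after remediation, so repeat the same
# check here and turn the result into an exit code.
$Remaining = @(Get-ChildItem -Path $Path -ErrorAction SilentlyContinue)

if ($Remaining.Count -gt 0) {
    Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 1 `
        -Message "Remediation script: Non-Compliant, $($Remaining.Count) item(s) remain"
    # A non-zero exit code is the only way to avoid the 'Compliant' state.
    exit 1
}

Write-EventLog -LogName Application -Source $Source -EntryType Information -EventId 0 `
    -Message 'Remediation script: Compliant'
exit 0
```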
