System Center 2012 Configuration Manager has a nice new feature to help with that pesky problem of client health. A new client health task on each machine performs checks to make sure that key areas such as prerequisites, dependent services and WMI are all functioning and, if needed, remediates those issues, even repairing WMI or reinstalling the client. While this feature can help identify and remediate issues found on the client, and has been shown to increase overall client health, what if you wanted to disable remediation on just some systems but not all? As an example, we may want to disable remediation on servers so no actions are performed on WMI that may cause issues with other applications. In this blog I will discuss the different ways I have found to successfully disable automatic remediation for the Configuration Manager Health Evaluation.
There are a few ways to accomplish this:
Disable Automatic Remediation using Client Push
Disable Automatic Remediation using Group Policy Preferences
Disable Automatic Remediation using Configuration Baseline
Disable Automatic Remediation
The Configuration Manager Health Evaluation runs as a scheduled task and launches an executable called CCMEVAL.EXE, which performs the checks and remediations listed in the CCMEVAL.XML file. The SMS Agent Host service checks every hour whether this scheduled task is present and whether the corresponding registry keys are present as well. This can be seen by reviewing the CCMEvalTask.log file in the %windir%\ccm\logs directory.
To disable the Automatic Remediation of the Health Evaluator, the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval\NotifyOnly needs to be changed from the default value of FALSE to TRUE. More information can be found on TechNet here.
Changing the value manually works great for a single machine for testing purposes; however, trying to disable this on multiple machines may not be practical. So let's review a few ways to disable automatic remediation for multiple machines.
Disable Automatic Remediation using Client Push Properties
When disabling automatic remediation for all machines we can address this at install time or post install time. If we want to install all clients without remediation, TechNet currently lists a CCMSETUP command line option of /NotifyOnly to disable the remediation during the client install. In my testing this currently does not work and will leave the remediation enabled, as verified by reviewing the registry value listed above.
Now if we happen to review the Client.MSI we will find that in the Property Table there is a Public Property for NOTIFYONLY set to FALSE.
With NOTIFYONLY being an MSI Public Property, this property can be put on a command line when used with CCMSETUP, used in the Administrative Template for Client Install commands, or used in the Client Push Installation Properties along with any of the other Client.msi properties. If we put this property in the Client Push Properties it will be published to Active Directory and used any time a machine launches CCMSETUP.EXE without any command line parameters. It will also be used when I push a client to the machine manually, or automatically if client push is enabled.
To enable this as a Client Push property:
Now, for all new installs or reinstalls using Client Push, or even running CCMSETUP.EXE with no command line parameters, the Client Health remediation will be disabled.
Using the Install Property is great if you are starting your client rollout, and also to make sure that all servers moving forward do not have remediation enabled by default. However, what about the servers that already have the agent? Depending on my Active Directory organization I may have all my servers in a single OU, or at least in a few manageable OUs where I can link a GPO.
Disable Automatic Remediation using Group Policy Preferences
Group Policy Preferences allow administrators to manage a greater number of items, such as registry settings, using a GPO. If you are interested there is more information here. There are also some prerequisites, such as a client-side extension that needs to be installed on operating system versions older than Windows 7 and Windows Server 2008. For our scenario this would mean we need it on our Windows Server 2003 machines. For now we will assume that this install has already been deployed; if not, you may want to skip this section and go straight to using Configuration Items.
Something to note is that during the install of the Configuration Manager client the registry value above is reset to the default value of FALSE, and that value remains in effect until the GPO is refreshed. This could leave a server in an undesirable state for a period of time. Also, in some cases, such as an Active Directory structure that does not allow for easy linking of the GPO, or if the client-side extensions have not been rolled out, we may still need another option. This is a good option but may not be for everyone.
Disable Automatic Remediation using Configuration Baseline
Setting a Client Push Property is great, but it affects all the installs for that specific site. If you are managing machines where some should have remediation enabled and others should not, this alone would not work. The best option I found was to keep it all in Configuration Manager by using the automatic remediation of Configuration Items. We can take advantage of the Client Push Property to disable Auto Remediation on all clients and then enable it only on those that need it; a Configuration Item can only be evaluated once the client is installed, so the push property covers the gap in between.
Update Client Push Properties for NOTIFYONLY.
The first step is to make sure that all machines are installed with auto remediation disabled so we do not end up with a machine, such as a server, in an undesirable state. Use the steps above to complete this.
Create a Collection of Workstation Machines
The next step is to create a query based collection that has only the machines that we wish to have the automatic remediation enabled on. I created a collection that had a single query rule for:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows % Workstation%"
Make sure to take advantage of Dynamic collection updating by selecting the box for "Use incremental updates for this collection".
Create Configuration Item for Registry Key
We can use the new automatic remediation feature of Compliance Settings to not only monitor whether the NOTIFYONLY registry value is set to FALSE, but also change that value as needed.
Create and Deploy Baseline for CCM Evaluation Remediation
Now that we have a Configuration Item created we need to create a Baseline that we can use to deploy to our workstation collection.
This process could also be repeated to make sure that all Servers have the value set to TRUE for those machines that currently have the agent already rolled out.
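As an added example (not code from the original post, Microsoft, or TechNet), here is discovery and remediation logic that a script-based Configuration Item could use for the workstation baseline above and for the server variant just mentioned. It assumes NotifyOnly is a REG_SZ holding TRUE or FALSE under the key path given in this post, and derives the desired value from the WMI operating system product type; the function names are my own.

```powershell
# Added example, not from the original post: discovery and remediation logic for a
# script-based Configuration Item that manages the CcmEval NotifyOnly value.
# Assumptions: NotifyOnly is a REG_SZ holding "TRUE" or "FALSE" (the post gives the
# key path and the two values), and the desired state is derived from the OS
# product type reported by WMI (1 = workstation, 2 = domain controller, 3 = server).
# Get-WmiObject is used rather than Get-CimInstance so it also runs on PowerShell 2.0.

$CcmEvalKey = 'HKLM:\SOFTWARE\Microsoft\CCM\CcmEval'

function Get-DesiredNotifyOnly {
    # Workstations keep remediation enabled (FALSE); servers become notify-only (TRUE).
    $productType = (Get-WmiObject -Class Win32_OperatingSystem).ProductType
    if ($productType -eq 1) { 'FALSE' } else { 'TRUE' }
}

function Get-CcmEvalNotifyOnly {
    # Returns the current value, or 'MISSING' when the client key or value is absent
    # (client not installed, or value reset by a client reinstall as the post notes).
    if (-not (Test-Path $CcmEvalKey)) { return 'MISSING' }
    $item = Get-ItemProperty -Path $CcmEvalKey -Name 'NotifyOnly' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'MISSING' }
    return ([string]$item.NotifyOnly).ToUpper()
}

function Set-CcmEvalNotifyOnly {
    param([ValidateSet('TRUE', 'FALSE')][string]$Value)
    # Remediation: change the value only when it differs; never create the CCM key,
    # because a missing key means the client itself is not installed.
    $current = Get-CcmEvalNotifyOnly
    if ($current -eq 'MISSING') { return 'NotifyOnly not present; client not installed?' }
    if ($current -ne $Value) {
        Set-ItemProperty -Path $CcmEvalKey -Name 'NotifyOnly' -Value $Value -Type String
        return "Changed NotifyOnly from $current to $Value"
    }
    return "NotifyOnly already $Value"
}

# Discovery script body for the CI: the functions above plus these two lines, with the
# compliance rule set to require the output string "Compliant".
$desired = Get-DesiredNotifyOnly
if ((Get-CcmEvalNotifyOnly) -eq $desired) { 'Compliant' } else { 'NonCompliant' }

# Remediation script body for the CI: the functions above plus this single call.
# Set-CcmEvalNotifyOnly -Value (Get-DesiredNotifyOnly)
```

Because the desired value comes from the product type, one Configuration Item deployed to both the workstation and the server collections yields FALSE on workstations and TRUE on servers, and the discovery output shows in the CI compliance report which machines were out of line before remediation ran.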
So in conclusion we have a few different ways to disable the automatic remediation for those key machines that should not be remediated without administrative intervention, such as servers. We are able to use the Client Push Property for NOTIFYONLY to disable the remediation for all machines and use a Configuration Baseline to target only selected machines for remediation. In another post we will take a deeper look at what actions remediation specifically performs.