Endpoint Protection


Installing SCCM agent via SEP / SNAC 

Nov 27, 2013 07:45 AM

Most organizations use SCCM to deploy third-party software, OS patches, etc. to endpoints. It is a very tedious process for the SCCM admin to verify that all the endpoints are 100% compliant.

I would like to present a solution that lets you check whether the SCCM agent is running and whether its services are enabled or disabled. Depending on the result, it can start the services or download the installation files and install the SCCM agent locally on the endpoint.

So here is how SNAC can help you tackle this problem.

The best part is that this requires no hardware Enforcers or DHCP software plug-in to be configured.

Pre-requisites:

1.           Make sure your SEPM 11 / 12 is SNAC ready: the Policies tab should show the Host Integrity Policy option. If it does not, you can add the SNAC.xml file to the License folder in SEPM.

Note: Restart the SEPM services after adding the SNAC license.

2.           Ensure SEP is functioning properly on endpoints.

3.           Create an HI policy and assign it to groups

4.           Copy the required SCCM agent installation files to a shared network folder or an internal HTTP / FTP site

Let's see how to create an HI policy, to check if SCCM agent is installed / disabled / stopped / uninstalled.

1.      Log in to SEPM

2.      Click on Policies and select Host Integrity

3.      On the right pane, right-click and select “Add”

4.      Enter a description for the policy

5.      Click on “Requirements”

6.      Click on “Add”, select “Custom requirement” and click “OK”

7.      Click on “Add” and select “IF... THEN”

8.      Check whether the services “ccmexec” and “bits” are running on the endpoint

o   On the right pane, in “Select a condition” → scroll and select “Utility: Service is running”

o   Under “Check if the following service is running” → enter the service name “CcmExec”

9.      On the left pane, add a check for another service

o   Right-click on “Utility: Service is running”

o   Click on “Add”

o   Click on “AND”

10.   On the right pane

o   In “Select a condition” → scroll and select “Utility: Service is running”

o   Under “Check if the following service is running” → enter the service name “BITS”

11.   On the left pane → click on “THEN” → enter the comment “SMS agent is running”

12.   On the left pane, click on the “THEN” comment “SMS agent is running” → click “ADD” → select “Return”

13.   On the right pane, select “Pass”

Note:   If both services are running on the endpoint, the HI policy will “Pass”.

If either service or both services are not running, the HI policy will “Fail”.

If the services are disabled, we can start the service via the HI policy.

If the SMS agent is not installed, we can download the files and execute them locally via the HI policy.

Restart of SCCM services – Disabled / stopped

14.   On the left pane, click on “THEN”, click on “Add” and select “Else”

15.   Enter the comment “Start SCCM service”

16.   Click on “Else → Comment → Start SMS service”, click on “Add”, click “Function” and select “Utility: Run a program”

17.   On the right pane, under “Specify the command”, type “net start bits”

18.   Click on “Add”, click “Function” and select “Utility: Run a program”

o   On the right pane, under “Specify the command”, type “net start ccmexec”

Installation of SCCM Agent

19.   Check whether the services “ccmexec” and “bits” are running on the endpoint.

o   On the left pane, click on “Utility: Run a program”, click on “Add” and click on “IF... THEN”

20.   On the right pane

o   In “Select a condition” → scroll and select “Utility: Service is running”

o   Under “Check if the following service is running” → enter the service name “ccmexec”

21.   Add a check for another service

o   In “Select a condition” → scroll and select “Utility: Service is running”

o   Under “Check if the following service is running” → enter the service name “bits”

22.   Click on “THEN” and insert a comment “SMS agent is running”

23.   On the left pane, click on the “THEN” comment “SMS agent is running” → click “ADD” → click “Return” and select “Pass” on the right pane

Note: If the services are not running or the agent is not deployed, have the installation files downloaded from an FTP site or network shared folder and executed locally.

24.   On the left pane, click on “THEN”, click on “Add” and select “Else”

25.   On the left pane → click on “ELSE” → click on “Add” → click on “Function” and select “File: Download a File”

o   Under “Download the file”, provide the path to download the files from and a local “Target folder” to copy the files to

Note: Copy all the SCCM agent installation files (MHosts.vbs, ccmclean.exe, ccmdelcert.exe, cmsetup.exe, delete.cmd, excluded.txt, local.vbs, lmhosts, sleep.exe, Trace32.exe, UI_local.cmd) to the %systemroot%\system32 folder

Execute the script: Cscript local.vbs

As per the screenshot above, the customer created a bat file. It contained a script to copy the installation files and execute them locally (Cscript local.vbs)

Click on “Add” → click on “Function” and select “Utility: Run a Program”

o   Under “Specify the command”, enter the command “c:\temp\sccmagent.bat”

26.   On the left pane, click on “Utility: Run a program”, click “Add” and click “Return”

o   Select “Pass”
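
The decision tree built in steps 8 to 26, as an added PowerShell example for checking the behaviour on a single test endpoint; it is not part of the original article and is not the customer's bat file. The staging folder, the SHA-256 placeholder and the function names are assumptions, and the hash check before execution is an addition: the HI policy as configured above runs the downloaded file as-is. Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example: mirrors the HI custom requirement's decision tree on one endpoint.
# Assumptions (not from the article): $StageDir, $ExpectedSha256, all function names.
$Services       = 'CcmExec', 'BITS'                  # services the policy checks
$StageDir       = 'C:\ProgramData\SccmAgentStage'    # hypothetical admin-only folder
$Installer      = Join-Path $StageDir 'local.vbs'    # script the article runs via cscript
$ExpectedSha256 = '<SHA256-OF-APPROVED-LOCAL.VBS>'   # placeholder: hash of your reviewed copy

function Test-AgentServices {
    # IF ... AND ... condition: every service must exist and be Running.
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    }
    return $true
}

function Start-AgentServices {
    # Steps 16-18: same effect as "net start bits" and "net start ccmexec".
    # A service whose startup type is Disabled will not start here and falls through.
    foreach ($name in 'BITS', 'CcmExec') {
        Start-Service -Name $name -ErrorAction SilentlyContinue
    }
}

function Install-Agent {
    # Step 25 equivalent, with an added integrity check before anything is executed.
    if (-not (Test-Path -LiteralPath $Installer)) { return $false }
    $actual = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Warning "Hash mismatch for $Installer; not executing it."
        return $false
    }
    $proc = Start-Process -FilePath 'cscript.exe' -WorkingDirectory $StageDir `
        -ArgumentList '//nologo', "`"$Installer`"" -Wait -PassThru
    return ($proc.ExitCode -eq 0)
}

function Invoke-AgentCheck {
    if (Test-AgentServices) { return 'Pass: SMS agent is running' }
    Start-AgentServices
    if (Test-AgentServices) { return 'Pass: services started' }
    if (Install-Agent)      { return 'Pass: agent installer ran' }
    return 'Fail'
}

Invoke-AgentCheck
```

Unlike step 26, which returns “Pass” unconditionally after the program runs, this sketch returns “Fail” when the staged script is missing or its hash does not match.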



Comments

Jan 13, 2014 02:55 AM

thank you

Dec 30, 2013 07:12 AM

Hi Chihung,

The SCCMagent.bat file, created by the customer, had all the SCCM agent installation files with variables for endpoint installation.

Customer is not willing to share the bat file. The bat file was uploaded to an ftp folder, they didn't provide it to me.

You will have to check with your SCCM team or with Microsoft.

Dec 22, 2013 10:17 PM

Hi

Can you send me the file "SCCMagent.bat"?

Thank you.
