System Center Configuration Manager Feedback

Suggestion box powered by UserVoice

Detection and remediation scripts should have more control over the execution of PowerShell

When defining a Configuration Item with Powershell have the possibility to influence the behavior of the script (eg -noprofile, setting allowed time to run)

286 votes
    Roland De Clerck shared this idea

    13 comments

      • Nick Kosenka-Evans commented

        Did the ability to configure allowed run time make it into the update? The 1810 release notes mention the -NoProfile change, but nothing about script run time.

      • Jakob Gottlieb Svendsen (MVP) commented

        We currently have seen this issue at 2 enterprise companies.

        The issue is that when SCCM triggers a CI script, it does not add "-NoProfile" to the powershell.exe execution (or disable the profile load in other ways; I am not sure how CM executes PowerShell).

        Besides triggering the profile, SCCM does not generate its own host name, and uses the same name as the default PowerShell shell.

        Therefore it will trigger up to 4 standard profiles on the machine, if they exist:

        AllUsersAllHosts : C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
        AllUsersCurrentHost : C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
        CurrentUserAllHosts : C:\Users\JGS\Documents\WindowsPowerShell\profile.ps1
        CurrentUserCurrentHost : C:\Users\JGS\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

        A CI expects a specific return output; many of ours expect BOOLEAN, which means the CI fails if the script outputs more than that.
        Some of our CIs even run in user context, which makes them trigger the personal profile too!

        We cannot control personal profiles, and we have multiple customers with valid reasons for outputting guidelines etc. to the screen when admins open PowerShell, using AllUsers profiles.
        These profiles interfere with CI scripts and break the execution of the CIs.

        We suggest that either

        1. No profile is ever triggered, by adding -NoProfile to the execution of Powershell.exe or disabling them in other ways.
        2. Make it an option on the CI to not execute profiles.

        If not, there are many things in a profile that can break CI execution.
        It should even be possible to cheat SCCM into saying all boolean PowerShell CIs are compliant, by outputting $true and exiting PowerShell. (have not tested)

        Also, an example is servers with SharePoint 2010 components installed.
        For some reason SharePoint 2010 adds its Import-Module cmd to the AllUsersAllHosts profile (very bad practice, but the installer does this automatically, probably because it is SP2010 and there were no real guidelines back then).
        If for some reason this import fails, i.e. because of no connection to the server
        (it also fails if it has never been manually run, as it doesn't know which server to connect to),

        it breaks all CI execution. We have one customer with around 30 servers that cannot run PowerShell based CIs at all.

      • Charlton Stanley commented

        Hey MS, it's been 3 years. The lack of -noprofile is becoming more painful for sysadmins, as more and more products\tasks require the use of PowerShell. I'll admit that depending on the industry, this may not be an issue for some admins, but I think most have dealt with this at least once, whether in CIs or while writing application detections. Could we possibly get some forward progress on this?
        Very Respectfully,
        Charlton

      • Mark Litscher commented

        I would also like to see this and the NonInteractive flag as a default or option for Application Detection scripts. The way this currently exists end users can block PowerShell Configuration Baselines or Application Deployment checks simply by placing invalid Powershell in their MyDocuments/WindowsPowerShell/Microsoft.PowerShell_profile.
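The two risks raised above (profile output polluting a boolean CI result, and a user-writable profile blocking a baseline or detection check) can be checked on a machine before a baseline reports non-compliance. The following is an added example, not code from this thread, from Microsoft or from the Configuration Manager client; it assumes Windows PowerShell 5.1 and a constructed sample detection script written to %TEMP%. It lists the four profile scripts that a powershell.exe launched without -NoProfile will run, then runs a detection script with and without -NoProfile and compares what a caller would receive.

```powershell
# Added example (not from the UserVoice thread, Microsoft or the CM client).
# 1. Enumerate the four profile scripts that run when -NoProfile is omitted.
# 2. Run a detection script both ways and report whether a profile alters its output.

function Get-ProfileScriptStatus {
    # $PROFILE exposes the four scope paths as properties; the names match the
    # list in the thread (AllUsersAllHosts, AllUsersCurrentHost, ...).
    foreach ($scope in 'AllUsersAllHosts', 'AllUsersCurrentHost',
                       'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
        $path = $PROFILE.$scope
        [pscustomobject]@{
            Scope  = $scope
            Path   = $path
            Exists = (Test-Path -LiteralPath $path)
        }
    }
}

function Compare-DetectionOutput {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        # The exact text the compliance rule expects, e.g. 'True' for a boolean CI.
        [string] $Expected = 'True'
    )
    $common = @('-NonInteractive', '-ExecutionPolicy', 'Bypass', '-File', $ScriptPath)
    # Output with profiles skipped: what the detection script itself produces.
    $clean = (& powershell.exe -NoProfile @common 2>&1) -join "`n"
    # Output with profiles loaded first: what a caller that omits -NoProfile receives.
    $withProfile = (& powershell.exe @common 2>&1) -join "`n"
    [pscustomobject]@{
        CleanMatchesExpected       = ($clean.Trim() -eq $Expected)
        WithProfileMatchesExpected = ($withProfile.Trim() -eq $Expected)
        ProfileInterferes          = ($clean -ne $withProfile)
        WithProfileOutput          = $withProfile
    }
}

# Constructed sample detection script: a boolean CI like the ones in the thread.
$sample = Join-Path $env:TEMP 'sample-ci-detection.ps1'
Set-Content -LiteralPath $sample -Value '$true' -Encoding ASCII

Get-ProfileScriptStatus | Format-Table -AutoSize
Compare-DetectionOutput -ScriptPath $sample -Expected 'True' | Format-List
Remove-Item -LiteralPath $sample
```

The CurrentUser paths reflect the account running the check, so run it in the same context the CI uses (SYSTEM for most CIs, the logged-on user for CIs configured to run in user context). A result of ProfileInterferes = True with WithProfileMatchesExpected = False is the situation described in the thread, where module-import messages or a profile error are returned in place of the script's own result.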

      • Koenraad Rens commented

        We only have a few computers and users with a PowerShell profile script.
        I decided to change these scripts. I added this first line:

        # Leave the profile early when this powershell.exe was started on a script from the CM client's temp folder.
        if ((gwmi -Query "select commandline from win32_process where processid = $pid").Commandline -like '*ccm\systemtemp*') {exit}

        This exits the profile script when the original script is a Compliance script.

      • Koenraad Rens commented

        The -noprofile option should have been the default. I can understand it is difficult to change that now. Maybe you fear to break existing solutions and you want to implement a nice option in the interface to change the behavior.
        I think many administrators would like a quick solution which would change all scripts to run with the -noprofile option. And if it’s difficult to implement that in the interface, make a PowerShell command first. Something like ‘Set-CMNoProfile’. Anybody using PowerShell for compliance would be able to run such a command.

      • Mike Horton commented

        Needs to be done. My compliance baseline for WannaCry is failing on all our 2008 R2 servers because it's timing out.

      • Marco commented

        Yes, we need a -noprofile for the PowerShell script; currently if a profile is configured to import modules, that is what is passed back to SCCM instead of my script results. In the compliance report of failed systems I see returned results of "Importing cmdlet blah blah" a few hundred times but not my actual script output of "PASSED" or "FAILED".

      • Thomas Hughes commented

        It would really be nice if the remediation script timeout setting was configurable in Custom Settings for the client, or at least in the Remediation Script properties of the CI.

      • Dwayne commented

        It actually would be really nice if it ran with the -noprofile switch by default.
