Let’s see how to Fix DCM Compliance Rules Error 0x87d00320 issue with SCCM (Configuration Manager). Learn how to create or build the Desired Configuration Management (DCM).
The rule fails to run and evaluate when creating a configuration item and targeting it using a configuration baseline. It fails with the error “0x87d00320 – The script host has not been installed yet.”
Compliance baseline with Powershell script was failing to evaluate.
Since there was a registry key (HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\Path) which points to the C:\windows\System32\WindowsPowershell\v1.0\Powershell.exe’ was missing on the clients (Both Server 2008 and 2012).
I tried to create them and evaluate the baseline manually and found the baseline evaluation was successful.
Troubleshooting Summary SCCM Compliance Rules Error 0x87d00320
Let’s see the troubleshooting Summary for SCCM Compliance Rules Error 0x87d00320 in the below list.
- Issues were happening on both VMs and physical machines.
- We have tried rebooting the client but the issue persists.
- We created a baseline with only one Configuration Item but the issue remained.
- We looked at the client logs and found the below error.
Log Details
Let’s identify the trouble “Compliance Rules Error 0x87d00320” via SCCM Logs DcmWmiProvider.log.
ScriptProvider::ReadDiscoveryInformation - ScriptType:0 ScriptProvider The needed Powershell script host is not installed. ScriptProvider 7044 (0x1B84) Failed in discovering instance. The script host has not been installed yet. (Error: 87D00320; Source: CCM) ScriptProvider 7044 (0x1B84) Failed to do HandleExecQueryAsync(). The script host has not been installed yet. (Error: 87D00320; Source: CCM) ScriptProvider 7044 (0x1B84) Failed to process CScriptProvider::GExecQueryAsync. The script host has not been installed yet. (Error: 87D00320; Source: CCM) ScriptProvider 7044 (0x1B84)
Solution – Compliance Rules Error 0x87d00320
Error 0x87d00320 translates to the script host has not been installed yet. Source: System Center Configuration Manager.
We have verified and confirmed that the Powershell execution policy was set to ‘Bypass’ in the client settings>Computer Agent.
https://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_ComputerAgentDeviceSettings
Also, we have confirmed that the Powershell was set to Remote signed on the local machine through the GPO. We have also checked and confirmed that Powershell 2.0 was already enabled.
[X] Windows PowerShell PowerShellRoot Installed [X] Windows PowerShell 4.0 PowerShell Installed [X] Windows PowerShell 2.0 Engine PowerShell-V2 Installed [ ] Windows PowerShell Desired State Configuration. DSC-Service Available [X] Windows PowerShell ISE PowerShell-ISE Installed [ ] Windows PowerShell Web Access WindowsPowerShellWeb... Available
- We tried adding the below registry manually and rebooted the client and checked but it didn’t help.
- reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 1 /f
- reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v ExecutionPolicy /d RemoteSigned /f
- Created a new client setting with a Computer agent the PowerShell execution policy was set to ‘Bypass’ and deployed to a few clients for testing, but it didn’t help.
- Checked the settings using ‘Policy spy’ and confirmed that the value was set to 1.
- I have tried to reproduce the issue in my lab using the same script and the issue was not occurring.
- Invoke-WmiMethod -Namespace “ROOT\ccm\ClientSDK” -Class CCM_ClientUtilities -Name DetermineIfRebootPending | select-object -ExpandProperty “RebootPending”
- Move the client to another OU without any GPO inherited and check the results.
- We have updated that we have already tested it by disabling most of the GPOs except a few which is needed.
- Suggested to take a Procmon while reproducing the issue.
- Reviewed procmon and found the below entry.
- wmiprvse.exe 1104 RegQueryValue HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\Path NAME NOT FOUND C:\WINDOWS\system32\wbem\wmiprvse.exe Length: 44 NT AUTHORITY\SYSTEM
I have checked in my lab and could see the above registry key, hence compared it with non-working machines and found the Registry key was missing.
We have created the registry value manually and evaluated the baseline, and found the baseline evaluation was successful.
Resources
- SCCM Logs and Quick Tips to Read Logs
- FIX Software Center Crash Error SCNotification Has Stopped Working| SCCM | ConfigMgr
- Install SCCM Client Manually Using Command Line
- How to Build Configuration Manager Technical Preview LAB |SCCM 2002.2
Author
My name is Deepak Rai, and I am a Technical Lead on SCCM and Intune with more than 14 years of experience in IT. My main domain is SCCM (AKA ConfigMgr, CB, MECM, etc.), Intune, and Azure (Runbooks). I have worked on several platforms (Active Directory, Exchange, Veritas NETBACKUP, Symantec Backup Exec, NDMP devices Like Netapp, EMC Data Domain, Quantum using Backup Exec 2010 and 2012, HP storage works 4048 MSL G3, Data Deduplication related troubleshooting.) in these 13 years but at last ended up to the technology from which I started as IT Engineer (SCCM).
actually this is documented and noted here
https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/about-client-settings
Tip
If unsigned scripts fail to run because of this client setting, Configuration Manager reports this error in the following ways:
The Monitoring workspace in the console displays deployment status error ID 0x87D00327. It also displays the description Script is not signed.
Reports display the error type Discovery Error. Then reports display either error code 0x87D00327 and the description Script is not signed, or error code 0x87D00320 and the description The script host has not been installed yet. An example report is: Details of errors of configuration items in a configuration baseline for an asset.
The DcmWmiProvider.log file displays the message Script is not signed (Error: 87D00327; Source: CCM).
But this is a good article as usual Deepak
Thank you frack.