Fix DCM Compliance Rules Error 0x87d00320 with ConfigMgr | SCCM

2
Compliance Rules Error 0x87d00320

Let’s see how to Fix DCM Compliance Rules Error 0x87d00320 with Configuration Manager. Learn how to reate or build the Desired Configuration Management (DCM).

Issue Description:

When created a configuration item and targeted it using configuration baseline the rule fails to run and evaluate. Fails with error ” 0x87d00320 The script host has not been installed yet. “

FIX DCM Compliance Rules Error 0x87d00320 with ConfigMgr
FIX DCM Compliance Rules Error 0x87d00320 with ConfigMgr

Compliance baseline with Powershell script was failing to evaluate.

Since there was a registry key (HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\Path) which points to the C:\windows\System32\WindowsPowershell\v1.0\Powershell.exe’ was missing on the clients (Both Server 2008 and 2012).

I tried to manually create them and tried to evaluate the baseline and found the baseline evaluation was successful.

Altaro Office 365 Backup
Advertisement Altaro Office 365 Backup

Troubleshooting Summary

  • Issues was happening on both VMs and Physical machines.
  • We have tried rebooting the client but the issue persists.
  • We created a baseline with only one Configuration Item but the issue remained.
  • We looked at the client logs and found the below error.

Log Details

Let see how to identify the trouble “Compliance Rules Error 0x87d00320” via SCCM Logs DcmWmiProvider.log.

ScriptProvider::ReadDiscoveryInformation - ScriptType:0        
ScriptProvider 
The needed Powershell script host is not installed.        
ScriptProvider  7044 (0x1B84)
Failed in discovering instance. 
The script host has not been installed yet. (Error: 87D00320; Source: CCM) ScriptProvider   7044 (0x1B84)
Failed to do HandleExecQueryAsync(). 
The script host has not been installed yet. (Error: 87D00320; Source: CCM)        ScriptProvider 7044 (0x1B84)
Failed to process CScriptProvider::GExecQueryAsync. 
The script host has not been installed yet. (Error: 87D00320; Source: CCM)  ScriptProvider 7044 (0x1B84) 

Solution – Compliance Rules Error 0x87d00320

We have verified and confirmed that the Powershell execution policy was set to ‘Bypass’ in the client settings>Computer Agent.

https://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_ComputerAgentDeviceSettings

  • Also, we have confirmed that the Powershell was set to Remote signed on the local machine through the GPO.
  • We have also checked and confirmed that the Powershell 2.0 was already enabled.
[X] Windows PowerShell PowerShellRoot Installed
[X] Windows PowerShell 4.0 PowerShell Installed
[X] Windows PowerShell 2.0 Engine PowerShell-V2 Installed
[ ] Windows PowerShell Desired State Configuration. DSC-Service                    Available
[X] Windows PowerShell ISE PowerShell-ISE Installed
[ ] Windows PowerShell Web Access WindowsPowerShellWeb... Available 
  • We tried adding the below registry manually and rebooted the client and checked but it didn’t help.
    • reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 1 /f
    • reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v ExecutionPolicy /d RemoteSigned /f
  • Created a new client setting with Computer agent the PowerShell execution policy was set to ‘Bypass’ and deployed to few clients for testing, but it didn’t help.
  • Checked the settings using ‘Policy spy’ and confirmed that the value was set to 1
  • I have tried to reproduce the issue in my lab using the same script and the issue was not occurring.
    • Invoke-WmiMethod -Namespace “ROOT\ccm\ClientSDK” -Class CCM_ClientUtilities -Name DetermineIfRebootPending  | select-object -ExpandProperty “RebootPending”
  • Move the client to another OU without any GPO inherited and check the results.
  • We have updated that we have already tested it by disabling most of the GPOs except few which is needed.
  • Suggested to take a Procmon while reproducing the issue.
  • Reviewed procmon and found the below entry.
    • wmiprvse.exe   1104  RegQueryValue                HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\Path  NAME NOT FOUND C:\WINDOWS\system32\wbem\wmiprvse.exe   Length: 44       NT AUTHORITY\SYSTEM
  • I have checked in my lab and could see the above registry key, hence compared it with non-working machines and found the Registry key was missing.
  • We have tried to manually create the registry value and tried to evaluate the baseline and found the baseline evaluation was successful.

Resources

2 COMMENTS

  1. actually this is documented and noted here
    https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/about-client-settings

    Tip
    If unsigned scripts fail to run because of this client setting, Configuration Manager reports this error in the following ways:

    The Monitoring workspace in the console displays deployment status error ID 0x87D00327. It also displays the description Script is not signed.
    Reports display the error type Discovery Error. Then reports display either error code 0x87D00327 and the description Script is not signed, or error code 0x87D00320 and the description The script host has not been installed yet. An example report is: Details of errors of configuration items in a configuration baseline for an asset.
    The DcmWmiProvider.log file displays the message Script is not signed (Error: 87D00327; Source: CCM).

    But this is a good article as usual Deepak

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.