FIS DCM Compliance Rules Error 0x87d00320 Issue with ConfigMgr | SCCM

Let’s see how to Fix DCM Compliance Rules Error 0x87d00320 issue with SCCM (Configuration Manager). Learn how to create or build the Desired Configuration Management (DCM).

The rule fails to run and evaluate when creating a configuration item and targeting it using configuration baseline. It fails with the error “0x87d00320 – The script host has not been installed yet.”

FIX DCM Compliance Rules Error 0x87d00320 with ConfigMgr
FIX DCM Compliance Rules Error 0x87d00320 with ConfigMgr

Compliance baseline with Powershell script was failing to evaluate.

Since there was a registry key (HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\Path) which points to the C:\windows\System32\WindowsPowershell\v1.0\Powershell.exe’ was missing on the clients (Both Server 2008 and 2012).

Patch My PC

I tried to create them and evaluate the baseline manually and found the baseline evaluation was successful.

Troubleshooting Summary SCCM Compliance Rules Error 0x87d00320

Let’s see the troubleshooting Summary for SCCM Compliance Rules Error 0x87d00320 in the below list.

  • Issues was happening on both VMs and Physical machines.
  • We have tried rebooting the client but the issue persists.
  • We created a baseline with only one Configuration Item but the issue remained.
  • We looked at the client logs and found the below error.

Log Details

Let’s identify the trouble “Compliance Rules Error 0x87d00320” via SCCM Logs DcmWmiProvider.log.

ScriptProvider::ReadDiscoveryInformation - ScriptType:0        
ScriptProvider 
The needed Powershell script host is not installed.        
ScriptProvider  7044 (0x1B84)
Failed in discovering instance. 
The script host has not been installed yet. (Error: 87D00320; Source: CCM) ScriptProvider   7044 (0x1B84)
Failed to do HandleExecQueryAsync(). 
The script host has not been installed yet. (Error: 87D00320; Source: CCM)        ScriptProvider 7044 (0x1B84)
Failed to process CScriptProvider::GExecQueryAsync. 
The script host has not been installed yet. (Error: 87D00320; Source: CCM)  ScriptProvider 7044 (0x1B84) 

Solution – Compliance Rules Error 0x87d00320

Error 0x87d00320 translates to the script host has not been installed yet. Source: System Center Configuration Manager.

We have verified and confirmed that the Powershell execution policy was set to ‘Bypass’ in the client settings>Computer Agent.

https://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_ComputerAgentDeviceSettings

Also, we have confirmed that the Powershell was set to Remote signed on the local machine through the GPO. We have also checked and confirmed that Powershell 2.0 was already enabled.

Fix DCM Compliance Rules Error 0x87d00320 with ConfigMgr | SCCM
Fix DCM Compliance Rules Error 0x87d00320 with ConfigMgr | SCCM
[X] Windows PowerShell PowerShellRoot Installed
[X] Windows PowerShell 4.0 PowerShell Installed
[X] Windows PowerShell 2.0 Engine PowerShell-V2 Installed
[ ] Windows PowerShell Desired State Configuration. DSC-Service  Available
[X] Windows PowerShell ISE PowerShell-ISE Installed
[ ] Windows PowerShell Web Access WindowsPowerShellWeb... Available 
  • We tried adding the below registry manually and rebooted the client and checked but it didn’t help.
    • reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 1 /f
    • reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v ExecutionPolicy /d RemoteSigned /f
  • Created a new client setting with Computer agent the PowerShell execution policy was set to ‘Bypass’ and deployed to few clients for testing, but it didn’t help.
  • Checked the settings using ‘Policy spy’ and confirmed that the value was set to 1.
  • I have tried to reproduce the issue in my lab using the same script and the issue was not occurring.
    • Invoke-WmiMethod -Namespace “ROOT\ccm\ClientSDK” -Class CCM_ClientUtilities -Name DetermineIfRebootPending  | select-object -ExpandProperty “RebootPending”
  • Move the client to another OU without any GPO inherited and check the results.
  • We have updated that we have already tested it by disabling most of the GPOs except few which is needed.
  • Suggested to take a Procmon while reproducing the issue.
  • Reviewed procmon and found the below entry.
    • wmiprvse.exe   1104  RegQueryValue                HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\Path  NAME NOT FOUND C:\WINDOWS\system32\wbem\wmiprvse.exe   Length: 44       NT AUTHORITY\SYSTEM

I have checked in my lab and could see the above registry key, hence compared it with non-working machines and found the Registry key was missing.

We have created the registry value manually and evaluated the baseline, and found the baseline evaluation was successful.

Resources

Author

My name is Deepak Rai, and I am a Technical Lead on SCCM and Intune with more than 14 years of experience in IT. My main domain is SCCM (AKA ConfigMgr, CB, MECM, etc.), Intune, and Azure (Runbooks). I have worked on several platforms (Active Directory, Exchange, Veritas NETBACKUP, Symantec Backup Exec, NDMP devices Like Netapp, EMC Data Domain, Quantum using Backup Exec 2010 and 2012, HP storage works 4048 MSL G3, Data Deduplication related troubleshooting.) in these 13 years but at last ended up to the technology from which I started as IT Engineer (SCCM).

2 thoughts on “FIS DCM Compliance Rules Error 0x87d00320 Issue with ConfigMgr | SCCM”

  1. actually this is documented and noted here
    https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/about-client-settings

    Tip
    If unsigned scripts fail to run because of this client setting, Configuration Manager reports this error in the following ways:

    The Monitoring workspace in the console displays deployment status error ID 0x87D00327. It also displays the description Script is not signed.
    Reports display the error type Discovery Error. Then reports display either error code 0x87D00327 and the description Script is not signed, or error code 0x87D00320 and the description The script host has not been installed yet. An example report is: Details of errors of configuration items in a configuration baseline for an asset.
    The DcmWmiProvider.log file displays the message Script is not signed (Error: 87D00327; Source: CCM).

    But this is a good article as usual Deepak

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.