SCCM 2012 R2 Compliance Error 87D00329

This topic contains 1 reply, has 2 voices, and was last updated by Tore Groneng 2 years, 1 month ago.

  • #31831

    Chris Dial
    Participant

    We have a few compliance items set up in SCCM 2012 R2 that use PowerShell scripts for detection and remediation. Most of these scripts are relatively simple, and have been working fine as compliance items using PowerShell 2.0. We have recently upgraded our workstations to Windows Management Framework 4, in an effort to bring them up to WMF 5. Unfortunately, this appears to have broken the compliance items. The scripts still run fine locally, but return error 0x87d00329 when initiated during compliance evaluation. The following gets reported to the event log when the compliance items try to run:

    ```
    Version=1
    EventType=PowerShell
    EventTime=130912064509210575
    ReportType=1
    Consent=1
    ReportIdentifier=7b8c723e-83c7-11e5-b958-9890969d9453
    Response.type=4
    Sig[0].Name=NameOfExe
    Sig[0].Value=powershell.exe
    Sig[1].Name=FileVersionOfSystemManagementAutomation
    Sig[1].Value=10.0.10105.0
    Sig[2].Name=InnermostExceptionType
    Sig[2].Value=System.ArgumentException
    Sig[3].Name=OutermostExceptionType
    Sig[3].Value=System.ArgumentException
    Sig[4].Name=DeepestPowerShellFrame
    Sig[4].Value=werShell.ConsoleHost.InitializeStandardInputReader
    Sig[5].Name=DeepestFrame
    Sig[5].Value=System.IO.FileStream..ctor
    Sig[6].Name=ThreadName
    Sig[6].Value=Consol.. main thread
    DynamicSig[1].Name=OS Version
    DynamicSig[1].Value=6.1.7601.2.1.0.256.4
    DynamicSig[2].Name=Locale ID
    DynamicSig[2].Value=1033
    FriendlyEventName=PowerShell
    ConsentKey=PowerShell
    AppName=powershell
    AppPath=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ```

    Here is an example of one of the scripts that is having problems now:

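    ```powershell
    # Detection script: reports "Compliant" when $add is a member of the local Administrators group.
    $compliance = "Non-Compliant"
    $domain = "MyDomain"
    $add = "MyLocalAdmins"
    # Bind to the local Administrators group through the ADSI WinNT provider.
    $group = [ADSI]"WinNT://./Administrators,group"
    $test = @($group.Invoke("Members"))
    Foreach ($member in $test) {
        # Members are COM objects, so the Name property is read via reflection.
        If ($member.GetType().InvokeMember("Name", 'GetProperty', $null, $member, $null) -eq $add) {
            $compliance = "Compliant"
        }
    }
    # Emit the result for the compliance rule to evaluate.
    $compliance
    ```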

  • #31857

    Tore Groneng
    Participant

    I would start with running the script manually on a failing node. If that works, I would look into the execution policy for the user the script runs as. Does the script execute from a local drive, or does it reside on a network disk/mapped disk?

    The event log information hints at the System.IO.FileStream constructor thingy. If you have a compliance script that involves file operations, you could try to look at that.

    If you are still stuck after this, I would set up a PowerShell transcript for a single workstation and inspect the log file after the compliance script has been invoked.

    Cheers

    Tore
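
The checks suggested in the reply above (review the execution policy, then capture a transcript on a single workstation) could be scripted as follows. This is an added example, not code from either poster; it assumes PowerShell 5.0 or later for policy-based transcription, and `C:\PSTranscripts` and the function names are placeholders.

```powershell
# Added example (not from the thread). Run elevated on ONE failing workstation.
# Assumptions: PowerShell 5.0+; C:\PSTranscripts and the function names are placeholders.
$TranscriptDir = 'C:\PSTranscripts'
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$script:CreatedKey = $false

function Enable-TroubleshootingTranscript {
    if ($PSVersionTable.PSVersion.Major -lt 5) {
        throw 'Policy-based transcription needs PowerShell 5.0 or later.'
    }
    if (Test-Path $PolicyKey) {
        # Never overwrite a transcription policy that is already deployed.
        throw "Transcription policy already present at $PolicyKey; read its OutputDirectory instead."
    }
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    New-Item -Path $PolicyKey -Force | Out-Null
    $script:CreatedKey = $true
    New-ItemProperty -Path $PolicyKey -Name EnableTranscripting    -Value 1 -PropertyType DWord | Out-Null
    New-ItemProperty -Path $PolicyKey -Name EnableInvocationHeader -Value 1 -PropertyType DWord | Out-Null
    New-ItemProperty -Path $PolicyKey -Name OutputDirectory -Value $TranscriptDir -PropertyType String | Out-Null
}

function Disable-TroubleshootingTranscript {
    # Only remove the key if this script created it.
    if ($script:CreatedKey) {
        Remove-Item -Path $PolicyKey -Force
        $script:CreatedKey = $false
    }
}

# CurrentUser below is the account running this check, not the account the
# compliance script runs as; MachinePolicy and LocalMachine apply to every account.
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-Host

$start = Get-Date
Enable-TroubleshootingTranscript
try {
    Read-Host 'Trigger the compliance evaluation on this client, then press Enter' | Out-Null
    # List transcripts written by any PowerShell host started since $start.
    Get-ChildItem -Path $TranscriptDir -Recurse -Filter '*.txt' |
        Where-Object { $_.LastWriteTime -ge $start } |
        Select-Object FullName, LastWriteTime, Length
} finally {
    Disable-TroubleshootingTranscript
}
```

While the policy is set, the transcript directory receives output from every PowerShell session on the machine, so limit who can read it and delete it after the test.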
