Application Resilience policies for Microsoft SCCM

Application Resilience policies for Microsoft SCCM are supported on devices running:

• a supported version of the Windows operating system

• PowerShell version 5.1 or higher

  Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.

• one of the following versions of Microsoft SCCM:

  • 5.00.x

The following table describes the health checks performed on the Microsoft SCCM components:

If you select Report higher versions as Compliant, higher versions report Compliant if all health checks, other than the version check, pass.

Microsoft SCCM component	Test performed
Windows Management Instrumentation (WMI)	A connection can be established to the WMI and a simple query can be run
Admin share1	The admin share is present and enabled
Assigned site1	The assigned site can be retrieved
Domain attribute1	The domain attribute is reachable and the device is on the network
Client version	The version number of the installed SCCM client
Client variables	The SCCM client variables can be retrieved
CCM services	The SCCM client service and its dependent services are running Services checked: SMS Agent Host (ccmexec)2 Windows Management Instrumentation (winmgmt) Server (lanmanserver)1 Remote Procedure Call (rpcss)
Management point1	The management point can be retrieved
Registry setting for DCOM	DCOM is enabled and allows for remote client connections
Hardware inventory1	A hardware scan has been run and the last hardware inventory date and time can be retrieved
Software inventory1	A software scan has been run and the last software inventory data and time can be retrieved
Application name
The application uses the following name: Configuration Manager Client

¹ Only checked if selected in the policy configuration

² If Microsoft SCCM is using Task Sequence, the RAR component doesn't check to see if SMS Agent Host (ccmexec) is running

You can configure an Application Resilience policy for Microsoft SCCM to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Microsoft SCCM if it's not functioning, or reinstall it if it's missing or can't be repaired.

Depending on the Absolute product licenses associated with your account, the Report and repair and Report, repair, and reinstall options may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue	Resolution
Repair
The WMI service isn't running, or it can't be queried	The RAR component runs a Windows process (ccmrepair.exe) to repair the WMI service.
Admin share isn't enabled, or it isn't present1	The RAR component restarts the Server (lanmanserver) service.
One or more of the following Microsoft SCCM services are not running: SMS Agent Host (ccmexec)2 Windows Management Instrumentation (winmgmt) Server (lanmanserver)1 Remote Procedure Call (rpcss)	The RAR component restarts each stopped service. Application Resilience can't repair or reinstall the SCCM client if a service (other than the SMS Agent Host service) is removed.
The DCOM registry key has an incorrect value	The RAR component resets the registry key.
No scan date and time detected for hardware inventory scans1	The RAR component reschedules the scan.
No scan date and time detected for software inventory scans1
Reinstall
Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.
The SMS Agent Host (ccmexec) service isn't installed	The RAR component downloads and installs the configured version of the application. If Hardware inventory scan and/or Software inventory scan are selected in the policy configuration, no scan date and time are detected for them, and rescheduling the scans doesn't resolve the issue, the device reports as Not Compliant. The RAR component doesn't attempt to reinstall the configured version of the client as it may not fix the issue. If the device continues to report as Not Compliant, you can try deselecting the Hardware inventory scan and/or the Software inventory scan in the policy configuration.
Microsoft SCCM failed to be repaired, or the expected version isn't installed

¹ Only checked if selected in the policy configuration

² If Microsoft SCCM is using Task Sequence, the RAR component doesn't check to see if SMS Agent Host (ccmexec) is running

If you want the Secure Endpoint Agent to reinstall Microsoft SCCM if it is non-functional or missing, you need to prepare the Microsoft SCCM installer file.

To prepare the installer:

1. On the SCCM Server, navigate to the following location:

   C:\Program Files\Microsoft Configuration Manager\Client

2. Select all files and folders in the Client folder and add them to a new zip file.

   Do not include the Client folder in your zip file; only include its contents.

3. Copy the zip file to the location where you want to store the installer. You can host the installer on any web server. Both HTTP and HTTPS protocols are supported. If necessary, you can restrict access to the download by enabling HTTP basic authentication on the server.
4. Use a hash generator tool of your choice to generate a SHA-256 hash. For example, you can use the CertUtil.exe command-line utility, which is included with most Windows operating systems.

The Microsoft SCCM installer file is prepared.

You need to regenerate the hash if you make changes to the ZIP file.

Before you activate an Application Resilience policy you need to configure the policy. In addition to the settings in Configuring Application Resilience policies, you need to configure the application version and select the Microsoft SCCM-related components that apply to your organization.

To configure the application version and Microsoft SCCM components:

1. Under Microsoft SCCM version, enter the version of Microsoft SCCM you expect to be running on your devices.

   • The target version must be a sequence of digits separated by a period.

   • You can use wildcard "*" characters after the major version number, for example, 5.* or 5.00.* or 5.00.9068.*.

   Make sure the version you are entering is consistent with version 5.* or higher.

2. By default, the policy performs a number of health checks of Microsoft SCCM components. If a particular Microsoft SCCM component isn't applicable to your organization's Microsoft SCCM deployment, the health check may return a status of Not Compliant when Microsoft SCCM is, in fact, functioning correctly. To avoid false results, you can exclude one or more of the following components from the Microsoft SCCM health check by clearing the component's checkbox:

   SCCM component	Description
   Admin share	The admin share is used to deploy the Microsoft SCCM software remotely by allowing administrative remote access to the disk volume over the network. The health check tests that the admin share is present and enabled.
   Assigned site	The health check tests to see if the assigned site can be retrieved.
   Domain attribute	The health check tests to see if the domain attribute is reachable and the device is on the network.
   Lanmanserver service	This service enables the sharing of file and print resources over the network. The health check detects if the lanmanserver service is running.
   Management point	The health check tests to see if the management point can be retrieved.
   Hardware inventory scan (report and repair only)	The health check detects the date and time when the SCCM client last scanned a device's installed hardware.
   Software inventory scan (report and repair only)	The health check detects the date and time when the SCCM client last scanned a device's installed software.

If you selected Report and repair, you need to enter the folder where the ccmrepair.exe file is located.

If you selected Report, repair, and reinstall, use the installer and SHA-256 Hash key from Preparing the Microsoft SCCM installer file in Configuring Application Resilience settings and, if required, configure and upload the installation file.

To configure the Microsoft SCCM specific settings:

1. Under Folder location of ccmrepair.exe, enter the location of the folder that contains the ccmrepair.exe file. If you use a configuration file, this is likely the value used for the CCMINSTALLDIR parameter.

2. Depending on your Microsoft SCCM implementation, a configuration file may be required to set parameters for the Microsoft SCCM client installation. Create the configuration file using the mobileclienttemplate.tcf template file stored in the following location on the SCCM site server:

   Copy

   <Configuration Manager directory>\bin\<platform>

   For more information about creating a configuration file, refer to the Microsoft System Center documentation.

   • To add a new configuration file, click Upload File, navigate to the file, and select it. The file name shows next to the Upload File button.
   • To remove a configuration file that was uploaded previously, select the checkbox next to Delete previously uploaded config file.

3. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

   • The application version is lower than the expected version.
   • The application can't be repaired.