Windows Client Health DEX Pack

Multi-tenant SaaS platform Green checkmark | Single-tenant SaaS platform | On-premises platform

Used to create the Windows Client Health instruction set and Windows Client Health policy.

Over time Windows devices can develop performance problems related to device or service availability. This policy verifies the available storage capacity on devices, notifies of application crashes, monitors WMI health and service function, and also checks the behavior of core Windows services.

The Windows client health policy covers all of the following:

Manages Windows devices and service availability performance problems
Safeguards disk space integrity, ensuring sufficient storage capacity
Ensures optimum performance of the Configuration Manager client and that WMI is active and integrated
Notifies of application crashes and remediation assists. Investigates root cause for specific issues.

This policy is intended for deployment to Windows devices only.

Instructions

The following table shows the instructions included in the Integrated Product Pack. Unless already uploaded, the following instructions are added to an Instruction set named: Windows Client Health

Readable Payload	Type	Description	Name	Version
What applications have crashed?	Question	List application crashes. Returns an aggregated list of applications which have crashed and the number of times each of them crashed, including the application module which caused the crash, and application and module versions. The drill-down shows each device which suffered the crash, the file paths of the faulting application and module, the exception code and offset, and the time of the crash.	1E-Explorer-WindowsClientHealth-ApplicationCrashes	3
What crashes has <ApplicationName> suffered?	Question	List application crashes for a specific application.	1E-Explorer-WindowsClientHealth-ApplicationCrashesFiltered	3
What is the content of the Log located at <filepath>?	Question	Retrieve the content of a specified log file.	1E-Explorer-WindowsClientHealth-GetLogFileContent	3
Start the WMI service	Action	Start the Windows Management Instrumentation (WMI) service.	1E-Explorer-WindowsClientHealth-StartWMIService	3

Policies

Before deploying the Windows Client Health Policy you need to be familiar with its contents and comfortable that you want to apply it to the devices in your network.
By default, automated fixes in the Policies provided by 1E are not enabled, this means you will have to specifically enable the ones you want to use before they can take effect.
A new or updated Policy should first be verified by deploying it to a Management Group containing a small number of devices, reviewing the Endpoint Automation reports, and confirming the checks and enabled fixes are working as expected. When you are comfortable with the results you can then deploy to larger Management Groups.
The policy contains the rule Check application crash count (not assigned to any policy by default) which by default specifies the Application Name as MyApplication.exe. You do not need to change this before deployment, but you can edit the rule to specify an the executable that you want to monitor, or clone the rule to monitor other executables. You will need to edit the rule and change the name in the Trigger and the Check tabs.

The following table shows the policies included in the Integrated Product Pack.

Name	Description
Windows Client Health	The Windows Client Health policy ensures that the health of the Windows operating system is compliant with a reference baseline.

Rules

The following table shows the rules included in the Integrated Product Pack.

Any parameter values shown in the Check and Fix fragments, Triggers and Precondition fragment columns are specifically set in the rules when the pack is uploaded. These may be different from the default values shown in the Fragments table. You can modify these if required.

Name	Type	Description	Check and Fix fragments	Triggers	Precondition fragment
Check application crash count (not assigned to any policy by default)	Check	Check that an application has not crashed excessively. By default, this check is not assigned to the policy.	1E-GuaranteedState-WindowsClientHealth-Check-ApplicationCrashes ApplicationName=myApplication.exe MaxCrashCount=1 Days=7 ApplicationName is case insensitive but is required to be the filename of the executable for example unreliableapp.exe (without the path). .	TriggerTemplate-ProcessCrash Executable=myApplication.exe The Executable parameter must match the ApplicationName parameter in the associated Check fragment..	1E-GuaranteedState-General-PreCondition-WindowsDevice No parameters
Check free disk space	Check	Check that the system disk has at least 5 Gb of free space. (changed from 2 to 5 Gb in v5.0)	1E-GuaranteedState-WindowsClientHealth-Check-SystemDriveFreeSpace ThresholdGb=5	TriggerTemplate-IntervalHours Interval Hours=6	1E-GuaranteedState-General-PreCondition-WindowsDevice No parameters
Check WMI repository health	Check	Check that the WMI repository is in a healthy state.	1E-GuaranteedState-WindowsClientHealth-Check-WmiBasicHealth No parameters	TriggerTemplate-IntervalHours Interval Hours=3	1E-GuaranteedState-General-PreCondition-WindowsDevice No parameters
Ensure WMI service is running (not enabled and not assigned to any policy by default)	Fix	Ensure that the WMI service is running. By default, this fix is disabled, and not assigned to the policy.	1E-GuaranteedState-General-Check-ServiceState ServiceName=winmgmt State=Running 1E-GuaranteedState-WindowsClientHealth-Fix-StartWMIService No parameters	TriggerTemplate-ServiceStatusChange Service Name=winmgmt	1E-GuaranteedState-General-PreCondition-WindowsDevice No parameters

Fragments

The following table shows the fragments included in the Integrated Product Pack.

The Parameters column in the following table shows the ranges and default values for the parameters. The default values are used when you create custom rules using these fragments, unless you select alternative values.

Name	Type	Readable Payload and summary	Parameters
1E-GuaranteedState-General-PreCondition-InstalledSoftware	Precondition	Run if <SoftwareTitle> is installed Uses the Software.GetInstallations to see if SoftwareTitle is installed. The Software Title parameter can be a partial string such as SQL Server which will match on the first SQL Server title that is found installed on the device. Not used by any policy rules by default.	SoftwareTitle default empty
1E-GuaranteedState-General-PreCondition-MinWindowsVersion	Precondition	Run if device is Windows <MinimumVersion> Uses Agent.GetSummary method to get MinimumVersion, and passes if it matches the given parameter. XP or greater (5.2) - also matches Server 2003 Vista or greater (6.0) - also matches Server 2008 7 or greater (6.1) - also matches Server 2008 R2 8 or greater (6.2) - also matches Server 2012 8.1 or greater (6.3) - also matches Server 2012 R2 10 or greater (10.0) - also matches Server 2016 Not used by any policy rules by default.	MinimumVersion XP or greater Vista or greater 7 or greater 8 or greater 8.1 or greater 10 or greater (default)
1E-GuaranteedState-General-PreCondition-OperatingSystem	Precondition	Run if operating system is <OsText> Uses the Agent.GetSummary method to get OsText, and passes if it matches the given parameter. Not used by any policy rules by default.	OsText Android macOS Red Hat SUSE Ubuntu Windows 10 Windows 7 Windows 8.1 Windows Server 2012 Windows Server 2016 Windows Vista Windows XP (default empty)
1E-GuaranteedState-General-PreCondition-OSAndSoftware	Precondition	Run if operating system is <OsText> and <SoftwareTitle> is installed Uses the Agent.GetSummary method to get OsText. Uses the Software.GetInstallations to see if SoftwareTitle is installed.	OsText see above SoftwareTitle default empty
1E-GuaranteedState-General-PreCondition-WindowsDevice	Precondition	Determine if device is running Windows Is Operating System type = Windows. Uses the Device.GetSummary method.	No parameters
1E-GuaranteedState-General-Check-ServiceState	Check	Check that service "<ServiceName>" is <State> Uses the OperatingSystem.GetServiceInfo method to check the specified service is in the specified state. You specify the service by its short name. Service names are listed under registry HKLM\CurrentControlSet\Services. You can determine the short name of a service using the PowerShell cmdlet: Copy `get-service -DisplayName "Network Location Awareness"` The above example will return NlaSvc, whch is the short name you specify in the <ServiceName> parameter. Another example is WindDefend, which is the short name of the Microsoft Defender Antivirus Service.	ServiceName default empty State Running Stopped
1E-GuaranteedState-WindowsClientHealth-Check-ApplicationCrashes	Check	Check that application <ApplicationName> has not suffered more than <MaxCrashCount> crashes for the last <Days> days <Days> is Days back from now. <ApplicationName> is case insensitive but is required to be the filename of the executable, for example unreliableapp.exe (without the path). This fragment queries the root\cimv2 WMI space with the query: *"SELECT FROM Win32_NTLogEvent WHERE (logfile='Application') AND (type='Error') AND (EventCode=1000) AND (Message LIKE '%name: %ApplicationName%,%')" in order to retrieve the event log entries relating to application crashes for a specific application. If the count of events exceeds the parameter <MaxCrashCount>** then compliance failure is returned.	ApplicationName default empty MaxCrashCount default 1 Days default 7
1E-GuaranteedState-WindowsClientHealth-Check-SystemDriveFreeSpace	Check	Check that system drive has at least <ThresholdGb> Gb of free space <ThresholdGb> is free space in gigabytes. This fragment runs the WMI query "Select DeviceId, FreeSpace from Win32_LogicalDisk" and filters the results to include just the system drive. It then determines whether the reported free space exceeds the <ThresholdGb> parameter and returns compliance failure if it does not.	ThresholdGb 0 to 999, no default
1E-GuaranteedState-WindowsClientHealth-Check-WmiBasicHealth	Check	Check that Windows WMI repository is consistent and can process basic query This fragment first verifies repository integrity by issuing the command winmgmt /verifyrepository. If this reports that the repository is ok, the WMI query "Select Name from Win32_computerSystem" is issued against the root\cimv2 namespace. If this also succeeds, the fragment returns success, otherwise it returns failure, with the Data column containing one of the following depending on whether the consistent check or the subsequent query failed: WMI repository is not consistent WMI repository is consistent but failed to process basic query	No parameters
1E-GuaranteedState-WindowsClientHealth-Fix-StartWMIService	Fix	Start the WMI service This fragment uses the OperatingSystem.ControlService method to set the action of the Winmgmt (WMI) service to Start. It then enumerates running services and if the service is now running, it returns compliance success otherwise failure. The data column in the response always contains the value winmgmt.	No parameters

Trigger templates

The following table shows the trigger templates included in the Windows Client Health Integrated Product Pack.

The Parameters column in the following table shows the ranges and default values for the parameters. The default values are used when you create custom rules using these templates, unless you select alternative values.

Name	Readable Payload and summary	Parameters
TriggerTemplate-IntervalHours	Every <intervalHours> hours Periodic (hours)	Interval Hours 0 to 999 hours (approximately 42 days), default interval is 12 hours.
TriggerTemplate-IntervalMinutes	Every <intervalMinutes> minutes Periodic (minutes)	Interval Minutes 0 to 99,999 minutes (approximately 69 days), default interval is 30 minutes.
TriggerTemplate-IntervalSeconds	Every <intervalSeconds> seconds Periodic (seconds)	Interval Seconds 0 to 999,999 seconds (approximately 11 days), default interval is 3600 seconds (1 hour).
TriggerTemplate-ProcessCrash	On crash of process "<executable>" When a process crashes (Windows only) Monitors the Windows Application Event Log for event 1000. Executable is case insensitive but is required to be the whole filename without the folder path, such as unreliableapp.exe A partial string such as unreliableapp will not trigger on a crash of unreliableapp.exe.	Executable Filename of executable to be monitored, default is empty.
TriggerTemplate-ServiceStatusChange	On change of running state of the "<serviceName>" service When the state of the named Windows service changes. You can determine the short name of a service using the PowerShell cmdlet. Copy `get-service -DisplayName "Network Location Awareness"` This will return NlaSvc in the above example. It is this short name you specify in the <ServiceName> parameter.	Service Name Short name of service - for example NomadBranch.
TriggerTemplate-WindowsEventLog	On Windows"<channel>"; event log entry matching "<query>" (debounce for <debounce> seconds) When an event log entry is created (Windows only). A channel is an event sink, example standard channel names are Application or Security. To determine the available event channels execute the following PowerShell command: Copy `Get-WinEvent -ListLog ` Or to view the event channels on a remote computer: Copy `Get-WinEvent -ListLog -ComputerName <hostname>` Similarly to view event log entries for a given channel either use Event Viewer or from PowerShell for example: Copy `Get-EventLog application \| where {($_.EntryType -Match "Error") -or ($_.EntryType -Match "Warning")}` Or: Copy `[dateTime]$oneWeekAgo = (get-date).addDays(-7) Get-EventLog -LogName Application -After $oneWeekAgo -computerName . \| ? {$_.EventID -eq 1000}` A query is used to filter the event log messages for a given channel. Examples can be found at Consuming Events (Windows Event Log). For example to query all OneNote application crashes error log messages: Copy `[System[(Level=2) and (EventID=1000)]] and [EventData[Data='onenote.exe']]` Debounce is a settling period to ensure that in the case of multiple events, only a single event is registered within the space of a given time period.	Channel Text string, default null. Query Text string, default null. Debounce Time Seconds 0 to 99 seconds, default 0.
TriggerTemplate-WindowsRegistryChange (added in 5.0)	On change of registry values in "<hive>\<subkey>" (include subkeys=<includeSubkeys>) When the value of a Windows registry key changes.	Hive, which must be one of: HKLM (default) HKCR Subkey : free text string, default empty. Include Sub Keys : 1/0 default 0.

Name

Readable Payload and summary

Parameters

TriggerTemplate-IntervalHours

Every <intervalHours> hours

Periodic (hours)

Interval Hours

0 to 999 hours (approximately 42 days), default interval is 12 hours.

TriggerTemplate-IntervalMinutes

Every <intervalMinutes> minutes

Periodic (minutes)

Interval Minutes

0 to 99,999 minutes (approximately 69 days), default interval is 30 minutes.

TriggerTemplate-IntervalSeconds

Every <intervalSeconds> seconds

Periodic (seconds)

Interval Seconds

0 to 999,999 seconds (approximately 11 days), default interval is 3600 seconds (1 hour).

TriggerTemplate-ProcessCrash

On crash of process "<executable>"

When a process crashes (Windows only)

Monitors the Windows Application Event Log for event 1000.

Executable is case insensitive but is required to be the whole filename without the folder path, such as unreliableapp.exe A partial string such as unreliableapp will not trigger on a crash of unreliableapp.exe.

Executable

Filename of executable to be monitored, default is empty.

TriggerTemplate-ServiceStatusChange

On change of running state of the "<serviceName>" service

When the state of the named Windows service changes.

You can determine the short name of a service using the PowerShell cmdlet.

Copy

get-service -DisplayName "Network Location Awareness"

This will return NlaSvc in the above example. It is this short name you specify in the <ServiceName> parameter.

Service Name

Short name of service - for example NomadBranch.

TriggerTemplate-WindowsEventLog

On Windows"<channel>"; event log entry matching "<query>" (debounce for <debounce> seconds)

When an event log entry is created (Windows only).

A channel is an event sink, example standard channel names are Application or Security.

To determine the available event channels execute the following PowerShell command:

Copy

Get-WinEvent -ListLog *

Or to view the event channels on a remote computer:

Copy

Get-WinEvent -ListLog * -ComputerName <hostname>

Similarly to view event log entries for a given channel either use Event Viewer or from PowerShell for example:

Copy

Get-EventLog application | where {($_.EntryType -Match "Error") 
-or ($_.EntryType -Match "Warning")}

Or:

Copy

[dateTime]$oneWeekAgo = (get-date).addDays(-7) Get-EventLog -LogName Application 
-After $oneWeekAgo -computerName . | ? {$_.EventID -eq 1000}

A query is used to filter the event log messages for a given channel. Examples can be found at Consuming Events (Windows Event Log).

For example to query all OneNote application crashes error log messages:

Copy

*[System[(Level=2) and (EventID=1000)]] and *[EventData[Data='onenote.exe']]

Debounce is a settling period to ensure that in the case of multiple events, only a single event is registered within the space of a given time period.

Channel

Text string, default null.

Query

Text string, default null.

Debounce Time Seconds

0 to 99 seconds, default 0.

TriggerTemplate-WindowsRegistryChange

(added in 5.0)

On change of registry values in "<hive>\<subkey>" (include subkeys=<includeSubkeys>)

When the value of a Windows registry key changes.

Hive, which must be one of:

HKLM (default)
HKCR

Subkey : free text string, default empty.

Include Sub Keys : 1/0 default 0.