Windows Client Health DEX Pack
| Monitor and maintain Windows endpoint health with the Windows Client Health integrated DEX Pack, which provides prebuilt policies, rules, and remediation actions for disk space, WMI integrity, service availability, and application crash monitoring. This reference explains the included instructions, triggers, checks, and automated fixes that help improve device stability, reduce support issues, and support proactive endpoint management through Endpoint Automation.
Used to create the Windows Client Health instruction set and Windows Client Health policy.
Over time Windows devices can develop performance problems related to device or service availability. This policy verifies the available storage capacity on devices, notifies of application crashes, monitors WMI health and service function, and also checks the behavior of core Windows services.
The Windows client health policy covers the following:
-
Manages Windows devices and service availability performance problems.
-
Safeguards disk space integrity, ensuring sufficient storage capacity.
-
Ensures optimum performance of the Configuration Manager client and that WMI is active and integrated.
-
Notifies of application crashes and remediation assists. Investigates root cause for specific issues.
This policy is intended for deployment to Windows devices only.
Instructions
The following table shows the instructions included in the Integrated Product Pack. Unless already uploaded, the following instructions are added to an Instruction set named: Windows Client Health
|
Readable Payload |
Type |
Description |
Name |
Version |
|---|---|---|---|---|
|
What applications have crashed? |
Question |
List application crashes. Returns an aggregated list of applications which have crashed and the number of times each of them crashed, including the application module which caused the crash, and application and module versions. The drill-down shows each device which suffered the crash, the file paths of the faulting application and module, the exception code and offset, and the time of the crash. |
1E-Explorer-WindowsClientHealth-ApplicationCrashes |
3 |
|
What crashes has <ApplicationName> suffered? |
Question |
List application crashes for a specific application. |
1E-Explorer-WindowsClientHealth-ApplicationCrashesFiltered |
3 |
|
What is the content of the Log located at <filepath>? |
Question |
Retrieve the content of a specified log file. |
1E-Explorer-WindowsClientHealth-GetLogFileContent |
3 |
|
Start the WMI service |
Action |
Start the Windows Management Instrumentation (WMI) service. |
1E-Explorer-WindowsClientHealth-StartWMIService |
3 |
Policies
-
Before deploying the Windows Client Health Policy you need to be familiar with its contents and comfortable that you want to apply it to the devices in your network.
-
By default, automated fixes in the Policies provided by 1E are not enabled, this means you will have to specifically enable the ones you want to use before they can take effect.
-
A new or updated Policy should first be verified by deploying it to a Management Group containing a small number of devices, reviewing the Endpoint Automation reports, and confirming the checks and enabled fixes are working as expected. When you are comfortable with the results you can then deploy to larger Management Groups.
-
The policy contains the rule Check application crash count (not assigned to any policy by default) which by default specifies the Application Name as MyApplication.exe. You do not need to change this before deployment, but you can edit the rule to specify an the executable that you want to monitor, or clone the rule to monitor other executables. You will need to edit the rule and change the name in the Trigger and the Check tabs.
The following table shows the policies included in the Integrated Product Pack.
|
Name |
Description |
|---|---|
|
Windows Client Health |
The Windows Client Health policy ensures that the health of the Windows operating system is compliant with a reference baseline. |
Rules
The following table shows the rules included in the Integrated Product Pack.
Any parameter values shown in the Check and Fix fragments, Triggers and Precondition fragment columns are specifically set in the rules when the pack is uploaded. These may be different from the default values shown in the Fragments table. You can modify these if required.
|
Name |
Type |
Description |
Check and Fix fragments |
Triggers |
Precondition fragment |
|---|---|---|---|---|---|
|
Check application crash count (not assigned to any policy by default) |
Check |
Check that an application has not crashed excessively. By default, this check is not assigned to the policy. |
1E-GuaranteedState-WindowsClientHealth-Check-ApplicationCrashes
ApplicationName is case insensitive but is required to be the filename of the executable for example unreliableapp.exe (without the path). . |
TriggerTemplate-ProcessCrash
The Executable parameter must match the ApplicationName parameter in the associated Check fragment.. |
1E-GuaranteedState-General-PreCondition-WindowsDevice
|
|
Check free disk space |
Check |
Check that the system disk has at least 5 Gb of free space. (changed from 2 to 5 Gb in v5.0) |
1E-GuaranteedState-WindowsClientHealth-Check-SystemDriveFreeSpace
|
TriggerTemplate-IntervalHours
|
1E-GuaranteedState-General-PreCondition-WindowsDevice
|
|
Check WMI repository health |
Check |
Check that the WMI repository is in a healthy state. |
1E-GuaranteedState-WindowsClientHealth-Check-WmiBasicHealth
|
TriggerTemplate-IntervalHours
|
1E-GuaranteedState-General-PreCondition-WindowsDevice
|
|
Ensure WMI service is running (not enabled and not assigned to any policy by default) |
Fix |
Ensure that the WMI service is running. By default, this fix is disabled, and not assigned to the policy. |
1E-GuaranteedState-General-Check-ServiceState
1E-GuaranteedState-WindowsClientHealth-Fix-StartWMIService
|
TriggerTemplate-ServiceStatusChange
|
1E-GuaranteedState-General-PreCondition-WindowsDevice
|
Fragments
The following table shows the fragments included in the Integrated Product Pack.
The Parameters column in the following table shows the ranges and default values for the parameters. The default values are used when you create custom rules using these fragments, unless you select alternative values.
|
Name |
Type |
Readable Payload and summary |
Parameters |
|---|---|---|---|
|
1E-GuaranteedState-General-PreCondition-InstalledSoftware |
Precondition |
Run if <SoftwareTitle> is installed Uses the Software.GetInstallations to see if SoftwareTitle is installed. For more information, refer to Writing instructions > Functions and Methods reference > Tachyon Agent Methods in the PDF version of the 1E SDK documentation. The Software Title parameter can be a partial string such as SQL Server which will match on the first SQL Server title that is found installed on the device. Not used by any policy rules by default. |
SoftwareTitle
|
|
1E-GuaranteedState-General-PreCondition-MinWindowsVersion |
Precondition |
Run if device is Windows <MinimumVersion> Uses Agent.GetSummary method to get MinimumVersion, and passes if it matches the given parameter.
Not used by any policy rules by default. |
MinimumVersion
|
|
1E-GuaranteedState-General-PreCondition-OperatingSystem |
Precondition |
Run if operating system is <OsText> Uses the Agent.GetSummary method to get OsText, and passes if it matches the given parameter. Not used by any policy rules by default. |
OsText
(default empty) |
|
1E-GuaranteedState-General-PreCondition-OSAndSoftware |
Precondition |
Run if operating system is <OsText> and <SoftwareTitle> is installed Uses the Agent.GetSummary method to get OsText. Uses the Software.GetInstallations to see if SoftwareTitle is installed. |
OsText
SoftwareTitle
|
|
Precondition |
Determine if device is running Windows Is Operating System type = Windows. Uses the Device.GetSummary method. |
No parameters |
|
|
Check |
Check that service "<ServiceName>" is <State> Uses the OperatingSystem.GetServiceInfo method to check the specified service is in the specified state. You specify the service by its short name. Service names are listed under registry HKLM\CurrentControlSet\Services. You can determine the short name of a service using the PowerShell cmdlet: Copy
The above example will return NlaSvc, whch is the short name you specify in the <ServiceName> parameter. Another example is WindDefend, which is the short name of the Microsoft Defender Antivirus Service. |
ServiceName
State
|
|
|
1E-GuaranteedState-WindowsClientHealth-Check-ApplicationCrashes |
Check |
Check that application <ApplicationName> has not suffered more than <MaxCrashCount> crashes for the last <Days> days <Days> is Days back from now. <ApplicationName> is case insensitive but is required to be the filename of the executable, for example unreliableapp.exe (without the path). This fragment queries the root\cimv2 WMI space with the query: "SELECT * FROM Win32_NTLogEvent WHERE (logfile='Application') AND (type='Error') AND (EventCode=1000) AND (Message LIKE '%name: %ApplicationName%,%')" in order to retrieve the event log entries relating to application crashes for a specific application. If the count of events exceeds the parameter <MaxCrashCount> then compliance failure is returned. |
ApplicationName
MaxCrashCount
Days
|
|
1E-GuaranteedState-WindowsClientHealth-Check-SystemDriveFreeSpace |
Check |
Check that system drive has at least <ThresholdGb> Gb of free space <ThresholdGb> is free space in gigabytes. This fragment runs the WMI query "Select DeviceId, FreeSpace from Win32_LogicalDisk" and filters the results to include just the system drive. It then determines whether the reported free space exceeds the <ThresholdGb> parameter and returns compliance failure if it does not. |
ThresholdGb
|
|
Check |
Check that Windows WMI repository is consistent and can process basic query This fragment first verifies repository integrity by issuing the command winmgmt /verifyrepository. If this reports that the repository is ok, the WMI query "Select Name from Win32_computerSystem" is issued against the root\cimv2 namespace. If this also succeeds, the fragment returns success, otherwise it returns failure, with the Data column containing one of the following depending on whether the consistent check or the subsequent query failed:
|
No parameters |
|
|
Fix |
Start the WMI service This fragment uses the OperatingSystem.ControlService method to set the action of the Winmgmt (WMI) service to Start. It then enumerates running services and if the service is now running, it returns compliance success otherwise failure. The data column in the response always contains the value winmgmt. |
No parameters |
Trigger templates
The following table shows the trigger templates included in the Windows Client Health Integrated Product Pack.
The Parameters column in the following table shows the ranges and default values for the parameters. The default values are used when you create custom rules using these templates, unless you select alternative values.
|
Name |
Readable Payload and summary |
Parameters |
|---|---|---|
|
TriggerTemplate-IntervalHours |
Every <intervalHours> hours Periodic (hours) |
Interval Hours
|
|
TriggerTemplate-IntervalMinutes |
Every <intervalMinutes> minutes Periodic (minutes) |
Interval Minutes
|
|
TriggerTemplate-IntervalSeconds |
Every <intervalSeconds> seconds Periodic (seconds) |
Interval Seconds
|
|
TriggerTemplate-ProcessCrash |
On crash of process "<executable>" When a process crashes (Windows only) Monitors the Windows Application Event Log for event 1000. Executable is case insensitive but is required to be the whole filename without the folder path, such as unreliableapp.exe A partial string such as unreliableapp will not trigger on a crash of unreliableapp.exe. |
Executable
|
|
TriggerTemplate-ServiceStatusChange |
On change of running state of the "<serviceName>" service When the state of the named Windows service changes. You can determine the short name of a service using the PowerShell cmdlet. Copy
This will return NlaSvc in the above example. It is this short name you specify in the <ServiceName> parameter. |
Service Name
|
|
TriggerTemplate-WindowsEventLog |
On Windows"<channel>"; event log entry matching "<query>" (debounce for <debounce> seconds) When an event log entry is created (Windows only). A channel is an event sink, example standard channel names are Application or Security. To determine the available event channels execute the following PowerShell command: Copy
Or to view the event channels on a remote computer: Copy
Similarly to view event log entries for a given channel either use Event Viewer or from PowerShell for example: Copy
Or: Copy
A query is used to filter the event log messages for a given channel. Examples can be found at Consuming Events (Windows Event Log). For example to query all OneNote application crashes error log messages: Copy
Debounce is a settling period to ensure that in the case of multiple events, only a single event is registered within the space of a given time period. |
Channel
Query
Debounce Time Seconds
|
|
TriggerTemplate-WindowsRegistryChange (added in 5.0) |
On change of registry values in "<hive>\<subkey>" (include subkeys=<includeSubkeys>) When the value of a Windows registry key changes. |
Hive, which must be one of:
Subkey : free text string, default empty. Include Sub Keys : 1/0 default 0. |