nhottinger Posted May 25, 2016
We have an issue in our environment where the registry on many of our PCs has become corrupt due to a bad version of Trend Micro Encryption. Because of this we cannot install software or update IE once the registry is corrupt. We have worked with Trend but the only fix for this is to re-image the device. We have come to terms with this, but would like a way to find out which PCs in our environment have a corrupt registry so we can proactively "fix" them before it's a huge fire. To check the registry, we simply go to a command prompt and type: net start trustedinstaller. If it starts (or is already started) successfully the registry is fine. If it fails, the registry is corrupt. Is there any way to run a report against all our PCs with SCCM 2012 to show the bad PCs?
YPCC Posted May 25, 2016
Services (whether started, stopped or disabled) are collected as part of Hardware Inventory, I believe. To check this, search for any device in SCCM, right click, Resource Explorer, Services. You should see the services listed and the state they are in. Is this good enough, or do you actively need to run "net start trustedinstaller" in order to verify if the registry is bad or not?
nhottinger Posted June 7, 2016
If we run "net start trustedinstaller" and it fails to start, that is our giveaway that the registry is corrupt. I'd like to run that command on each device somehow.
Peter33 Posted June 7, 2016
Sounds like the perfect excuse to use the compliance settings once again, which will give you compliant and non-compliant collections on the fly.

    $result = $true
    if ((Get-Service -Name TrustedInstaller).Status -eq "Stopped") {
        # Service is stopped: try to start it, as "net start trustedinstaller" would
        Start-Service -Name TrustedInstaller -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        if ((Get-Service -Name TrustedInstaller).Status -ne "Running") {
            # Start failed: report non-compliant
            $result = $false
        }
        else {
            # Start succeeded: put the service back into its stopped state
            Stop-Service -Name TrustedInstaller -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        }
    }
    return $result
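An added example, not part of Peter33's post: a variant of the discovery script that also reports non-compliant when the service cannot be queried at all or hangs while starting or stopping. The function name Test-TrustedInstallerStart and the 30-second timeout are assumptions made for this example; it still returns a single Boolean, so it fits a Script setting with data type Boolean.

```powershell
# Added example: discovery script for a Boolean configuration item setting.
# Assumptions (not from the thread): function name, 30-second timeout,
# and "any error while querying or starting the service" = non-compliant.
function Test-TrustedInstallerStart {
    param(
        [string]$Name = 'TrustedInstaller',
        [int]$TimeoutSeconds = 30
    )
    $timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    try {
        # -ErrorAction Stop turns a failed query into an exception,
        # so a machine that cannot even read the service is flagged.
        $svc = Get-Service -Name $Name -ErrorAction Stop

        # Already started counts as healthy, as stated in the thread.
        if ($svc.Status -eq 'Running') { return $true }

        # Caught while starting: wait for it; a timeout throws.
        if ($svc.Status -eq 'StartPending') {
            $svc.WaitForStatus('Running', $timeout)
            return $true
        }

        # Caught in any other transition: let it settle to Stopped first.
        if ($svc.Status -ne 'Stopped') {
            $svc.WaitForStatus('Stopped', $timeout)
        }

        # The actual test: the equivalent of "net start trustedinstaller".
        Start-Service -InputObject $svc -ErrorAction Stop -WarningAction SilentlyContinue
        $svc.WaitForStatus('Running', $timeout)

        # Leave the machine as it was found.
        Stop-Service -InputObject $svc -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        return $true
    }
    catch {
        # Query failure, start failure or timeout: report non-compliant.
        return $false
    }
}

# The configuration item reads this single Boolean as the discovered value.
Test-TrustedInstallerStart
```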
nhottinger Posted June 8, 2016
Unfortunately I'm not familiar with how to set this up. Could you provide some assistance with that as well?
Peter33 Posted June 9, 2016
No problem. Open your SCCM Console and go to “Asset and Compliance“. Expand the Compliance Settings folder and right click the Configuration Items. Select “Create Configuration Item”, choose a proper name and click “Next” two times. Then click the “New” button and choose a name for the setting. As Setting Type choose “Script” and as data type “Boolean”. Under Discovery Script hit the “Add Script” button and paste in the PowerShell script. Switch to the Compliance Rules tab in the settings dialog and click the New button. Select a proper name again and confirm two times with the OK buttons. Then hit the Next button 3 times in the dialog window. Switch to the Configuration Baseline folder, right click it and choose “New Configuration Baseline”. Select a name and select your new configuration item by hitting the Add button. Confirm with OK. Now you can deploy the Configuration Baseline to a collection of your choice, which is similar to deploying an application. By right clicking the newly created deployment you can create your compliant/non-compliant collections.
nhottinger Posted June 10, 2016
Thanks for the walk through. I'll set this up and test.
nhottinger Posted June 15, 2016
Thanks Peter33. It seems to be working as expected. I appreciate your help!