SCCM Compliance Settings Scripts to Alter Service State

Previously I showed how I used SCCM Compliance Settings and Boundary Groups to apply BITS settings. This time I have a discovery and remediation script that can be used with enforce a specific state on a service. If you want to make sure a client’s App-V service stays up or Windows Defender is disabled because you are using another security suite, this could be of help. The script uses variables so someone could easily set the state of the service and start type to what they want.

I am just going to go over the scripts and not how to do the Compliance Settings stuff Microsoft has documentation explaining that better than I can.

There are four variables that need to be set:

$name = Name of the service. I typically get it by running the get-service cmdlet on a box I know has the service and use the Name field to get the proper name
$dsrdstrt = The desired start type which can be Automatic, Manual, or Disabled
$dsrdstt = The desired state for the service which can be Running, Stopped, Paused
$logfile = The path and name of the log file

That is all there is to them. Set the variables for each script and have fun.

Discovery Script

#set variables
$name = "AppVClient" #name of service
$dsrdstrt = "Automatic" #desired start type: Automatic, Manual, Disabled
$dsrdstt = "Running" #desired state: Running, Stopped, Paused

#Get service info
$srv = get-service $name -ErrorAction SilentlyContinue

if ($srv -ne $null)
{
$srvstat = $srv.status
$srvstart = $srv.StartType

if ($srvstat -eq "$dsrdstt")
{
if ($srv.StartType -eq "$dsrdstrt")
{
$compliance = "true"
}

else
{
$compliance = "false"
}
}
else
{
$compliance = "false"
}
}

else
{
$compliance = "true" #This is built on the basis of not existing is compliant. Can be changed to false to set not existing as not compliant.
}

$compliance

Remediation Script

#set variables
$name = "AppVClient" #name of service
$dsrdstrt = "Automatic" #desired start type: Automatic, Manual, Disabled
$dsrdstt = "Running" #desired state: Running, Stopped, Paused

#Get service info
$srv = get-service $name -ErrorAction SilentlyContinue

if ($srv)
{
$srvstat = $srv.status
$srvstart = $srv.StartType

#set service startup type if it doesn't match the set variable
if ($srvstart -ne "$dsrdstrt")
{
Set-Service -Name $name -StartupType $dsrdstrt
}

#set service state type if it doesn't match the set variable
if ($srvstat -ne "$dsrdstt")
{
Set-Service -Name $name -Status $dsrdstt

}

}