Running SFC.EXE from within PowerShell script deployed via SCCM

I'm trying to create a PowerShell script that will be deployed to any node that is showing bad update health to automate some of the simple tasks without having to interrupt users during their workday. The PowerShell script works perfectly if run from an elevated PS prompt. It also runs fine when the same script is deployed to a test machine via SCCM with one exception: it won't call SFC.EXE /SCANNOW.

I've tried using:

Start-Process -FilePath "${env:Windir}\System32\SFC.EXE" -ArgumentList '/scannow' -Wait -NoNewWindow
Start-Process -FilePath "sfc.exe" -ArgumentList '/scannow' -Wait -NoNewWindow
Start-Process -FilePath "${env:Windir}\System32\SFC.EXE" -ArgumentList '/scannow' -RedirectStandardOutput "C:\SFC-Out.log" -RedirectStandardError "C:\SFC-Err.log" -Wait -NoNewWindow
& "sfc.exe" "/scannow"
Invoke-Command -ScriptBlock { sfc.exe /scannow }

Again, all of these examples work exactly as intended when run from an elevated PS prompt, but fail when run from the deployed PowerShell script. When I used the -RedirectStandardOutput, I checked the file SFC-Out.log and it read:

"Windows Resource Protection could not start the repair service"

I think this is because SCCM runs programs/scripts in the SYSTEM context instead of a user context (or even an elevated user context, but SYSTEM is supposed to be higher than an elevated session).

Is there a way to accomplish this? Sorry for the bad formatting, this is my first post on this site.

A bit late, but I encountered the same issue. Not sure if this is the case for you, but the cause was configuring the deployment of the script with SCCM to run as a 32-bit process. The script was being deployed to 64-bit systems. When I unchecked "run as 32 bit process" in the deployment configuration, SFC worked without an issue under the context of a System account.


I created a package (not an application) in SCCM and had to use the redirect using the elusive sysnative folder for x64 machines:

https://www.thewindowsclub.com/sysnative-folder-in-windows-64-bit

So it would be:

C:\Windows\Sysnative\SFC.EXE /SCANNOW
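The bitness problem the two answers above describe can be handled inside the script itself. This is an added example, not code from the original posts: the function name `Get-NativeSystemToolPath` and the log path are assumptions made for illustration.

```powershell
# Added example (not from the original posts). The function name and the
# log path are hypothetical / constructed.
function Get-NativeSystemToolPath {
    param(
        [Parameter(Mandatory)] [string] $ToolName,
        # Defaults describe the current process; override them to check the logic.
        [bool]   $Is64BitOS      = [Environment]::Is64BitOperatingSystem,
        [bool]   $Is64BitProcess = [Environment]::Is64BitProcess,
        [string] $WinDir         = $env:WinDir
    )
    if ($Is64BitOS -and -not $Is64BitProcess) {
        # 32-bit process on 64-bit Windows: the file system redirector maps
        # System32 to SysWOW64. The Sysnative alias, visible only to 32-bit
        # processes, reaches the real 64-bit System32.
        return Join-Path $WinDir "Sysnative\$ToolName"
    }
    # Native process (64-on-64 or 32-on-32): System32 is not redirected.
    return Join-Path $WinDir "System32\$ToolName"
}

$logPath  = Join-Path $env:WinDir 'Temp\sfc-remediation.log'   # constructed path
$identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$sfcPath  = Get-NativeSystemToolPath -ToolName 'sfc.exe'

# Record the account and bitness the deployment actually ran with, so a
# failure can be attributed to context (SYSTEM) or to 32-bit redirection.
"{0:s} user={1} os64={2} proc64={3} sfc={4}" -f (Get-Date), $identity,
    [Environment]::Is64BitOperatingSystem, [Environment]::Is64BitProcess, $sfcPath |
    Add-Content -LiteralPath $logPath

if (-not (Test-Path -LiteralPath $sfcPath)) {
    "sfc.exe not found at $sfcPath" | Add-Content -LiteralPath $logPath
    exit 2
}

# Run SFC from the native path and hand its exit code back to SCCM.
$proc = Start-Process -FilePath $sfcPath -ArgumentList '/scannow' -Wait -NoNewWindow -PassThru
"sfc exit code: $($proc.ExitCode)" | Add-Content -LiteralPath $logPath
exit $proc.ExitCode
```

The logged `proc64=False` on a 64-bit machine is the signature of the "run as 32-bit process" deployment setting mentioned in the first answer.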


What you have will work, just missing "-Verb RunAs" to elevate permissions. So your cmdlet should read:

Start-Process -FilePath "${env:Windir}\System32\SFC.EXE" -ArgumentList '/scannow' -Wait -Verb RunAs





Comments
  • Just try to set ProcessStartInfo.Verb to RunAs. You can run your process with admin privileges using this option. Unfortunately, you cannot use Verb and RedirectStandardOutput together, see
  • Wouldn't that pop-up a window asking for credentials then? I'm OK with not using RedirectStandardOutput, it was a troubleshooting step anyway to find out why SFC wasn't launching.
  • You can set the credentials in ProcessStartInfo.Password and ProcessStartInfo.UserName, so it wouldn't ask you for credentials, but it can ask you to confirm starting the process with admin privileges. If you want to run the process as admin without confirmation, you can lower UAC permissions
  • I tried sfc scannow with the system account using psexec and it worked, so in general it should be possible despite the system account. Some other posts regarding this topic suggest enabling the trusted installer service with "net start trustedinstaller"; did you already try that? Are users logged in on the systems where you tried this or not?
  • I don't think lowering UAC permissions is the right way to go. Yes, users will be logged into these systems. The idea is to run these common remediation steps to fix update health while they're in the office without having to interrupt their day and take 30+ minutes to fix. Thanks for the info about it being possible and confirming this should work with the System account. I'll script in starting the trusted installer service before calling SFC /scannow and see how that goes. Thanks!