SCCM Configuration Baseline – Detect Microsoft Compatibility Appraiser DLL Version

One of my customers is currently waiting for the results to come back from a deployment of a Configuration Baseline, which was pushed out to detect the Microsoft Compatibility Appraiser DLL problem.

The problem itself can cause chaos on networks, due to excessive WSUS communications, and should be read up on here.

The problem seems to be caused by specific versions of the Compatibility Appraiser, which in terms of version number can be described as:

  • No value = No problem (not installed)
  • Less than 1704 = Problem
  • Between 1704 and 1749 = No problem
  • Between 1750 and 1751 = Problem
  • Above 1751 = No Problem

And this can be defined using 3 conditions in a PowerShell script.

If you read the detail in the above link, you'd have recognised that there isn't a fix for this issue, just an easing of it. It would seem the appraiser will continue to interfere with the WUA Scan Cache, causing some of it to vanish and thus be downloaded from WSUS again; the best we can do is bring the appraiser up to a certain version to reduce the effect, or disable the Scheduled Task that runs the appraiser.


Let’s put a PowerShell script into a Configuration Baseline and trot it out the door, to detect if there is a build up of clients that need their Appraiser upgraded.

Create a new Configuration Item, call it what you want, but I used Appraiser DLL Check, then add a new Setting and call it DLL Check:

Make sure you have Setting type set to Script, and Data type set to String

For the Discovery script click Edit Script

Make sure Script language is set to Windows PowerShell

Add in the following, making sure it's formatted correctly (paste it into Notepad first and check it is okay!):

# Get DLL Appraiser compliance status

# Get registry value; -ErrorAction SilentlyContinue stops a missing key from writing an error
$Compliant = $true

$val = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser' -ErrorAction SilentlyContinue).LastAttemptedRunDataVersion

# Check if within ranges
if ($null -ne $val) # Not exist is compliant (not installed)
{
    # Less than 1704 is non-compliant
    if ($val -lt 1704)
    {
        $Compliant = $false
    }

    # 1750 and 1751 are non-compliant
    if ($val -gt 1749 -and $val -lt 1752)
    {
        $Compliant = $false
    }
}

# Return compliance status ($false = non-compliant); return nothing when compliant
if ($Compliant -eq $false)
{
    $Compliant
}

This script will return nothing, as a statement of compliance, if the LastAttemptedRunDataVersion registry value does not exist or if it is within the bounds defined above; it will return False, for non-compliance, if the value is outside those bounds.

Now switch to Compliance Rules and add a new Rule, call it DLL Check or whatever.

This is how you should configure it:


Rule type should be Value, "the value returned by the specified script" should be Equals, and "the following values" should be set to True.

You can set Noncompliance severity for reports to anything other than None if you wish.

Now add this Configuration Item to a Configuration Baseline, and deploy the Baseline out to your estate, after piloting on a few devices.

I would recommend targeting your own machine, and creating/changing the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser\LastAttemptedRunDataVersion so as to test the Compliant/Non-compliant results from the script.
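To check the Compliant/Non-compliant results without editing the registry for every boundary, here is an added example (not the post's own discovery script) that wraps the same three conditions in a function, runs it against the boundary values from the version table above, and then against the live registry value; Test-AppraiserVersionCompliant and the $cases list are names assumed for this example.

```powershell
# Added example, not the post's own discovery script: the same three
# conditions wrapped in a function so the version bands can be checked
# against known values before the baseline is piloted.
function Test-AppraiserVersionCompliant {
    param($Version)   # untyped on purpose: $null means the value is absent

    # No value = not installed = compliant
    if ($null -eq $Version) { return $true }

    $v = [int64]$Version
    if ($v -lt 1704)                  { return $false }  # below 1704
    if ($v -ge 1750 -and $v -le 1751) { return $false }  # 1750 and 1751
    return $true                                         # 1704-1749, or above 1751
}

# Constructed boundary cases taken from the version table in the post
$cases = @(
    @{ Version = $null; Expected = $true  }   # value missing
    @{ Version = 1703;  Expected = $false }
    @{ Version = 1704;  Expected = $true  }
    @{ Version = 1749;  Expected = $true  }
    @{ Version = 1750;  Expected = $false }
    @{ Version = 1751;  Expected = $false }
    @{ Version = 1752;  Expected = $true  }
)

foreach ($c in $cases) {
    $actual = Test-AppraiserVersionCompliant -Version $c.Version
    $shown  = if ($null -eq $c.Version) { '<none>' } else { $c.Version }
    $status = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
    '{0} version={1,-6} expected={2,-5} actual={3}' -f $status, $shown, $c.Expected, $actual
}

# Finally evaluate the live value this machine would report to SCCM.
# -ErrorAction SilentlyContinue keeps a missing key from writing an error.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser'
$live = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LastAttemptedRunDataVersion
$shown = if ($null -eq $live) { '<none>' } else { $live }
'Live value={0} compliant={1}' -f $shown, (Test-AppraiserVersionCompliant -Version $live)
```

Every row should print PASS; the final line shows what the discovery script would decide for the machine you run it on.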

And don't forget, you can create Compliant/Non-compliant collections using the SCCM Console: just right click a Configuration Baseline Deployment and choose what type of collection you want created from the pop-out menu.

Hey Q, Jo, the figures are looking good; a low turn-out of the Appraiser problem, it looks!