Are you one of the few remaining administrators who double checks that the Configuration Manager client has been completely deployed to all endpoints?

Despite there being fewer hours in the day (at least it feels that way), I still make time to assess the health of each agent and remediate issues as efficiently as I can. It’s time I’d rather invest elsewhere, but I believe it’s that important.

As you can imagine, when Martins Kurtis at UonCloud ( gave me a demonstration of his new product, SupTool, I was impressed by its innovative approach to this time-consuming problem. Now that I’ve been evaluating it for a few months, I thought it was time to share some of its strong points with you.

One of Martin’s goals with SupTool is to simplify endpoint health assessment and remediation as well as add value to existing solutions. It was not designed to replace the Configuration Manager Client Health feature but complement it.

While Configuration Manager Client Health checks have evolved considerably over the years, in my experience, they cannot maintain a healthy environment. The Configuration Manager Client Health mechanism only works for systems that already have the client installed, which for large organizations, still leaves a lot of machines in limbo.

What impresses me about SupTool is that UonCloud opted to build an agentless server architecture hosted in Azure. Using an agentless solution ensures that there is less of a dependency on the machine state, which makes the solution more resistant to issues with the operating system health of the endpoint. Moreover, an agentless solution directly tackles the issue of time-consuming endpoint assessment because it can rapidly be implemented and begin reporting valuable insights right away.

Both the Endpoint scanner and the System Scanner backend components reside almost entirely within Azure (see diagram below). As a result, SupTool’s architecture and technical requirements leave a relatively small footprint within your local environment, which translates into minimal on-premises infrastructure.

The Endpoint Scanner usually resides on a common network share and runs through a scheduled task set up through either Group Policy or a login script. The System Scanner can reside on a desktop or a dedicated server.

For those of you concerned about data security and transmitting data back and forth from the cloud, information sent to Azure can be hashed using a custom key. SupTool also allows you to customize your tenant name, which you can use to keep your organization’s identity anonymous.

In keeping with UonCloud’s philosophy of simplifying Endpoint health assessment, SupTool has a very simple setup process. There are only three implementation steps to get the system up and running.

  • Scan environment with system scanner – scan Active Directory and SCCM
  • Scan environment with endpoint scanner – scan Endpoints directly
  • Analyze results in report and tune your settings – enable Automation

Once SupTool is operational, each health check can potentially trigger up to three levels of actions if a particular remediation fails at one level. Each level escalates the degree of remediation applied to an agent. If the first level fails, SupTool escalates to the next level, and so on.

The three levels of actions that supTool executes are controlled and configured through Policy Settings on a per organization basis.

  • Basic Checks (Endpoint Scanner only) – most common known problems are remediated
  • Client Reinstall (Endpoint Scanner only) – if critical misconfiguration was detected then client reinstall is executed
  • WMI repair + Client Reinstall (Endpoint Scanner only) – if WMI misconfiguration or corruption was detected then WMI repair and client reinstall is executed

The tool has a four-step process to assess and remediate the environment. As I already mentioned above, the first step just collects information about your Endpoints, Configuration Manager, and Active Directory.

Collecting information about your endpoints from multiple sources is not a new approach because each source of information has their view own of the environment that needs to be combined to put together the big picture regarding what exists in the environment and their health.

The advantage of their approach is combining the different sources of information, especially with the Endpoint Scanner, is the information being recently gathered and collected outside of Configuration Manager. The issue SupTool solves by taking this approach is that it avoids distortions in the data caused by misconfigurations of the Configuration Manager infrastructure and client issues, which can distort the completeness of the data when assessing the health of the client environment.

While it is important to know whether a device has the Configuration Manager client installed, that isn’t the end of the story because the update source (i.e., WSUS or Microsoft Update) can dramatically affect whether further complications occur. With SupTool, you can verify the path compliance of those devices with old Windows Update and proceed accordingly.

The next step is a round of basic checks on the Endpoint to apply simple fixes, for example, start SMSAgent service, forced to check policies. There is another valuable feature that happens with the automated basic checks that verify whether a device is a Lost Computer and immediately sends an Email to the Administrator with pertinent information to begin locating the machine.

Next step with the endpoint remediation process is to run some SCCM client and the operating system common health checks occur to make sure that the client is operating and that the Group Policy configuration of the client is up to date.

The third step consists of more sophisticated health checks and an escalation of fixes to ensure that the Configuration Manager client is operational. At this stage, SupTool verifies the health of the client by comparing the current client version to a pre-configured base version.

There are four scenarios where SupTool will force an install/reinstall of the Configuration Manager client:

  1. When the client version is lower than the base version or hasn’t been installed
  2. When one or more of the basic checks fail consecutively, an escalation occurs to perform more complicated fixes
  3. If the Windows Management Interface repository is corrupt, missing, or not found SupTool automatically resets the WMI state of the machine.
  4. If Configuration Manager client polices are missing or outdated the client is reinstalled

In the final step of the process, SupTool focuses exclusively on WMI and the Configuration Manager client. The final step of the process is designed to remedy deeper issues with the client and the operating system.

In those occasional circumstances where the Configuration Manager client health continues to fail the system will remove the Configuration Manager client, repair the WMI, and attempt to install a functioning version of the Configuration Manager client.

Now that we have looked at the scanner components let’s take a look at the administrator experience where data is collected and presented for analysis. The administrator logs into the web portal where a main dashboard of the environment displays key aspects of the environment such as the percentage of machines managed via SCCM and other metrics around fixes used to remediate client health.

The Identify page contains more specifics about the environment such as the total cont of machines with and without the Configuration Manager client. Other highlights include a breakdown of the operating systems deployed along with statistics about machines reporting hardware and software inventory. The data for each report can be exported using a variety of formats which include CSV, Excel, PDF, and Printer.

The Analyze dashboard contains more detailed statistics about endpoint health and activity. I like the statistical overview of what fixes are being used to fix Configuration Manager clients and further information on the Endpoint Scanner activity to know how many machines are reporting into the system. Another item I like is the Windows Update agent versions on the machines because this has caused me headaches in the past with systems not updating through Configuration Manager. Also, a nice addition is the ability to view where the device is getting its updates from because I have too often seen administrators make assumptions as to how many machines are updating from the desired update source for their organization.

The Stabilize dashboard is a great place to view some of the most problematic machines in the organization; this can help better understand where deeper problems exist in the organization. Maybe a bad image or package is causing havoc and needs to be addressed, and the endpoint remediation is only a symptom of a larger health issue.

As you can see these dashboards create a wealth of insight that isn’t easily accessible through the Configuration Manager console. Trusting Configuration Manager to assess the health of its agents is a dangerous proposition since it assumes that the server infrastructure is properly configured and healthy. I love Configuration Manager, but I find many organizations do not have a combination of manpower and expertise to keep it in a healthy state so they aren’t aware of misconfigurations or Configuration Manager server health issues that may be skewing the results seen through the Configuration Manager reports.

I’ve seen massive issues with patch compliance because nobody is taking the time to audit the health of the Configuration Manager clients or in one specific case, I had a customer that was over six months out of compliance on their Windows 7 patching because they forgot to publish Windows Update client updates to their devices.

Because the product is managed using modern application development techniques and hosted in the cloud, it comes very close to being a SaaS application for your infrastructure. This means that the product is continually evolving to deliver more value at a rapid pace when compared to traditional management products.

Currently, a new feature is in preview; you can host critical patches on a network share and have SupTool ensure that the .msu patch files are applied to the device. Being able to have a backup patch management tool can be critical for preventing or containing a zero-day exploit that is in your environment. Back in the late 90s, I worked for a telecommunications company that made an in-house backup management tool for this exact scenario, and because of more evolved threats, this backup patching capability seems to be something I am seeing more and more customers invest in.

In all I find the innovative approach of the product to be refreshing because I am a huge cloud proponent. I am glad to see yet another vendor trying to leverage the cloud to make an easy to implement and maintain solution that eliminates the need for many tedious hours of maintenance each month to ensure proper operation of key management infrastructure components. The product is subscription based, and the lack of upfront infrastructure and setup make for a very small upfront commitment of time and infrastructure to implement.

Until next time,

Kevin Kaminski – MVP