Creating the Management Service Recovery Keys Using Compliance Settings

It is a well documented issue that the management service can stop responding when SQL drops out – you can read about it here https://support.microsoft.com/kb/2913046/en-us. The fix for this issue is also well documented – create a couple of registry keys on each management server.

For places where Configuration Manager is installed it is relatively simple to use compliance settings to remediate this issue. First I create a collection containing all the Service Manager management servers. In the example below I just used the Installed Programs class to find the machines with Service Manager installed. As my lab environment is quite small I haven’t tested this on other machines where say only a console is installed so ensure you get the correct servers!

First create a new Configuration item and give it a name.

It is not really required as we will target this to a specific collection but you can specify the OS level for the configuration item.

We need to create two settings – one for each registry key so I click on New. Fill out the setting as below, the registry key is listed in the KB article above.

Create a new rule to check the compliance of the item. I also select to remediate a non-compliant value.

After one setting is created you can just create another with a matching rule to set the value as required. What you end up with is a configuration item containing both registry values which will remediate if not correct. The best part is that if these values don’t exist Configuration Manager will create them for you.

Now we just add this configuration item to a new baseline so we can deploy it to our servers.

Finally I can deploy my configuration baseline to the collection containing my management servers. Highlight the baseline and select Deploy. The important setting is the “Remeidatre noncompliant rules when supported”. As both of the rules have been set up to remediate I need to select this option to actually perform the remediation. I have selected to allow this to occur outside a maintancne window so that it can happen at any time.

Once deployed I can wait for my management server to receive it’s new policy – it will contain the compliance baseline, when it evaluates the two registry values will be created.