
Scheduled task is missing RestartOnFailure

Open davidbIQ opened this issue 7 months ago • 0 comments

Problem description

The auto cert binding uses a scheduled task that uses <RestartOnFailure>:

<RestartOnFailure>
  <Interval>PT10M</Interval>
  <Count>3</Count>
</RestartOnFailure>

This currently does not appear to be settable. This is important to have it retry a few times on failure if the cert isn't fully ready or there was an odd binding issue with one of the IIS sites.

Other values that aren't currently supported include (pulled from an exported task): the setting currently defaults to this

  <Principals>
    <Principal id="Author">
  <Actions Context="Author">

but there should be an option to set it to System also

  <Principals>
    <Principal id="System">
  <Actions Context="System">

and AllowStartOnDemand

and this line may need correcting: AllowStartIfOnBatteries = -not $settings.DisallowStartIfOnBatteries. DisallowStartIfOnBatteries doesn't exist anywhere else; maybe it should be AllowStartIfOnBatteries = $settings.allowStartIfOnBatteries

Verbose logs

no logs

DSC configuration

I'll post the working one; the above args would need to be added.

# Invoke-DscResource splat for the ScheduledTask resource. Method 'test' only
# reports whether the task matches; use Method 'set' to apply it.
$invokeParams = @{
    Name       = 'ScheduledTask'
    ModuleName = 'ComputerManagementDsc'
    Method     = 'test'
    Property   = @{
        'taskname'                  = 'IIS-AutoCertRebind';
        'taskpath'                  = '\Microsoft\Windows\CertificateServicesClient';
        'ensure'                    = 'present';
        'description'               = 'Automatically rebinds IIS to new certificates when issued';
        'actionexecutable'          = 'c:\windows\System32\inetsrv\appcmd.exe';
        # Fire on event 1001 from the CertificateServicesClient lifecycle log (certificate renewed)
        'scheduletype'              = 'OnEvent';
        'eventsubscription'         = '<QueryList><Query Id="0" Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"><Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*[System[EventID=1001]]</Select></Query></QueryList>';
        'runlevel'                  = 'Highest';
        'user'                      = 'SYSTEM';
        # $(OldCertHash)/$(NewCertHash) are Task Scheduler variables filled from
        # EventValueQueries below, so they must stay single-quoted (not PowerShell-expanded)
        'actionarguments'           = 'renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)';
        'priority'                  = 7;
        'startwhenavailable'        = $false;
        'runonlyifnetworkavailable' = $false;
        'runonlyifidle'             = $false;
        'waketorun'                 = $false;
        'hidden'                    = $false;
        # XPath queries evaluated against the triggering event's payload
        'EventValueQueries'         = @{
            'NewCertHash' = 'Event/UserData/CertNotificationData/NewCertificateDetails/@Thumbprint';
            'OldCertHash' = 'Event/UserData/CertNotificationData/OldCertificateDetails/@Thumbprint'
        }
    }
}

Invoke-DscResource -Debug -Verbose @invokeParams

Suggested solution

I think it's just adding the new goodies.

Operating system the target node is running

Windows Server 2016/2019

PowerShell version and build the target node is running

PowerShell 5.1
PowerShell 7 has an issue with "Serialized XML is nested too deeply", so I didn't use it for testing. I think that's a different bug to be dealt with.

ComputerManagementDsc version

Using 9.2.0 for this, but the latest 10 didn't have it in its source code either, so I don't think it's fixed there either.

Ideal state

We could generate this in duplicate (this is what gets generated as a task if you export it after enabling auto IIS bindings):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Microsoft\Windows\CertificateServicesClient\IIS-AutoCertRebind</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id='0'&gt;&lt;Select Path='Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'&gt;*[System[EventID=1001]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="NewCertHash">Event/UserData/CertNotificationData/NewCertificateDetails/@Thumbprint</Value>
        <Value name="OldCertHash">Event/UserData/CertNotificationData/OldCertificateDetails/@Thumbprint</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="System">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT10M</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="System">
    <Exec>
      <Command>%SystemRoot%\System32\inetsrv\appcmd.exe</Command>
      <Arguments>renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)</Arguments>
    </Exec>
  </Actions>
</Task>

davidbIQ, Jul 04 '25 22:07
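Until the resource exposes these properties, the same RestartOnFailure, principal and battery settings can be applied to the task the DSC configuration above registers, using the built-in ScheduledTasks module, and then read back from the exported task XML. This is an added example, not code from the issue or from ComputerManagementDsc; it assumes the task name and path from the configuration above already exist and that the session is elevated.

```powershell
# Added example (not ComputerManagementDsc code): apply the settings the
# resource does not yet expose to the task registered by the DSC config,
# then read them back from the exported task XML to confirm the result.
$taskName = 'IIS-AutoCertRebind'
$taskPath = '\Microsoft\Windows\CertificateServicesClient\'  # cmdlets want a trailing backslash

function Set-AutoCertRebindTaskSettings {
    # <RestartOnFailure> Interval PT10M / Count 3, plus the other values from the exported task.
    # -AllowStartIfOnBatteries writes <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>;
    # <AllowStartOnDemand> stays true unless -DisallowDemandStart is given.
    $settings = New-ScheduledTaskSettingsSet -RestartCount 3 `
        -RestartInterval (New-TimeSpan -Minutes 10) `
        -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
        -MultipleInstances Queue -Priority 7 -AllowStartIfOnBatteries

    # Run as LocalSystem; the exported XML shows this as <UserId>S-1-5-18</UserId>.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    # Only settings and principal are replaced; the event trigger and action are kept.
    Set-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Settings $settings -Principal $principal
}

function Get-AutoCertRebindTaskState {
    [xml]$xml = Export-ScheduledTask -TaskName $taskName -TaskPath $taskPath
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    # Small helper: read one element's text under /Task by relative XPath
    $node = { param($xpath) $xml.SelectSingleNode("/t:Task/$xpath", $ns).InnerText }
    [pscustomobject]@{
        RestartInterval            = & $node 't:Settings/t:RestartOnFailure/t:Interval'
        RestartCount               = & $node 't:Settings/t:RestartOnFailure/t:Count'
        AllowStartOnDemand         = & $node 't:Settings/t:AllowStartOnDemand'
        DisallowStartIfOnBatteries = & $node 't:Settings/t:DisallowStartIfOnBatteries'
        PrincipalUserId            = & $node 't:Principals/t:Principal/t:UserId'
        RunLevel                   = & $node 't:Principals/t:Principal/t:RunLevel'
    }
}

Set-AutoCertRebindTaskSettings | Out-Null
$state = Get-AutoCertRebindTaskState
if ($state.RestartCount -ne '3' -or $state.RestartInterval -ne 'PT10M' -or $state.PrincipalUserId -ne 'S-1-5-18') {
    throw "IIS-AutoCertRebind does not match the expected settings: $($state | Out-String)"
}
$state
```

The account the action runs under is determined by the principal's UserId; the id="System"/Context="System" labels in the exported XML are only the cross-reference between Principal and Actions, so do not treat an id="Author" label as a sign the task is running as the wrong account.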