Roberts Blog

The House of ConfigMgr and Intune on Endpoint Management Way

SCCM Configuration Baseline – Detect Microsoft Compatibility Appraiser DLL Version

Update: Microsoft have revised the article, the version numbers and logic have changed significantly as MS delved into the problem and got a better handle on it.

* Table taken from updated article here

Windows 10 Build 1507, 1511, 1607 and 1703 require 1799, and 1709 can use 1704 or 1752.

It looks like the problem is both the agent and build specific, with 1709 requiring a lower version of the client, and older builds requiring a newer version. Odd.

The only thing needing change with the below mechanism, is the PowerShell script. It just needs to get the current build version and check the client version against what it should be, will return and update at some point.

One of my customers is currently waiting for the results to come back, from a deployment of a Configuration Baseline which was pushed out to detect the Microsoft Compatibility Appraiser DLL problem.

The problem itself can cause chaos on the networks, due to excessive WSUS communications, and should be read up on here.

The problem seems to be due to specific versions of the Compatibility Appraiser, which version-wise can be described as:

  • No value = No problem (not installed)
  • Less than 1704 = Problem
  • Between 1704 and 1749 = No problem
  • Between 1750 and 1751 = Problem
  • Above 1751 = No Problem

And this can be defined using 3 conditions in a PowerShell script.

If you read the detail in the above link, you’d of recognised that there isn’t a fix for this issue, just an easing off of it. The appraiser will continue it would seem, to interfere with the WUA Scan Cache, causing some of it to vanish, and thus be downloaded from WSUS again, the best we can do is bring the appraiser up to a certain version to reduce the effect, or disable the Scheduled Task that runs the appraiser.


Let’s put a PowerShell script into a Configuration Baseline and trot it out the door, to detect if there is a build up of clients that need their Appraiser upgraded.

Create a new Configuration Item, call it what you want, but I used Appraiser DLL Check, then add a new Setting and call it DLL Check:

Make sure you have Setting type set to Script, and Data type set to String

For the Discovery script click Edit Script

Make sure Script language is set to Windows PowerShell

Add in the following, making sure its formatted correctly (paste and check it is okay in notepad!)

# Get DLL Appraiser compliance status

#Get registry value

$Compliant = $true

$val = (Get-ItemProperty -path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser’).LastAttemptedRunDataVersion

# Check if within ranges

if ($val -ne $null) # Not exist is compliant (not installed)
    if ($val -lt 1704)

    # Non-compliant

        $Compliant = $false


    if ($val -gt 1749 -And $val -lt 1752)
        $Compliant = $false

# Return compliance status ($false = non-compliant)

if ($Compliant -eq $false)

This script will nothing as a statement of compliance if the LastAttemptedRunDataVersion registry value does not exist, or if it is within bounds defined above, it will return False for non-compliance if not within the bounds.

Now switch to Compliance Rules and add a new Rule, call it DLL Check or whatever.

This is how you should configure it:


Rule type should be Value, the value returned by the specified script should be Equals, and the following values should be set to True

You can set Noncompliance severity for reports to anything other than None if you wish.

Now add this Configuration Item to a Configuration Baseline, and deploy the Baseline out to your estate, after piloting on a few devices.

I would recommend targeting your own machine, and creating\changing the registry value: HKEY_LOCALMACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser\LastAttemptedRunDataVersion so as to test the Compliant\Non-compliant results from the script.

And don’t forget, you can create Compliant\Non-compliant collections using the SCCM Console, just right click a Configuration Baseline Deployment, and choose what type of collection you want created from the pop-out menu.

Hey Q, Jo, figures looking good, low turn-out of the Appraiser problem it looks!


PatchMaster V1.4 released


CMTrace put out to pasture

1 Comment

  1. Q

    Yes, these figures are looking very good. Many thanks for your help on this one.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Powered by WordPress & Theme by Anders Norén