
scheduled tasks is missing RestartOnFailure #456

@davidbIQ

Description


Problem description

The autocertbinding uses a scheduled task that uses

<RestartOnFailure>
  <Interval>PT10M</Interval>
  <Count>3</Count>
</RestartOnFailure>

This currently does not appear to be settable. This is important, to have it retry a few times on failure if the cert isn't fully ready or there was an odd binding issue with one of the IIS sites.

Other values that aren't currently supported include (pulled from an exported task):
The setting currently defaults to this

  <Principals>
    <Principal id="Author">
  <Actions Context="Author">

but there should be an option to set it to System also

  <Principals>
    <Principal id="System">
  <Actions Context="System">

and allowstartondemand

And this line may need correcting:
AllowStartIfOnBatteries = -not $settings.DisallowStartIfOnBatteries
DisallowStartIfOnBatteries doesn't exist anywhere else; maybe it should be
AllowStartIfOnBatteries = $settings.allowStartIfOnBatteries

Verbose logs

no logs

DSC configuration

I'll post the working one; the above args would need to be added.
$invokeParams = @{
    Name       = 'ScheduledTask'
    ModuleName = 'ComputerManagementDsc'
    Method     = 'test'
    Property   = @{
        'taskname'                  = 'IIS-AutoCertRebind';
        'taskpath'                  = '\Microsoft\Windows\CertificateServicesClient';
        'ensure'                    = 'present';
        'description'               = 'Automatically rebinds IIS to new certificates when issued';
        'actionexecutable'          = 'c:\windows\System32\inetsrv\appcmd.exe';
        'scheduletype'              = 'OnEvent';
        'eventsubscription'         = '<QueryList><Query Id="0" Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"><Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*[System[EventID=1001]]</Select></Query></QueryList>';
        'runlevel'                  = 'Highest';
        'user'                      = 'SYSTEM';
        # Single quotes are deliberate: $(OldCertHash)/$(NewCertHash) are Task Scheduler
        # value-query substitutions and must not be expanded by PowerShell.
        'actionarguments'           = 'renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)';
        'priority'                  = 7;
        'startwhenavailable'        = $false;
        'runonlyifnetworkavailable' = $false;
        'runonlyifidle'             = $false;
        'waketorun'                 = $false;
        'hidden'                    = $false;
        'EventValueQueries'         = @{
            "NewCertHash" = "Event/UserData/CertNotificationData/NewCertificateDetails/@Thumbprint";
            "OldCertHash" = "Event/UserData/CertNotificationData/OldCertificateDetails/@Thumbprint"
        }
    }
}

Invoke-DscResource -Debug -Verbose @invokeParams

Suggested solution

I think it's just adding the new goodies.

Operating system the target node is running

Windows Server 2016/2019

PowerShell version and build the target node is running

PowerShell 5.1
PowerShell 7 has an issue with "Serialized XML is nested too deeply", so I didn't use it for testing; I think that's a different bug to be dealt with.

ComputerManagementDsc version

Using 9.2.0 for this, but the latest 10 didn't have it in its source code either, so I don't think it's fixed there either.

Ideal state

We could generate this in duplicate (this is what gets generated as a task if you export it after enabling autoiisbindings):

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Microsoft\Windows\CertificateServicesClient\IIS-AutoCertRebind</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id='0'&gt;&lt;Select Path='Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'&gt;*[System[EventID=1001]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="NewCertHash">Event/UserData/CertNotificationData/NewCertificateDetails/@Thumbprint</Value>
        <Value name="OldCertHash">Event/UserData/CertNotificationData/OldCertificateDetails/@Thumbprint</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="System">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT10M</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="System">
    <Exec>
      <Command>%SystemRoot%\System32\inetsrv\appcmd.exe</Command>
      <Arguments>renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)</Arguments>
    </Exec>
  </Actions>
</Task>
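Because the task above runs as LocalSystem (S-1-5-18) with HighestAvailable and feeds event-derived thumbprints to appcmd.exe, it is worth being able to check that a registered task actually carries the settings the DSC resource cannot yet set (RestartOnFailure, the System principal and action context, AllowStartOnDemand). The following function is an added example, not code from the issue author or from ComputerManagementDsc; the function name Test-AutoCertRebindTask and the expected values (PT10M, 3, S-1-5-18, taken from the exported task above) are assumptions, and the short sample task XML at the end is constructed to show a non-compliant result.

```powershell
# Added example (not from the issue or ComputerManagementDsc): compare a task's XML
# against the settings this issue says are not settable through the DSC resource.
function Test-AutoCertRebindTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TaskXml,          # output of Export-ScheduledTask, or any task XML
        [string] $ExpectedInterval = 'PT10M',              # values from the exported task in the issue (assumed)
        [int]    $ExpectedCount    = 3,
        [string] $ExpectedUserId   = 'S-1-5-18'            # LocalSystem
    )

    $task     = ([xml]$TaskXml).Task
    $findings = New-Object System.Collections.Generic.List[string]

    # RestartOnFailure: without it a transient cert/binding failure is never retried.
    # Child elements are read via the XmlElement indexer so the element named "Count"
    # is not confused with PowerShell's synthetic Count property.
    $rof = $task.Settings['RestartOnFailure']
    if (-not $rof) {
        $findings.Add('RestartOnFailure is not set')
    }
    else {
        $interval = $rof['Interval'].InnerText
        $count    = [int]$rof['Count'].InnerText
        if ($interval -ne $ExpectedInterval) { $findings.Add("RestartOnFailure/Interval is '$interval', expected '$ExpectedInterval'") }
        if ($count -ne $ExpectedCount)       { $findings.Add("RestartOnFailure/Count is $count, expected $ExpectedCount") }
    }

    # Principal: the task must run as LocalSystem at HighestAvailable, and the action
    # context must refer to that same principal id (System, not Author).
    $principal = $task.Principals.Principal
    if ($principal.UserId -ne $ExpectedUserId)      { $findings.Add("Principal/UserId is '$($principal.UserId)', expected '$ExpectedUserId'") }
    if ($principal.RunLevel -ne 'HighestAvailable') { $findings.Add("Principal/RunLevel is '$($principal.RunLevel)', expected 'HighestAvailable'") }
    if ($task.Actions.Context -ne $principal.id)    { $findings.Add("Actions Context '$($task.Actions.Context)' does not match Principal id '$($principal.id)'") }

    # AllowStartOnDemand is the other setting the issue asks for.
    if ($task.Settings.AllowStartOnDemand -ne 'true') { $findings.Add('AllowStartOnDemand is not true') }

    [pscustomobject]@{
        Uri       = $task.RegistrationInfo.URI
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample: the default the resource produces today (Author principal, no
# RestartOnFailure), so the check reports findings. Not an export from a real host.
$sampleTaskXml = @'
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\CertificateServicesClient\IIS-AutoCertRebind</URI></RegistrationInfo>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\inetsrv\appcmd.exe</Command></Exec>
  </Actions>
</Task>
'@

Test-AutoCertRebindTask -TaskXml $sampleTaskXml | Format-List

# Against a live node (Windows, ScheduledTasks module):
# $live = Export-ScheduledTask -TaskName 'IIS-AutoCertRebind' -TaskPath '\Microsoft\Windows\CertificateServicesClient\'
# Test-AutoCertRebindTask -TaskXml $live
```

The constructed sample yields two findings (RestartOnFailure missing, and an Actions Context/Principal id of Author rather than System) and Compliant = False; the same call against the exported task shown above returns no findings. Running this after Invoke-DscResource is a quick way to confirm whether the resource has applied the settings the issue requests, and it doubles as a drift check for a task that executes as SYSTEM.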
