- Configuration Items in Configuration Manager (SCCM, MECM) - Mon, Aug 22 2022
- Create and read SCVMM custom properties with PowerShell and the VMM Console - Mon, Apr 18 2022
- Prevent ransomware attacks on network shares with File Server Resource Manager (FSRM) - Mon, Mar 7 2022
Launch the MECM console. You can install the MECM console using the MECM installer, which is available for download from the Microsoft Developer Network (MSDN) or the Volume Licensing Service Center (VLSC).
MECM Console
Under Assets and Compliance, navigate to Compliance Settings > Configuration Items. Let's start by creating a CI. Click the Create Configuration Item button in the top left-hand corner.
Create Configuration Item
Give your CI a name. I am going to create a CI that checks the value of a registry setting and applies an auto-remediation action to set the value to 1 if it is something else. For this guide, I am going to name the CI Enable Client Always on Internet. Leave the default settings as they are, and click Next.
Enable Client Always on Internet
Select the versions of Windows that will assess the configuration item for compliance. If your CI is operating system-specific, you should scope the CI accordingly. Otherwise, click Next.
Client operating systems to assess compliance
Now, you're going to specify the actual compliance setting to check. Click New.
Specify settings for this operating system
Specify a name for your compliance setting. For registry settings, I typically use the name of the registry key itself. For this guide, I am going to name the compliance setting ClientAlwaysOnInternet.
For the Setting type, select Registry value.
For the Data type, select the option that applies to your registry key. For this guide, I am going to select Integer. Click the Browse button, and navigate to the registry key with the value you want to check compliance for. For this guide, I am going to navigate to HKLM\SOFTWARE\Microsoft\CCM\Security\ClientAlwaysOnInternet. Leave the other default settings as they are. Click the Compliance Rules tab.
Create Compliance Setting – General
By default, a compliance rule is created that specifies that the registry key itself must exist. However, we need to create an additional compliance rule to specify the registry key value and remediate it when noncompliant (does not equal the specified value). Click New.
Specify a name for your compliance setting. For registry value settings, I typically put the registry name followed by the word "is" and the required value. For this guide, I am going to name the compliance setting ClientAlwaysOnInternet is 1.
For the Operator, select Equals, and enter 1 for the For the following values setting. Check the box next to Remediate noncompliant rules when supported.
Optionally, for the Noncompliant severity for reports option, select a severity. For this guide, I am not going to select a severity.
Click OK, Apply, OK, and then Next.
Create Compliance Setting – Compliance Rules
You will see an overview of the compliance rules you just created.
Compliance Rules overview
Click Next twice and then Close.
Now, we need to create a CB. Under Assets and Compliance, navigate to Compliance Settings > Configuration Baselines. Click the Create Configuration Baseline button in the top left-hand corner.
Create Configuration Baseline
Give your CB a name. I am going to create a CB for workgroup computers only. For this guide, I am going to name the CB Workgroup Computers. Click Add and select the CI you created earlier. Leave all other settings as they are, and click OK.
Creating Configuration Baseline
Now, we need to deploy the CB. As you would with other MECM objects, right-click your newly created CB, and click Deploy.
Deploying Configuration Baseline
Check the boxes next to Remediate noncompliant rules when supported and Allow remediation outside the maintenance window. When allowing remediation outside maintenance windows, make sure your remediation action does not trigger a system reboot.
Specify the collection for the configuration baseline deployment. For this guide, I am going to select All Systems; however, it is recommended that you scope your CBs to a less impactful device collection.
Specify the compliance evaluation schedule for this configuration baseline. For this guide, I am going to specify a Simple schedule of every 1 day.
Deploying Configuration Baselines options
Click OK. Your CB will now start to deploy to the endpoints in the device collection you specified.
To report on CI and CB compliance, under Monitoring, navigate to Overview > Reporting > Reports > Compliance and Settings Management. (Note that running reports in MECM requires the Reporting Services site role to be installed.)
Find and run the report Summary compliance by configuration items for configuration baseline.
Summary compliance report
For the Configuration Baseline Name parameter, select the CB you created earlier. This is the only required parameter; however, you can specify others. Click Run.
From this report, you can see a list of all CIs in the CB, the configuration type, compliance %, and multiple compliance statuses. This, in my opinion, is the most holistic report for reporting endpoint compliance.
Subscribe to 4sysops newsletter!
Summary of Compliance sample output
Are you working with configuration baselines and configuration items in MECM (SCCM)?
