Launch the MECM console. You can install the MECM console using the MECM installer, which is available for download from the Microsoft Developer Network (MSDN) or the Volume Licensing Service Center (VLSC).
Under Assets and Compliance, navigate to Compliance Settings > Configuration Items. Let's start by creating a configuration item (CI). Click the Create Configuration Item button in the top left-hand corner.
Give your CI a name. I am going to create a CI that checks the value of a registry setting and applies an auto-remediation action to set the value to 1 if it is something else. For this guide, I am going to name the CI Enable Client Always on Internet. Leave the default settings as they are, and click Next.
Select the versions of Windows that will assess the configuration item for compliance. If your CI is operating system-specific, you should scope the CI accordingly. Otherwise, click Next.
Now, you're going to specify the actual compliance setting to check. Click New.
Specify a name for your compliance setting. For registry settings, I typically use the name of the registry key itself. For this guide, I am going to name the compliance setting ClientAlwaysOnInternet.
For the Setting type, select Registry value.
For the Data type, select the option that applies to your registry key. For this guide, I am going to select Integer. Click the Browse button, and navigate to the registry key with the value you want to check compliance for. For this guide, I am going to navigate to HKLM\SOFTWARE\Microsoft\CCM\Security\ClientAlwaysOnInternet. Leave the other default settings as they are. Click the Compliance Rules tab.
By default, a compliance rule is created that specifies that the registry key itself must exist. However, we need to create an additional compliance rule that specifies the required registry value and remediates it when it is noncompliant (that is, when it does not equal the specified value). Click New.
Specify a name for your compliance rule. For registry value settings, I typically put the registry name followed by the word "is" and the required value. For this guide, I am going to name the compliance rule ClientAlwaysOnInternet is 1.
For the Operator, select Equals, and enter 1 in the "For the following values" field. Check the box next to Remediate noncompliant rules when supported.
Optionally, for the Noncompliant severity for reports option, select a severity. For this guide, I am not going to select a severity.
Click OK, Apply, OK, and then Next.
You will see an overview of the compliance rules you just created.
Click Next twice and then Close.
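To spot-check an endpoint by hand, the following added example (not part of the original guide and not MECM's own code) evaluates the same two rules locally: the value exists, and it equals 1. Test-ClientAlwaysOnInternet and its parameters are hypothetical names; the registry path is the one used in this guide, and writing under HKLM requires an elevated session.

```powershell
# Added example: local equivalent of the CI's two compliance rules.
# Test-ClientAlwaysOnInternet is a hypothetical helper, not an MECM cmdlet.
function Test-ClientAlwaysOnInternet {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\CCM\Security',
        [string]$Name = 'ClientAlwaysOnInternet',
        [int]$Expected = 1,
        [switch]$Remediate
    )

    # Rule 1: the registry value must exist.
    $item    = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $exists  = $null -ne $item
    $current = if ($exists) { $item.$Name } else { $null }

    # Rule 2: the value must equal the expected integer.
    $compliant  = $exists -and ($current -eq $Expected)
    $remediated = $false

    # Remediation only runs when asked for, and honours -WhatIf / -Confirm.
    if (-not $compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess("$Path\$Name", "Set to $Expected")) {
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        # DWord matches the Integer data type chosen for the CI setting.
        New-ItemProperty -Path $Path -Name $Name -Value $Expected `
            -PropertyType DWord -Force | Out-Null
        $remediated = $true
        # Re-read so the result reflects what is actually stored.
        $current   = (Get-ItemProperty -Path $Path -Name $Name).$Name
        $compliant = ($current -eq $Expected)
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $current
        Compliant    = $compliant
        Remediated   = $remediated
    }
}

# Report only. Add -Remediate to write the value, or -Remediate -WhatIf to preview.
Test-ClientAlwaysOnInternet
```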
Now, we need to create a configuration baseline (CB). Under Assets and Compliance, navigate to Compliance Settings > Configuration Baselines. Click the Create Configuration Baseline button in the top left-hand corner.
Give your CB a name. I am going to create a CB for workgroup computers only. For this guide, I am going to name the CB Workgroup Computers. Click Add and select the CI you created earlier. Leave all other settings as they are, and click OK.
Now, we need to deploy the CB. As you would with other MECM objects, right-click your newly created CB, and click Deploy.
Check the boxes next to Remediate noncompliant rules when supported and Allow remediation outside the maintenance window. When allowing remediation outside maintenance windows, make sure your remediation action does not trigger a system reboot.
Specify the collection for the configuration baseline deployment. For this guide, I am going to select All Systems; however, it is recommended that you scope your CBs to a less impactful device collection.
Specify the compliance evaluation schedule for this configuration baseline. For this guide, I am going to specify a Simple schedule of every 1 day.
Click OK. Your CB will now start to deploy to the endpoints in the device collection you specified.
To report on CI and CB compliance, under Monitoring, navigate to Overview > Reporting > Reports > Compliance and Settings Management. (Note that running reports in MECM requires the Reporting Services site role to be installed.)
Find and run the report Summary compliance by configuration items for configuration baseline.
For the Configuration Baseline Name parameter, select the CB you created earlier. This is the only required parameter; however, you can specify others. Click Run.
From this report, you can see a list of all CIs in the CB, the configuration type, compliance %, and multiple compliance statuses. This, in my opinion, is the most holistic report for reporting endpoint compliance.
Are you working with configuration baselines and configuration items in MECM (SCCM)?