Microsoft Endpoint Configuration Manager (MECM), formerly System Center Configuration Manager (SCCM), is systems management software that comes with several compliance-related features, including the ability to deploy configuration baselines (CBs) and configuration items (CIs) to ensure that the endpoints in your environment remain compliant with your organization's security policies. In this guide, I will show you how to create CIs and CBs, deploy a CB with automatic remediation to a device collection, and run compliance reports.

Launch the MECM console. If it is not yet installed on your admin workstation, the console installer (ConsoleSetup.exe) ships with the MECM installation media, which is available for download from the Microsoft Developer Network (MSDN) or the Volume Licensing Service Center (VLSC), and is also copied to the Tools\ConsoleSetup folder of an installed site server.

MECM Console

Under Assets and Compliance, navigate to Compliance Settings > Configuration Items. Let's start by creating a CI. Click the Create Configuration Item button in the top left-hand corner.

Create Configuration Item

Give your CI a name. I am going to create a CI that checks the value of a registry setting and applies an auto-remediation action to set the value to 1 if it is anything else. For this guide, I am going to name the CI Enable Client Always on Internet. Leave the default settings as they are, and click Next.

Enable Client Always on Internet

Select the versions of Windows that will assess the configuration item for compliance. If your CI is operating system-specific, you should scope the CI accordingly. Otherwise, click Next.

Client operating systems to assess compliance

Now, you're going to specify the actual compliance setting to check. Click New.

Specify settings for this operating system

Specify a name for your compliance setting. For registry settings, I typically use the name of the registry value itself. For this guide, I am going to name the compliance setting ClientAlwaysOnInternet.

For the Setting type, select Registry value.

For the Data type, select the type that matches your registry value. For this guide, I am going to select Integer, because ClientAlwaysOnInternet is a DWORD. Click the Browse button and navigate to the key and value you want to check compliance for; the browser reads the registry of the computer you point it at, so the value must already exist there. For this guide, I am going to navigate to the key HKLM\SOFTWARE\Microsoft\CCM\Security and select the value ClientAlwaysOnInternet. On 64-bit clients, make sure the This registry value is associated with a 64-bit application checkbox matches the application that owns the key; the MECM client is 64-bit on x64 Windows, so this key lives in the native view and the box should be checked, otherwise the client looks under WOW6432Node and reports the value as missing. Leave the other default settings as they are. Click the Compliance Rules tab.

Create Compliance Setting – General

By default, a compliance rule is created that specifies that the registry value itself must exist. An existence rule cannot be remediated, so we need an additional compliance rule that specifies the required value and remediates the setting when it is noncompliant (does not equal the specified value). Click New.

Specify a name for your compliance rule. For registry value rules, I typically put the value name followed by the word "is" and the required value. For this guide, I am going to name the compliance rule ClientAlwaysOnInternet is 1.

For the Operator, select Equals, and enter 1 for the For the following values setting. Check the box next to Remediate noncompliant rules when supported.

Optionally, for the Noncompliant severity for reports option, select a severity. For this guide, I am not going to select a severity.

Click OK, Apply, OK, and then Next.

Create Compliance Setting – Compliance Rules

You will see an overview of the compliance rules you just created.

Compliance Rules overview

Click Next twice and then Close.
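The Registry value setting type handles the check above without any script. When the condition is more involved than a single value, the same CI can instead use the Script setting type, where a discovery script returns the current state and an optional remediation script fixes it. The following PowerShell is an added example for that route and is not code from the article; the registry path and value are the article's, while the -Mode parameter is an assumption so that both halves can be tested from one file on a reference machine. In the console, the Discovery script box gets the shared header plus the Discover branch, and the Remediation script box gets the header plus the Remediate branch, with a compliance rule of "the value returned by the script" Equals 1 and remediation enabled on the rule.

```powershell
# Added example (not from the 4sysops article): script-based equivalent of the
# registry CI "ClientAlwaysOnInternet is 1". The -Mode switch is an assumption
# for local testing; MECM runs each box without arguments.
param(
    [ValidateSet('Discover', 'Remediate')]
    [string]$Mode = 'Discover'
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$ValueName = 'ClientAlwaysOnInternet'
$Expected  = 1

function Get-CurrentValue {
    # Returns the DWORD as an integer, or $null when the key or value is absent.
    # Discovery must never throw: an unhandled error makes the client report
    # "Error" rather than "Non-compliant", and an errored rule is not remediated.
    try {
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
        return [int]$item.$ValueName
    } catch {
        return $null
    }
}

switch ($Mode) {
    'Discover' {
        # Discovery box: emit exactly one integer on stdout and nothing else.
        # The rule "value returned by the script Equals 1" is evaluated against it;
        # a missing value is reported as 0 so it is simply non-compliant.
        $current = Get-CurrentValue
        if ($null -eq $current) { Write-Output 0 } else { Write-Output $current }
    }
    'Remediate' {
        # Remediation box: runs only when the rule evaluates non-compliant and
        # remediation is enabled on the rule and on the deployment.
        # -Force creates the value if it is missing and overwrites it if wrong.
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected `
            -PropertyType DWord -Force | Out-Null
    }
}
```

Three client-side settings decide whether this runs at all: scripts execute as SYSTEM unless Run scripts by using the logged on user credentials is selected on the setting; on x64 clients, check Run scripts by using the 64-bit scripting host, otherwise the 32-bit host is redirected to HKLM\SOFTWARE\WOW6432Node and never sees this key; and the PowerShell execution policy client setting must allow the script (with AllSigned, paste only code that has been signed).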

Now, we need to create a CB. Under Assets and Compliance, navigate to Compliance Settings > Configuration Baselines. Click the Create Configuration Baseline button in the top left-hand corner.

Create Configuration Baseline

Give your CB a name. I am going to create a CB for workgroup computers only. For this guide, I am going to name the CB Workgroup Computers. Click Add and select the CI you created earlier. Leave all other settings as they are, and click OK.

Creating Configuration Baseline

Now, we need to deploy the CB. As you would with other MECM objects, right-click your newly created CB, and click Deploy.

Deploying Configuration Baseline

Check the boxes next to Remediate noncompliant rules when supported and Allow remediation outside the maintenance window. Remediation only happens when it is enabled in both places, on the compliance rule (as above) and on the deployment, so a rule flagged for remediation does nothing if this box is left unchecked. When allowing remediation outside maintenance windows, make sure your remediation action does not trigger a system reboot.

Specify the collection for the configuration baseline deployment. For this guide, I am going to select All Systems; however, it is recommended that you scope your CBs to a smaller pilot collection first, since a remediation that misfires is applied to every member of the collection.

Specify the compliance evaluation schedule for this configuration baseline. For this guide, I am going to specify a Simple schedule of every 1 day.

Deploying Configuration Baselines options

Click OK. Your CB will now be deployed to the endpoints in the device collection you specified; each client picks it up on its next machine policy retrieval and then evaluates it on the schedule you set.
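Before trusting the site reports, it is worth confirming on one client that the baseline actually arrived, evaluated, and remediated the value. The following PowerShell is an added example, not part of the article: it reads the client's local baseline store in the root\ccm\dcm WMI namespace, triggers an evaluation, waits for the result, and checks the registry value independently of the reported status. It assumes Windows PowerShell 5.1 in an elevated session on a machine with the MECM client installed; the baseline name is the one created above.

```powershell
# Added example (not from the 4sysops article): client-side check of the
# "Workgroup Computers" baseline. Run elevated on an MECM client.
param(
    [string]$BaselineName   = 'Workgroup Computers',   # name from the article
    [int]   $TimeoutSeconds = 120                      # assumption: evaluation wait
)

$Ns = 'root\ccm\dcm'
# LastComplianceStatus values as reported by the client agent.
$ComplianceText = @{
    0 = 'Non-compliant'; 1 = 'Compliant'; 2 = 'Submitted'
    3 = 'Unknown';       4 = 'Detecting'; 5 = 'Not evaluated'
}

function Get-Baseline {
    # Baselines the client has received in machine policy.
    Get-WmiObject -Namespace $Ns -Class SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -eq $BaselineName }
}

function Format-BaselineStatus($bl) {
    $evalTime = if ($bl.LastEvalTime) {
        [Management.ManagementDateTimeConverter]::ToDateTime($bl.LastEvalTime)
    } else { 'never' }
    '{0} (v{1}): {2}, last evaluated {3}' -f $bl.DisplayName, $bl.Version,
        $ComplianceText[[int]$bl.LastComplianceStatus], $evalTime
}

$bl = Get-Baseline
if (-not $bl) {
    throw "Baseline '$BaselineName' is not in client policy yet. Run a Machine Policy Retrieval & Evaluation Cycle and retry."
}
'Before: ' + (Format-BaselineStatus $bl)

# Trigger an on-demand evaluation instead of waiting for the daily schedule.
$previousEval = $bl.LastEvalTime
([wmiclass]"${Ns}:SMS_DesiredConfiguration").TriggerEvaluation($bl.Name, $bl.Version) | Out-Null

# Wait until LastEvalTime changes (or give up after the timeout).
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds 5
    $bl = Get-Baseline
} until ($bl.LastEvalTime -ne $previousEval -or (Get-Date) -gt $deadline)
'After:  ' + (Format-BaselineStatus $bl)

# Verify the setting itself rather than trusting the reported status.
$actual = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\Security' `
    -Name ClientAlwaysOnInternet -ErrorAction SilentlyContinue).ClientAlwaysOnInternet
"ClientAlwaysOnInternet = $actual (expected 1)"
```

If the status stays at Not evaluated or the value is unchanged, the client logs in %WINDIR%\CCM\Logs (CIAgent.log, DCMAgent.log and DcmWmiProvider.log) show why. Note that the site-side reports discussed next lag behind this local view until the client's state messages have been sent and processed.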

To report on CI and CB compliance, under Monitoring, navigate to Overview > Reporting > Reports > Compliance and Settings Management. (Note that running reports in MECM requires the reporting services point site system role to be installed on a server with SQL Server Reporting Services.)

Find and run the report Summary compliance by configuration items for configuration baseline.

Summary compliance report

For the Configuration Baseline Name parameter, select the CB you created earlier. This is the only required parameter; however, you can specify others. Click Run.

From this report, you can see a list of all CIs in the CB, the configuration type, the compliance percentage, and the count of devices in each compliance state (compliant, noncompliant, error, unknown). This, in my opinion, is the most holistic report for endpoint compliance.

Summary of Compliance sample output

Are you working with configuration baselines and configuration items in MECM (SCCM)?

© 4sysops 2006 - 2023
