The Configuration Manager community is great! Many tools, scripts, and tips out there help the everyday SCCM administrator get the job done in an efficient way, saving time and money.
I still think configuration baselines are a very underused feature in Configuration Manager and always have been. Baselines are powerful, simple, and return information we can act on, and automatically act on as well. Automation is key!
If you haven't tried this out before, you can create a collection based on the compliance state of a configuration baseline. Right-clicking on the deployment provides an option to create a collection based on the compliance state.
I want to highlight four tools:
- Registry to PowerShell converter (Reg2CI) by Roger Zander
- PowerShell Policy Editor by Roger Zander
- Configuration Manager Remote Compliance by Trevor Jones
- Create ConfigMgr Configuration Items from Group Policy Object by Sam Roberts
Reg2CI by Roger Zander
You can just drop your .reg or .pol file into the tool, and you can create both a discovery and a remediation script for that registry setting as well. My example below shows the registry key that makes sure SCCM Remote Tools logs to the primary site server even if executed standalone.
Then we can simply paste the result to our CI in the SCCM admin console.
PowerShell Policy Editor by Roger Zander
More and more devices in organizations don't support Group Policy. Thus, the PowerShell Policy Editor is extremely useful. It's basically a web-based Group Policy editor that gives you the result in PowerShell. We also get all the benefits of the reports in SCCM whether we're applying the settings or not.
Convert-GPOtoCI by Sam Roberts
I have used ConfigMgr Configuration Items from Group Policy Object (Convert-GPOtoCI) a number of times. It can export a Group Policy or Resultant Set of Policy (RSOP) result either directly to a configuration item or to a .cab file that we can import in SCCM, which is great!
It does not create a PowerShell script like the tool I described earlier, but registry-based CIs instead. This fills a gap that the retired Security Compliance Manager has created. We can simply export our important Group Policies to CIs and baselines so we can make sure we've applied them.
The script can also add remediation to registry-based Group Policy settings so we can check them with a CI. I have used the tool to export the Microsoft Security Compliance Group Policies and import the settings that SCCM supports. This allowed me to make sure I configured them according to the Security Baseline.
Here is a sample command:
.\Convert-GPOtoCI.ps1 -GpoTarget "Windows 10 1709" -DomainTarget ccmexec.com -SiteCode 060 -ExportOnly
The screenshot below shows an example of the .cab files.
I strongly recommend that you check it out!
ConfigMgr Remote Compliance by Trevor Jones
ConfigMgr Remote Compliance is a great troubleshooting tool. It actually allows you to see the display from the SCCM control panel applet and the Configuration tab. You can trigger evaluations, view reports, and refresh the view.
These are the requirements for running it against a remote computer:
- At least PowerShell 5 on the host computer
- At least PowerShell 3 on the target computer
- PowerShell remoting enabled
- Local administrator privilege on the target computer
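The four requirements above can be verified before launching the tool. The following pre-flight check is an added example, not part of ConfigMgr Remote Compliance or the original article; the function name Test-RemoteCompliancePrereq and the computer name PC-EXAMPLE01 are hypothetical.

```powershell
# Added example: checks the four requirements listed above against one target.
# 'PC-EXAMPLE01' is a constructed placeholder computer name.
function Test-RemoteCompliancePrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    $result = [ordered]@{
        ComputerName      = $ComputerName
        HostPSVersionOk   = $PSVersionTable.PSVersion.Major -ge 5   # host needs PowerShell 5+
        RemotingReachable = $false
        TargetPSVersionOk = $false
        IsLocalAdmin      = $false
    }

    # Test-WSMan only proves that a WinRM listener answers; it does not authenticate.
    try {
        Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
        $result.RemotingReachable = $true
    } catch {
        Write-Warning "WinRM not reachable on ${ComputerName}: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # The script block returns a plain hashtable and uses New-Object so that it
    # also runs on an old PowerShell 2 target and can report the version honestly.
    try {
        $remote = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
            $principal = New-Object Security.Principal.WindowsPrincipal($identity)
            @{
                PSMajor = $PSVersionTable.PSVersion.Major
                IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
            }
        }
        $result.TargetPSVersionOk = $remote.PSMajor -ge 3           # target needs PowerShell 3+
        $result.IsLocalAdmin      = [bool]$remote.IsAdmin
    } catch {
        Write-Warning "Remote session to ${ComputerName} failed: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Test-RemoteCompliancePrereq -ComputerName 'PC-EXAMPLE01'
```

Any property that comes back as False points to the requirement that still has to be fixed on the host or the target.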
If you aren't using CIs and baselines, I urge you to work with SCCM community tools. Many great solutions out there can help you in administering Configuration Manager.