- Remote help for Intune and Microsoft Endpoint Manager - Tue, Jan 25 2022
- Windows 10/11 Azure AD/Intune Enterprise subscription is not valid - Mon, Nov 8 2021
- Upgrade from Windows 10 to Windows 11 with Setupconfig.ini and Intune - Wed, Sep 22 2021
The Configuration Manager community is great! Many tools, scripts, and tips out there help the everyday SCCM administrator get the job done in an efficient way, saving time and money.
I still configuration baselines are a very underused feature in Configuration Manager and always have been. Baselines are powerful, simple, and return information we can act on, and automatically act on as well. Automation is key!
If you haven't tried this out before, you can create a collection based on the compliance state of a configuration baseline. Right-clicking on the deployment provides an option to create a collection based on the compliance state.
Create a collection based on compliance
I want to highlight four tools:
- Registry to PowerShell converter (Reg2CI) by Roger Zander
- PowerShell Policy Editor by Roger Zander
- Configuration Manager Remote Compliance by Trevor Jones
- Create ConfigMgr Configuration Items from Group Policy Object by Sam Roberts
Reg2CI by Roger Zander
If you want to create a PowerShell script to use as a SCCM CI to check for a registry key and modify it, Roger Zander has created a cool web tool.
You can just drop your .reg or. pol file into the tool, and you can create both a discovery and a remediation script for that registry setting as well. My example below shows the registry key that makes sure SCCM Remote Tools logs to the primary site server even if executed standalone.
Registry to PowerShell converter
Then we can simply paste the result to our CI in the SCCM admin console.
PowerShell Policy Editor by Roger Zander
More and more devices in organizations don't support Group Policy. Thus, the PowerShell Policy Editor is extremely useful. It's basically a web-based Group Policy editor that gives you the result in PowerShell. We also get all the benefits of the reports in SCCM whether we're applying the settings or not.
PowerShell Policy Editor
Convert-GPOtoCI by Sam Roberts
I have used ConfigMgr Configuration Items from Group Policy Object (Convert-GPOtoCI) a number of times. It can export a Group Policy or Resultant Set of Policy (RSOP) result either directly to a configuration item or to a .cab file that we can import in SCCM, which is great!
It does not create a PowerShell script like the tool I described earlier, but registry-based CIs instead. This fills a gap that the retired Security Compliance Manager has created. We can simply export our important Group Policies to CIs and baselines so we can make sure we've applied them.
The script can also add remediation to registry-based Group Policy settings so we can check them with a CI. I have used the tool to export the Microsoft Security Compliance Group Policies and import the settings that SCCM supports. This allowed me to make sure I configured them according to the Security Baseline.
Here is a sample command:
.\Convert-GPOtoCI.ps1 -GpoTarget "Windows 10 1709" -DomainTarget ccmexec.com -SiteCode 060 -ExportOnly
The screenshot below shows an example of the of the .cab files.
CAB files created by Convert GPOtoCI
I strongly recommend that you check it out!
ConfigMgr Remote Compliance by Trevor Jones
ConfigMgr Remote Compliance is a great troubleshooting tool. It allows you actually to see the display from the SCCM control panel applet and the Configuration tab. You can trigger evaluations, view reports, and refresh the view.
ConfigMgr Remote Compliance
These are the requirements for running it against a remote computer:
Subscribe to 4sysops newsletter!
- At least PowerShell 5 on the host computer
- At least PowerShell 3 on the target computer
- PowerShell remoting enabled
- Local administrator privilege on the target computer
Conclusion
if you aren't using CIs and baselines, I urge you to work with SCCM community tools. Many great solutions out there can help you in administering Configuration Manager.
