SCCM – Assets & Compliance – Compliance settings – Configuration Item

Compliance Settings

Helps you make sure that resources in your environment are compliant with a standard and/or criteria you set. There are many built-in features like being able to check registry key/values, File system(File version,date, folder etc), Active directory Query, SQL Query, WQL Query and more. If that won´t help you then there´s also the option of being able to create your own script in for example VB and Powershell to help you determine if the node is compliant with the setting you are looking for (Freaking awesome!). If you know what you are looking for then there´s pretty much nothing stopping you from finding it.

If a node or device collection Is not compliant with the setting/criteria you have the option to set it to alert and it will show up under “Monitoring – Alert” or if you have an SMTP server available you can configure so SCCM will send an Email alert to specified receivers. One could also configure auto remediation for the setting.

Compliance Settings is a giant rabbit hole to explore but I´m going to go through some of the basics in the coming blogs but as I mentioned earlier the key thing is that you know what you are looking for.

Configuration Item 

Is the actual setting we want to check the compliance state off, here we will configure the what setting it is, how to determine if its compliant or not and what SCCM should do about it.

First thing we need to do is configure an item so go to Assets & Compliance – Compliance Settings and expand the menu.

Configuration Items - 01

Click on “Configuration item” in the menu to the left and then right-click and choose “Create Configuration Item”

Configuration Items - 02

Give the specific Item a name and click “next”, I´m just naming it Test-setting but you should name it so its pretty obvious what the Item is so can keep track of them later when you have a lot of them and every Item can be used multiple times and be included in several baselines but more on that later.

Configuration Items - 03

If the setting you have only exist on certain Windows versions you can filter it here so the item only will assess the specified OS, if the settings is OS independent then you can just have it to “select all” and click “next”

NOTE                                                                                                                                                                      This does not mean the item will get deployed to the selected OS´s, deployment will come later.

Configuration Items - 04

Under Settings click “New” to create a new setting

Configuration Items - 05

First name the setting then write a description about if you want and for this exercise choose Setting type “Registry Value”

Configuration Items - 07

And under “Data type” choose “String”

Configuration Items - 08

After that you need to specify  “Hive Name”, “Key Name” and “Value Name”. If you don´t know the specific path in your head you can use the “Browse” button and you will be able to browse to the specified Key and value and you can connect to remote computers.

When done lets continue and press “ok”

Configuration Items - 06

Click “next”

Configuration Items - 09

under “Compliance Rule” click “New”

Configuration Items - 10

Name the Rule and click “Browse” and choose the Setting you just created

Configuration Items - 10.5

Now you can either choose “Value” or “Existential”.

Configuration Items - 13

If you choose value you can determine if the registry value should comply with a specific value or not and Existential is if the key are compliant if it exist or not on the node.

Configuration Items - 12

Under “Noncompliance severity for reports” you can choose between

Configuration Items - 14

So if the node is non compliant what should happen regarding to reports.I´m going to choose “Critical” so that will generate a Critical Alert under Monitoring – Alerts.

Click “Ok”

Configuration Items - 15

Click “Next”

Configuration Items - 16

Click “next” until the wizard is completed and then “Close”

Configuration Items - 17

And now you have created your first Configuration Item and it should show up here:

Configuration Items - 18

There´s still some steps to go through before we can test our Configuration Item, In the next part I will be talking about Configuration Baseline and deployment.

If there´s any questions don´t hesitate to post them in the comment section below.

 

Cheers,

Timmy