Helps you make sure that resources in your environment are compliant with a standard and/or criteria you set. There are many built-in features like being able to check registry key/values, File system(File version,date, folder etc), Active directory Query, SQL Query, WQL Query and more. If that won´t help you then there´s also the option of being able to create your own script in for example VB and Powershell to help you determine if the node is compliant with the setting you are looking for (Freaking awesome!). If you know what you are looking for then there´s pretty much nothing stopping you from finding it.
If a node or device collection Is not compliant with the setting/criteria you have the option to set it to alert and it will show up under “Monitoring – Alert” or if you have an SMTP server available you can configure so SCCM will send an Email alert to specified receivers. One could also configure auto remediation for the setting.
Compliance Settings is a giant rabbit hole to explore but I´m going to go through some of the basics in the coming blogs but as I mentioned earlier the key thing is that you know what you are looking for.
Is the actual setting we want to check the compliance state off, here we will configure the what setting it is, how to determine if its compliant or not and what SCCM should do about it.
First thing we need to do is configure an item so go to Assets & Compliance – Compliance Settings and expand the menu.
Click on “Configuration item” in the menu to the left and then right-click and choose “Create Configuration Item”
Give the specific Item a name and click “next”, I´m just naming it Test-setting but you should name it so its pretty obvious what the Item is so can keep track of them later when you have a lot of them and every Item can be used multiple times and be included in several baselines but more on that later.
If the setting you have only exist on certain Windows versions you can filter it here so the item only will assess the specified OS, if the settings is OS independent then you can just have it to “select all” and click “next”
NOTE This does not mean the item will get deployed to the selected OS´s, deployment will come later.
Under Settings click “New” to create a new setting
First name the setting then write a description about if you want and for this exercise choose Setting type “Registry Value”
And under “Data type” choose “String”
After that you need to specify “Hive Name”, “Key Name” and “Value Name”. If you don´t know the specific path in your head you can use the “Browse” button and you will be able to browse to the specified Key and value and you can connect to remote computers.
When done lets continue and press “ok”
under “Compliance Rule” click “New”
Name the Rule and click “Browse” and choose the Setting you just created
Now you can either choose “Value” or “Existential”.
If you choose value you can determine if the registry value should comply with a specific value or not and Existential is if the key are compliant if it exist or not on the node.
Under “Noncompliance severity for reports” you can choose between
So if the node is non compliant what should happen regarding to reports.I´m going to choose “Critical” so that will generate a Critical Alert under Monitoring – Alerts.
Click “next” until the wizard is completed and then “Close”
And now you have created your first Configuration Item and it should show up here:
There´s still some steps to go through before we can test our Configuration Item, In the next part I will be talking about Configuration Baseline and deployment.
If there´s any questions don´t hesitate to post them in the comment section below.
Thank you for the information. It was very helpful. Is there anyway to take the non-compliant systems and automatically put them into a collection using WQL so they would get an application deployed to them?