Compliance Settings
Compliance Settings helps you make sure that resources in your environment are compliant with a standard and/or criteria you set. There are many built-in features, like being able to check registry keys/values, the file system (file version, date, folder etc.), Active Directory queries, SQL queries, WQL queries and more. If that won't help you, there's also the option of creating your own script in, for example, VB or PowerShell to help you determine if the node is compliant with the setting you are looking for (Freaking awesome!). If you know what you are looking for, there's pretty much nothing stopping you from finding it.
If a node or device collection is not compliant with the setting/criteria, you have the option to set it to alert and it will show up under “Monitoring – Alert”, or, if you have an SMTP server available, you can configure SCCM to send an email alert to specified receivers. One could also configure auto remediation for the setting.
Compliance Settings is a giant rabbit hole to explore. I'm going to go through some of the basics in the coming blogs but, as I mentioned earlier, the key thing is that you know what you are looking for.
If you haven't read the first part, which goes through Configuration Items, I recommend doing so.
https://timmyit.com/2016/05/02/sccm-assets-compliance-compliance-settings-configuration-item/
Configuration Baseline
Simply explained, a Configuration Baseline is a collection of one or more Configuration Items that creates a baseline for the specific group you would like to deploy it to. It can be, for example, a baseline that is only for the service desk and their computers. In other words, you create one or more items, put them into a baseline and then deploy that baseline to the device collection of your choice (if you don't know what a device collection is or need help creating one, check out my blog post about it Here).
Create a baseline
First of all, make sure that “Compliance evaluation on clients” is set to “Yes”. It's set to “Yes” by default, but it will save you a lot of headache to ensure that it actually is activated. Do so by clicking on “Administration” in the lower left and then on “client settings” in the upper left. Then right-click on the “Default Client settings” and go to “Compliance Settings”.
Then go to Assets and Compliance, click on the drop-down menu “Compliance Settings” and click on “Configuration Baseline”.
Then right-click and choose “Create Configuration Baseline”.
Input the name and description, then click on “add”, choose “Configuration Items” and continue with “ok”.
Here you select the Configuration Items you want to add to this Baseline; in this example we only have one. Click “add” and then “ok”.
The Configuration Baseline should now appear in the configuration menu as shown here.
If you want to see which Items are in the baseline, you can simply select the baseline, “right-click” on it and click on “show members”.
This will show you which Items are in the specified baseline.
Navigate back to the baseline. The next step is to deploy it to the device collection of your choice. To do that, you can either select the baseline, “right-click” and choose “Deploy”, or click on “deploy” in the upper center.
In this menu we will choose to “Generate an alert” and set “When the compliance is below” to 100%, since this is a super-duper important setting and it's crucial that everyone has it; if any node doesn't, we have to know. We will set the start date to 2016-05-04 and the time to 06:00 and then click on “browse” to select which device collection to deploy it to.
In the upper left menu choose “Device Collections”; by default it will have chosen “User collections”.
Locate the device collection of your choice and press “ok”.
Now we want to schedule the evaluation of this compliance to run every day, since it's super-duper important to have this setting. This will schedule the evaluation for 06:00 AM every day, so if any computer isn't compliant, the person in charge of following this up has the alert in SCCM first thing in the morning when he gets in to work.
So choose “Simple schedule”, “run every” “1” “days” and press “ok”.
Back at the Baseline overview, select the baseline we just created and click on “Deployments” in the bottom left corner. You will see the deployment we just made to the service desk device collection and that the compliance is 0% so far; that's because the evaluation hasn't started yet.
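The same create-and-deploy steps can also be scripted with the ConfigurationManager PowerShell module, which makes the deployment repeatable and reviewable. This is an added example, not part of the original walkthrough; the site code, baseline name, Configuration Item name and collection name are placeholders, and it assumes the Configuration Item already exists and that “Compliance evaluation on clients” is enabled.

```powershell
# Added example. All names below are placeholders, not values from the original post.
$SiteCode       = 'XXX'                         # placeholder site code
$BaselineName   = 'Example Baseline'            # hypothetical baseline name
$ItemName       = 'Example Configuration Item'  # hypothetical CI, must already exist
$CollectionName = 'Service Desk Computers'      # hypothetical device collection

# Load the module that ships with the admin console and switch to the site drive.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Fail early if the Configuration Item or the target collection is missing,
# so a typo cannot silently produce an empty or mis-targeted baseline.
$item = Get-CMConfigurationItem -Name $ItemName
if (-not $item) { throw "Configuration Item '$ItemName' not found." }
if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    throw "Device collection '$CollectionName' not found."
}

# Create the baseline once, then add the Configuration Item to it by its CI_ID.
if (-not (Get-CMBaseline -Name $BaselineName)) {
    New-CMBaseline -Name $BaselineName -Description 'Created by script' | Out-Null
}
Set-CMBaseline -Name $BaselineName -AddOSConfigurationItem $item.CI_ID

# Evaluate every day at 06:00, starting 2016-05-04 (the values used in this post).
$start    = [datetime]'2016-05-04T06:00:00'
$schedule = New-CMSchedule -Start $start -RecurInterval Days -RecurCount 1

# Deploy to the device collection and raise an alert when compliance is below 100%.
New-CMBaselineDeployment -Name $BaselineName `
    -CollectionName $CollectionName `
    -GenerateAlert $true `
    -ParameterValue 100 `
    -PostponeDateTime $start `
    -Schedule $schedule
```

Run it from a machine with the SCCM console installed, using an account that has rights to create and deploy baselines.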
So let's say that the next day has come and your task is to see if there are any Alerts in SCCM for the Baseline. Click on “Monitoring” in the lower left corner and then click on “Alerts”. You will see a notification about the “Recent Alerts” in the center, but I want you to click on “Active Alerts”.
Here you will see all the Alerts that are active right now.
You can right-click on an alert and choose from a few options on what to do with it (Sadly you can't choose to go directly to monitoring of the deployment to see which resources aren't compliant, why Microsoft why?)
Instead you can either go back to the configuration Baseline, select the baseline as we did before, click on “deployment” in the lower center and from there right-click on the deployment and click “View result”, or you can click directly on Deployments under monitoring.
Here you will see all the deployments in your environment and not just Baselines. Select the one you want to view and you will get some initial information in the lower half of the screen; you can see that we have 1 Compliant resource and 1 Non-compliant.
Select the deployment, right-click and then click on “View Status”.
This will give you information about exactly which device is compliant.
If you click on “non-compliant” you will see which devices aren't, and from here you can take the actions needed to make the device compliant.
This is all for now and I hope this was helpful for you. If you have any questions, don't hesitate to post them in the comments below.
Cheers,
Timmy