Guide – Configuration Item with Powershell discovery and remediation – String Compliance

This is a guide for Configuration Items and PowerShell. If you are new to Configuration Items and baselines I recommend you look at my previous blog post, which is more of an overview; in this post I will go more in depth on PowerShell discovery and remediation with the String compliance rule.

SCCM – Assets & Compliance – Compliance settings – Configuration Item

SCCM – Assets & Compliance – Compliance settings – Configuration Baseline


Foreword

So I’m not really sure where to start, but when I first learned about configuration baselines and that you could use scripts, and specifically PowerShell, I was totally stoked. I thought to myself, omg, there’s no limit to what one can do with this, and that is probably the case, but there are some caveats also. If you search for configuration baseline and PowerShell you will encounter a few posts about how it doesn’t work or that it works in very odd ways sometimes, and that is true. I have had my own problems with this, but that was also partly my lack of knowledge until I started to investigate it further. But with these guides I’m planning to show you the ways that work and hopefully you can make your own scripts and remediations.


This table is taken directly from Microsoft and shows what kind of output ConfigMgr is looking for when using scripts:


[Table from Microsoft showing how ConfigMgr interprets script output on stdout and stderr]

Goal

So the goal is to make a Configuration Item with a discovery PowerShell script that looks for a certain folder, and if the folder doesn’t exist we trigger a PowerShell remediation script that creates it.


Let’s get started

The discovery script further down in this post looks for a specific folder. This could also be done with the File system setting type, as shown below, but I’m using a script here to show how it would work if you wanted to use PowerShell.


Configuration Item properties

First of all we need to set the properties to “Setting Type – Script” and “Data type – String” for this example, and then we need to write a PowerShell script for both the Discovery Script and the Remediation Script.


Discovery Script


The script tries to find the folder TopSecret in C:\temp and puts the result into the variable $Topsecret. Next is the IF statement that checks whether $Topsecret contains anything: if it doesn’t, it populates the $Compliance variable with the string No; if it does (meaning the folder exists), it populates $Compliance with the string Yes. At the end we output the result by just calling the $Compliance variable, so that ConfigMgr can read the result of our query.



# $Topsecret is $null when the folder is missing. Without -ErrorAction SilentlyContinue
# Get-Item would write an error to the error stream, which ConfigMgr treats as a script
# error instead of a compliance result.
$Topsecret = (Get-Item C:\temp\TopSecret -ErrorAction SilentlyContinue)

if ($Topsecret -eq $null)
{$Compliance = "No"}
Else
{$Compliance = "Yes"}

# The only thing written to stdout: the string the compliance rule compares against
$Compliance


Compliance Setting

Here’s the compliance rule. We have selected the Rule type Value, set “The value returned by the specific script:” to “Equal”, and set the actual value itself to “Yes”. If the result is anything other than Yes it will trigger an alert and the remediation.



You have to configure the deployment properties with “Remediate noncompliant rules when supported”; forget to enable this and your remediation won’t trigger. Also use “Allow remediation outside of maintenance window” if that suits your specific needs.



Remediation Script



This creates a new folder called TopSecretRemediation:


New-Item -Path C:\temp -ItemType Directory -Name TopSecretRemediation
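As an added example (not the post’s own scripts), here are the discovery and remediation halves written the way I would deploy them together: the discovery script always emits exactly one string on stdout and keeps the error stream empty, since anything written there makes ConfigMgr report a script error rather than noncompliance, and the remediation creates the same folder the discovery checks. It assumes the folder is C:\temp\TopSecret and that the compliance rule is still “Equal” to “Yes”; swap $FolderPath for any other item and the pattern stays the same.

```powershell
# Added example, not the post's own scripts. Assumes discovery and remediation
# both target C:\temp\TopSecret and the rule is "value returned Equals Yes".

# ---------- Discovery script (paste into the Discovery Script box) ----------
$FolderPath = 'C:\temp\TopSecret'
try {
    # Test-Path returns $false for a missing folder instead of writing an error
    if (Test-Path -LiteralPath $FolderPath -PathType Container -ErrorAction Stop) {
        $Compliance = 'Yes'
    }
    else {
        $Compliance = 'No'
    }
}
catch {
    # Access denied or a malformed path: report noncompliant rather than letting
    # the exception reach the error stream, which would show up as a script error
    $Compliance = 'No'
}
# The single line on stdout is what the String compliance rule compares against
Write-Output $Compliance

# ---------- Remediation script (paste into the Remediation Script box) ----------
# Runs only when the discovery returned something other than "Yes"
$FolderPath = 'C:\temp\TopSecret'
if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
    # -Force also creates C:\temp if the parent folder itself is missing
    New-Item -Path $FolderPath -ItemType Directory -Force | Out-Null
}
```

On the next evaluation the discovery script finds the folder, returns Yes, and the report flips to Compliant with the remediation listed.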


Deployment

Once deployed, you just need to wait for the evaluation to run, which by default is set to every hour, or check out my blog post on how to trigger baseline evaluation remotely here. Once the evaluation is done you can check the report on the client to see if it’s compliant or not. To access this report, open a cmd window, run control smscfgrc, go to “Configurations”, select the baseline you want and click “View report”.



In the report you will see if it’s Compliant or not, and in the lower right corner you can see the remediation and what’s been done.



That’s all for now. Cheers, Timmy


7 comments

  1. I do not recommend using a Discovery definition based on a PowerShell script deployed to a user group, because the user can change his $Profile (for example add write-error “Always Error”) and the Compliance engine doesn’t use -NoProfile 🙁

    1. This has been fixed with CM 1810… since then the -profile switch has been added 🙂

  2. Hello,
    This is great, thank you for the detailed explanation. How would you modify the discovery PS to search not just in a specific location for a folder or file, but search the whole C: drive, and if it locates it anyway, return the compliance or non-compliance appropriately? I need to locate a file on a system, but it could be located in multiple locations on a system.

    Thanks!
