This is a guide to Configuration Items and PowerShell. If you are new to Configuration Items and baselines, I recommend you read my previous blog post, which is more of an overview; in this post I go deeper into PowerShell discovery and remediation scripts with a String compliance rule.
SCCM – Assets & Compliance – Compliance settings – Configuration Item
SCCM – Assets & Compliance – Compliance settings – Configuration Baseline
Foreword
So I'm not really sure where to start, but when I first learned about configuration baselines and that you could use scripts, specifically PowerShell, I was totally stoked. I thought to myself there is no limit to what one can do with this, and that is probably true, but there are some caveats. If you search for configuration baselines and PowerShell you will find a few posts about how it doesn't work, or works in very odd ways sometimes, and that is true; I have had my own problems with it, but that was partly my own lack of knowledge until I started to investigate further. With these guides I plan to show you the ways that do work, so that hopefully you can write your own discovery scripts and remediations.
The table below is taken directly from Microsoft and shows the kinds of output ConfigMgr expects from scripts for each data type.
Goal
The goal is to make a Configuration Item with a PowerShell discovery script that looks for a certain folder; if the folder doesn't exist, a PowerShell remediation script is triggered that creates it.
Let’s get started
The discovery script further down in this post looks for a specific folder. This could also be done with the File system setting type, as shown below, but I am using a script here only to show how it works when you want to use PowerShell.
Configuration Item properties
First we set the setting properties to "Setting type: Script" and "Data type: String" for this example. Then we need a PowerShell script for both the Discovery script and the Remediation script. Note that both scripts run as Local System unless you tick "Run scripts by using the logged on user credentials", so leave that unticked unless the check genuinely needs the user's context.
Discovery Script
The discovery script tries to get the folder TopSecret in C:\temp and puts the result into the variable $TopSecret. Next, the if statement checks whether $TopSecret is empty: if it is, the folder does not exist and $Compliance is set to the string No; otherwise the folder exists and $Compliance is set to Yes. At the end we output the result simply by calling $Compliance, so that ConfigMgr receives the result of our query. Two things to watch: Get-Item writes a non-terminating error when the path is missing, so suppress it with -ErrorAction SilentlyContinue, and nothing else should be written to the output stream, because ConfigMgr compares what the script outputs with the rule value.
# Look for the folder; a missing path yields $null instead of an error
$TopSecret = Get-Item -Path 'C:\temp\TopSecret' -ErrorAction SilentlyContinue
if ($TopSecret -eq $null) { $Compliance = "No" } else { $Compliance = "Yes" }
# The only output of the script: the string ConfigMgr compares with the rule
$Compliance
Compliance Setting
Here is the compliance rule. Rule type is set to Value, "The value returned by the specified script:" is set to Equals, and the value itself is Yes. If the result is anything other than Yes, the rule is non-compliant, which raises the alert and triggers remediation.
You have to set the deployment properties to "Remediate noncompliant rules when supported"; forget to tick this and your remediation won't run. Also tick "Allow remediation outside of maintenance window" if that suits your specific needs.
Remediation Script
Creates a new folder called TopSecretRemediation. Note that this is not the folder the discovery script checks for, so the CI will stay non-compliant and the remediation will run again on every evaluation; to make it converge, create the same folder the discovery script looks for (C:\temp\TopSecret).
# -Force keeps the call from erroring if the folder already exists from an earlier run
New-Item -Path C:\temp -ItemType Directory -Name TopSecretRemediation -Force
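The discovery and remediation pair below is an added example, not code from the original post. It pairs a discovery script with a remediation that creates the same folder the discovery checks, so the CI actually becomes compliant after remediation, and it adds a local dry run so you can see the pair converge before deploying it. The path C:\temp\TopSecret is an assumption carried over from the post, and the function names are mine.

```powershell
# Added example, not code from the original post. Discovery and remediation
# for the SAME folder, so the CI turns compliant after remediation runs.
# Assumption: the folder under test is C:\temp\TopSecret, as in the post.
$Target = 'C:\temp\TopSecret'

function Get-FolderCompliance {
    param([Parameter(Mandatory)][string]$Path)
    # Test-Path does not write to the error stream when the path is missing,
    # unlike Get-Item, so a missing folder yields "No" instead of an error.
    # Only this one string should reach stdout: anything else the script
    # writes ends up in the value ConfigMgr compares with the rule ("Yes").
    if (Test-Path -LiteralPath $Path -PathType Container) { 'Yes' } else { 'No' }
}

function Repair-FolderCompliance {
    param([Parameter(Mandatory)][string]$Path)
    # -Force makes the call idempotent if the remediation is re-run, and
    # New-Item -ItemType Directory creates missing parent folders as well.
    # Remediation output is not compared with the rule, so it is kept quiet.
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
}

# Discovery script for the CI: paste the Get-FolderCompliance function and
# $Target above, then end the script with this single call:
#     Get-FolderCompliance -Path $Target
# Remediation script for the CI: paste Repair-FolderCompliance and $Target,
# then end the script with:
#     Repair-FolderCompliance -Path $Target

# Local dry run (not part of the CI): evaluate, remediate, re-evaluate.
# A temp folder is used so nothing is left under C:\temp on the test machine.
$dryRun = Join-Path $env:TEMP ("ci-demo-" + [guid]::NewGuid())
"Before remediation: {0}" -f (Get-FolderCompliance -Path $dryRun)
Repair-FolderCompliance -Path $dryRun
"After remediation:  {0}" -f (Get-FolderCompliance -Path $dryRun)
Remove-Item -LiteralPath $dryRun -Recurse -Force
```

Run the dry run in an elevated PowerShell session on a test client. The first evaluation reports No, the remediation creates the folder, and the second evaluation reports Yes; that is exactly the transition ConfigMgr needs to see between two evaluation cycles for the baseline to flip from non-compliant to compliant.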
Deployment
Once deployed you just need to wait for the evaluation to run, which by default happens every hour, or check out my blog post on how to trigger baseline evaluation remotely here. Once the evaluation is done you can check the report on the client to see whether it is compliant or not. To open this report, open a cmd window, run control smscfgrc, go to the "Configurations" tab, select the baseline you want and click "View Report".
In the report you will see whether it is compliant or not, and in the lower right corner you can see the remediation and what has been done.
That's all for now, Cheers Timmy
I do not recommend using a discovery definition based on a PowerShell script deployed to a user group, because the user can change his $Profile (for example add Write-Error "Always Error") and the compliance engine doesn't use -NoProfile 🙁
That is a really good point you make, and there's actually a UserVoice for just that, wanting a -NoProfile option added:
https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/8342922-compliance-settings
I have already voted for this and hopefully more people will.
Yep, already twice 🙂 Thanks!
This has been fixed with CM 1810... since then the -profile switch has been added 🙂
.. continuation
add to $profile
Write-Error “Always Error”; exit 1
Hello,
This is great, thank you for the detailed explanation. How would you modify the discovery PS script to search not just a specific location for a folder or file, but the whole C: drive, and if it locates it anywhere, return compliance or non-compliance appropriately? I need to locate a file on a system, but it could be located in multiple locations on a system.
Thanks!