Hardware inventory – Add firmware property to WMI class Win32_Diskdrive in ConfigMgr

 

There was a question in the Tech Konnect Facebook group the other day about whether there is any way of collecting the disk name and firmware version from your clients in ConfigMgr.

Yes, you can do this with Hardware inventory and the Win32_DiskDrive WMI class, using the properties Caption and Firmware Revision. The catch is that Firmware Revision isn’t available by default, so we need to add it to the Win32_DiskDrive class in ConfigMgr Hardware inventory, and I’m going to show you how to do this with PowerShell.

 

Getting started

First of all, let’s have a look at a Win10 client PC to show the information we want to gather. Caption is a good way of finding out the name and model of the disk, though different manufacturers have their own way of naming things, and Firmware Revision tells us what firmware it’s running.

 

Get-WmiObject -Class Win32_DiskDrive | Format-List -Property Caption, Firmwarerevision

 

 

 

In ConfigMgr, open the Hardware Inventory classes: Administration – Client Settings – <Your Client Setting> – Properties – Hardware Inventory – Set Classes

We can see that under the Win32_DiskDrive class we already have Caption but there’s no Firmware Revision property to be found.

 

 

 

Adding Firmware Revision to the Win32_DiskDrive class in ConfigMgr

 

We are going to do this with PowerShell, and here’s the script.

Note: Make sure to modify the $Namespace variable so that the Site_Code is correct for your environment

 

  

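# Modify the namespace so the site code matches your environment
$Namespace = "root\SMS\site_TS1"

# Get the hardware inventory class definition for Win32_DiskDrive from the SMS provider
$Win32_DiskDrive = (Get-WmiObject -Namespace $Namespace -Class SMS_InventoryClass -ComputerName localhost | Where-Object {$_.ClassName -like "Win32_DiskDrive"})
$Classprop = [wmiclass]"$($Namespace):SMS_InventoryClassProperty"

# Skip the change if the property is already present, so a second run does not append it again
if ($Win32_DiskDrive.Properties.PropertyName -notcontains 'FirmwareRevision')
{
    $Prop = $Classprop.CreateInstance()
    $Prop.PropertyName = 'FirmwareRevision'
    $Prop.IsKey = $false
    $Prop.Type = 8    # CIM type 8 = string
    $Win32_DiskDrive.Properties += [System.Management.ManagementObject]$Prop
    $Win32_DiskDrive.Put()
}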

 

Run the script on your ConfigMgr Siteserver

 

 

Go back to ConfigMgr and Administration – Client Settings – <Your Client Setting> – Properties – Hardware Inventory – Set Classes

Under Win32_DiskDrive you will now find “FirmwareRevision”. Mark that checkbox and press “ok”.

 

 


Now you need to wait for the next Hardware inventory data to get back into ConfigMgr, and once that’s done you can go to “Assets and Compliance – Devices – <Right click on a Client> – Start – Resource Explorer”

 

 

 

From here go to “Hardware – Disk Drives” and double click on the row to the right for the disk you want to look at. You will get a list of all properties, and there you also have Firmware Revision.

 

 

 

Now that you have the data in ConfigMgr you can make a report out of it, build collections and so on.

Post any question below or hit me up on twitter.

 

 

Until next time, cheers !


Making a GUI with Powershell Studio to run cmrcviewer.exe with logging

 

 

I did a blog post a few weeks back about how to do logging with Cmrcviewer and PowerShell (Here)

That works great, but if you intend to give it to someone else, for example the help desk, you might want to consider making a GUI for it instead of having a PowerShell prompt running all the time. That’s exactly what I want to showcase: how to make a simple GUI with the help of PowerShell Studio 2016 from SAPIEN. I’ve been using PowerShell Studio for almost a year now when I need to make a GUI, and I really like how simple it is as soon as you understand how it works. They have a 45-day trial version where you can try it out with some limitations, and I highly recommend you try it out.

 

 

 

Until next time, cheers Timmy !


Beginner Guide – How to populate device collection with the help of AD groups

 

I’ve wanted to try making guides in a video format for some time, mainly because some things are easier to show in a video and it takes less time to prepare compared to writing a full blog post. So this is my first attempt, and I will definitely change some things for the next ones. It’s all trial and error, and it’s my first YouTube video ever.

 

What do we want to achieve?

We want to be able to link Active Directory groups directly to device collections, so that if we add a computer to an Active Directory group it will sync and then be added to the device collection we linked the AD group with. It’s very simple and here’s how it’s done:

 

 

Here’s the WQL query mentioned in the guide:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SecurityGroupName = "COMPANY\\Special group"

 

 


Cheers,  Timmy

 

Alternative workaround if SUP Endpoint definition deployment fails

 

There will come a day when something isn’t working as it should any more. When that day arrives we have to be able to assess the situation and be prepared to take the necessary action to solve it. A big part of our job as administrators is to solve problems and come up with solutions. One important thing to always consider when troubleshooting is whether there’s another way to achieve the same result than the one that just broke: a temporary workaround until you have figured out what the actual cause of the problem is and how to fix it.

In this scenario we are playing with the idea that the ADR is broken, or just that Endpoint Protection definitions aren’t being deployed successfully any more, and after some brief troubleshooting one realizes that it will probably take some time until the cause of the problem is found. What do you do in the meantime?

 

Goal

We want to have an alternative way of getting the latest Endpoint Protection definitions and deploying them to all the machines that need them on a set schedule, so we get the same result as if the ordinary definition deployment was working properly. We will do this with the help of ConfigMgr, PowerShell and scheduled tasks.

 

In ConfigMgr we will make a package containing the latest definitions to be deployed. With PowerShell we will download the latest definitions and update the package source files when there are new ones, and we will make a scheduled task that runs this PowerShell script 3 times a day, every 8 hours.

 

The Script


# Configuration and variables 

[String]$SourcePath = "D:\Packages\Endpoint Definitions"
$DeploymentPackage = ("Endpoint Definition Delta x64" ,"Endpoint Definition Delta x86")

[String]$FullDefExe = "mpam-fe.exe"
[String]$DeltaDefExe = "mpam-d.exe"
[String]$NisDefExe = "nis_full.exe"

[String]$SCCMmodule = "D:\program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
Import-Module $SCCMmodule
# Creating folder structure 

$Allpaths = "$Sourcepath\x64\Full", "$Sourcepath\x64\Delta", "$Sourcepath\x64\Nis", "$Sourcepath\x86\Full", "$Sourcepath\x86\Delta", "$Sourcepath\x86\Nis"
Foreach ($Paths in $Allpaths)
{
If (Test-Path "$Paths")
{}
Else
{New-Item -Path $Paths -ItemType Directory}
}

# Downloading Updates

$Fullx64 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64", "$($SourcePath)\x64\Full\$FullDefExe")
$Deltax64 = ("http://go.microsoft.com/fwlink/?LinkId=211054", "$($SourcePath)\x64\Delta\$DeltaDefExe")
$Nisx64 = ("http://go.microsoft.com/fwlink/?LinkId=197094", "$($SourcePath)\x64\Nis\$NisDefExe")

$Fullx86 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86", "$($SourcePath)\x86\Full\$FullDefExe")
$Deltax86 = ("http://go.microsoft.com/fwlink/?LinkId=211053", "$($SourcePath)\x86\Delta\$DeltaDefExe")
$Nisx86 = ("http://go.microsoft.com/fwlink/?LinkId=197095", "$($SourcePath)\x86\Nis\$NisDefExe")

$WebClient = New-object System.Net.WebClient

$WebClient.DownloadFile($Fullx64[0], $Fullx64[1])
$WebClient.DownloadFile($Fullx86[0], $Fullx86[1])

$WebClient.DownloadFile($Deltax64[0], $Deltax64[1])
$WebClient.DownloadFile($Deltax86[0], $Deltax86[1])

$WebClient.DownloadFile($Nisx64[0], $Nisx64[1])
$WebClient.DownloadFile($Nisx86[0], $Nisx86[1])

# Update distribution point with latest patches, don't forget to modify the Set-Location to the correct site code

Set-Location TS1: 

Foreach ($Package in $DeploymentPackage)
{
Update-CMDistributionPoint -PackageName $Package
}

WordPress is messing with me and I’m not sure why. WP is adding what looks like HTML characters to the variables containing URLs “<a href=“ but that’s only when I post the full script. Under the dissecting part it doesn’t. The characters do not appear in the text editor at all. This is not the first time WP has added unwanted characters to the code snippets, but generally they appear while editing and can be removed manually. This time the characters don’t show up until it’s published and I can’t remove them. If anyone has an idea how to fix this please let me know.

 

Here’s the code in plain text

 

$Fullx64 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64", "$($SourcePath)\x64\Full\$FullDefExe")
$Deltax64 = ("http://go.microsoft.com/fwlink/?LinkId=211054", "$($SourcePath)\x64\Delta\$DeltaDefExe")
$Nisx64 = ("http://go.microsoft.com/fwlink/?LinkId=197094", "$($SourcePath)\x64\Nis\$NisDefExe")

$Fullx86 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86", "$($SourcePath)\x86\Full\$FullDefExe")
$Deltax86 = ("http://go.microsoft.com/fwlink/?LinkId=211053", "$($SourcePath)\x86\Delta\$DeltaDefExe")
$Nisx86 = ("http://go.microsoft.com/fwlink/?LinkId=197095", "$($SourcePath)\x86\Nis\$NisDefExe")

 

Dissecting the script

 

We start out with these 2 variables that you need to modify:

$DeploymentPackage needs to be changed to the name of the package you created that will be deployed (but you need to download the files before you create your package; more on that in the example section).

$SourcePath is the actual path to the source files. You just need to create the root folder and the script will create the rest.

 


$DeploymentPackage = ("Endpoint Definition Delta x64" ,"Endpoint Definition Delta x86")
[String]$SourcePath = "D:\Packages\Endpoint Definitions"

 

The next section needs only 1 change:

$SCCMmodule is the path where you have installed SCCM and should point to the ConfigurationManager.psd1 file that contains all the SCCM 2012 PowerShell cmdlets.

 


[String]$FullDefExe = "mpam-fe.exe"
[String]$DeltaDefExe = "mpam-d.exe"
[String]$NisDefExe = "nis_full.exe"

[String]$SCCMmodule = "D:\program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
Import-Module $SCCMmodule

 

Next up is the creation of the subfolders in the source path you specified earlier in the $SourcePath variable. No modification is needed here.

 


# Creating folder structure

$Allpaths = "$Sourcepath\x64\Full", "$Sourcepath\x64\Delta", "$Sourcepath\x64\Nis", "$Sourcepath\x86\Full", "$Sourcepath\x86\Delta", "$Sourcepath\x86\Nis"
Foreach ($Paths in $Allpaths)
{
If (Test-Path "$Paths")
{}
Else
{New-Item -Path $Paths -ItemType Directory}
}

 

The following section downloads the definitions to the correct folder.

 


$Fullx64 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64", "$($SourcePath)\x64\Full\$FullDefExe")
$Deltax64 = ("http://go.microsoft.com/fwlink/?LinkId=211054", "$($SourcePath)\x64\Delta\$DeltaDefExe")
$Nisx64 = ("http://go.microsoft.com/fwlink/?LinkId=197094", "$($SourcePath)\x64\Nis\$NisDefExe")

$Fullx86 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86", "$($SourcePath)\x86\Full\$FullDefExe")
$Deltax86 = ("http://go.microsoft.com/fwlink/?LinkId=211053", "$($SourcePath)\x86\Delta\$DeltaDefExe")
$Nisx86 = ("http://go.microsoft.com/fwlink/?LinkId=197095", "$($SourcePath)\x86\Nis\$NisDefExe")

$WebClient = New-object System.Net.WebClient

$WebClient.DownloadFile($Fullx64[0], $Fullx64[1])
$WebClient.DownloadFile($Fullx86[0], $Fullx86[1])

$WebClient.DownloadFile($Deltax64[0], $Deltax64[1])
$WebClient.DownloadFile($Deltax86[0], $Deltax86[1])

$WebClient.DownloadFile($Nisx64[0], $Nisx64[1])
$WebClient.DownloadFile($Nisx86[0], $Nisx86[1])

 

The last step updates the distribution point with the latest files that have been downloaded. Don’t forget to modify the Set-Location to your site code.

 


Set-Location TS1:

Foreach ($Package in $DeploymentPackage)
{
Update-CMDistributionPoint -PackageName $Package
}
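The script above fetches executables over plain http:// links and then pushes them to every client, so it is worth checking each file before the distribution point is updated. The following is an added example, not part of the original script: it downloads to a staging folder, verifies the Authenticode signature, and only then replaces the file in the package source. The function names and the staging folder are hypothetical, and the expected signer (Microsoft Corporation) is an assumption; the URLs, paths, package names and site code are the ones used in the post.

```powershell
# Added example: verify downloaded definition files before distributing them.
# Test-DefinitionSignature, Publish-VerifiedDefinition and $Staging are hypothetical names.

function Test-DefinitionSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: definition packages are signed by Microsoft Corporation
        [string]$ExpectedSigner = 'O=Microsoft Corporation'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # 'Valid' means the file hash matches the signature and the certificate chain is trusted
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        Write-Warning "$Path : unexpected signer $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

function Publish-VerifiedDefinition {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Destination,    # final path in the package source
        [Parameter(Mandatory)][string]$StagingFolder
    )
    if (-not (Test-Path -LiteralPath $StagingFolder)) {
        New-Item -Path $StagingFolder -ItemType Directory | Out-Null
    }
    $staged = Join-Path $StagingFolder ([guid]::NewGuid().ToString() + '.exe')
    $client = New-Object System.Net.WebClient
    try {
        $client.DownloadFile($Url, $staged)
        if (Test-DefinitionSignature -Path $staged) {
            # Only a verified file replaces the copy the package points at
            Move-Item -LiteralPath $staged -Destination $Destination -Force
            return $true
        }
        return $false
    }
    catch {
        Write-Warning "Download of $Url failed: $($_.Exception.Message)"
        return $false
    }
    finally {
        $client.Dispose()
        # Remove anything that was downloaded but not promoted
        if (Test-Path -LiteralPath $staged) { Remove-Item -LiteralPath $staged -Force }
    }
}

# Values from the post; only the staging folder is new (hypothetical)
[String]$SourcePath = "D:\Packages\Endpoint Definitions"
[String]$Staging = "D:\Packages\Endpoint Definitions Staging"
Import-Module "D:\program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"

$Downloads = @(
    @{ Url = "http://go.microsoft.com/fwlink/?LinkId=211054"; Destination = "$SourcePath\x64\Delta\mpam-d.exe" },
    @{ Url = "http://go.microsoft.com/fwlink/?LinkId=211053"; Destination = "$SourcePath\x86\Delta\mpam-d.exe" }
)

$AllVerified = $true
foreach ($d in $Downloads) {
    if (-not (Publish-VerifiedDefinition -Url $d.Url -Destination $d.Destination -StagingFolder $Staging)) {
        $AllVerified = $false
    }
}

if ($AllVerified) {
    Set-Location TS1:
    foreach ($Package in ("Endpoint Definition Delta x64", "Endpoint Definition Delta x86")) {
        Update-CMDistributionPoint -PackageName $Package
    }
}
else {
    Write-Warning "At least one definition file failed verification; distribution points were not updated."
}
```

A file that fails the check never reaches the package source, so the package keeps serving the last verified definitions until the next scheduled run.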

 

 

Example

 

Here I will go through all the steps necessary to set this up and make it work.

 

Start by creating your empty source folder.

 

Then run this part of the script. Modify the $SourcePath variable to the empty source folder you just created, and don’t forget to change the $SCCMmodule variable to the path where you have ConfigMgr installed.

 

If you want to see what the latest definitions are, you can do that here: https://www.microsoft.com/security/portal/definitions/whatsnew.aspx

 

# Configuration and variables
$DeploymentPackage = ("Endpoint Definition Delta x64" ,"Endpoint Definition Delta x86")
[String]$SourcePath = "D:\Packages\Endpoint Definitions"

[String]$FullDefExe = "mpam-fe.exe"
[String]$DeltaDefExe = "mpam-d.exe"
[String]$NisDefExe = "nis_full.exe"

[String]$SCCMmodule = "D:\program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
Import-Module $SCCMmodule



# Creating folder structure and downloading files 

$Allpaths = "$Sourcepath\x64\Full", "$Sourcepath\x64\Delta", "$Sourcepath\x64\Nis", "$Sourcepath\x86\Full", "$Sourcepath\x86\Delta", "$Sourcepath\x86\Nis"
Foreach ($Paths in $Allpaths)
{
If (Test-Path "$Paths")
{}
Else
{New-Item -Path $Paths -ItemType Directory}
}
# Downloading Updates
$Fullx64 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64", "$($SourcePath)\x64\Full\$FullDefExe")
$Deltax64 = ("http://go.microsoft.com/fwlink/?LinkId=211054", "$($SourcePath)\x64\Delta\$DeltaDefExe")
$Nisx64 = ("http://go.microsoft.com/fwlink/?LinkId=197094", "$($SourcePath)\x64\Nis\$NisDefExe")

$Fullx86 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86", "$($SourcePath)\x86\Full\$FullDefExe")
$Deltax86 = ("http://go.microsoft.com/fwlink/?LinkId=211053", "$($SourcePath)\x86\Delta\$DeltaDefExe")
$Nisx86 = ("http://go.microsoft.com/fwlink/?LinkId=197095", "$($SourcePath)\x86\Nis\$NisDefExe")

$WebClient = New-object System.Net.WebClient

$WebClient.DownloadFile($Fullx64[0], $Fullx64[1])
$WebClient.DownloadFile($Fullx86[0], $Fullx86[1])

$WebClient.DownloadFile($Deltax64[0], $Deltax64[1])
$WebClient.DownloadFile($Deltax86[0], $Deltax86[1])

$WebClient.DownloadFile($Nisx64[0], $Nisx64[1])
$WebClient.DownloadFile($Nisx86[0], $Nisx86[1])


 

When that’s done the source folder should be populated with the different definitions.

 

If you want both x86 and x64 definitions, create 2 packages. In this example I’m just planning to deploy the delta definitions.

 

The next step is to set a custom interval under scheduling so that these packages will run every 12 hours.

 

Next up is to create a scheduled task that will run the PowerShell script so we can get the latest definitions and update the package in SCCM. Before we do that we will create a .BAT script for the scheduled task to trigger, which in turn triggers the PowerShell script. This is because, in my own experience, triggering a PowerShell script directly from a scheduled task is a bit iffy, and it’s just more reliable to trigger a bat script that triggers the PowerShell script.

 

I will create the BAT script in C:\temp, where I also have my PowerShell script, and make it execute the following command:

 


powershell.exe -ExecutionPolicy Bypass -Command "C:\temp\SCEPDef.ps1"

 


 

Now let’s go to the Task Scheduler and create an advanced task that will run every 8 hours, so we always have the latest definitions since Microsoft releases new definitions 3 times a day.

 

Triggers will be

 


 

And Actions will trigger the .bat script we created earlier.
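The scheduled task runs whatever C:\temp\SCEPDef.ps1 and the .bat file contain, under the task’s account, every 8 hours, so neither file nor their folder should be writable by anyone except administrators. The following is an added example, not part of the original post, that lists every non-trusted principal with write or delete rights on those files and their parent folder. The function name, the trusted SID list and the .bat file name are assumptions (the post does not name the .bat file).

```powershell
# Added example: Get-UnexpectedWriter and $TrustedSids are hypothetical names.
# Well-known SIDs are used instead of account names so the check works on any OS language.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'   # NT SERVICE\TrustedInstaller
)

# Rights that allow a principal to change, replace or re-permission a file
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-UnexpectedWriter {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($item in $Path) {
        # Check the file and its parent folder: write access to the folder is enough to swap the file
        $targets = @($item, (Split-Path -Path $item -Parent)) |
            Where-Object { $_ -and (Test-Path -LiteralPath $_) }

        foreach ($target in $targets) {
            $acl = Get-Acl -LiteralPath $target
            # Explicit and inherited rules, with identities returned as SIDs
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

            foreach ($rule in $rules) {
                $isAllow     = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
                # Inherit-only entries apply to children, not to the object itself
                $inheritOnly = ([int]$rule.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
                $canWrite    = ([int]$rule.FileSystemRights -band [int]$WriteRights) -ne 0
                $sid         = $rule.IdentityReference.Value

                if ($isAllow -and -not $inheritOnly -and $canWrite -and ($TrustedSids -notcontains $sid)) {
                    [pscustomobject]@{
                        Path   = $target
                        Sid    = $sid
                        Rights = $rule.FileSystemRights
                    }
                }
            }
        }
    }
}

# Script path from the post; the .bat name is a placeholder for the file you created
$Findings = Get-UnexpectedWriter -Path 'C:\temp\SCEPDef.ps1', 'C:\temp\SCEPDef.bat'
if ($Findings) {
    $Findings | Sort-Object Path, Sid -Unique | Format-Table -AutoSize
}
else {
    Write-Output "Only trusted principals can modify the task's script files."
}
```

Any row in the output is a principal that could change what the scheduled task executes; moving the two files to a folder that only administrators can write to clears the findings.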

 

After that we are pretty much set. Don’t forget to point the source files on the package to the correct directory of the definition you want to deploy; you do this by right-clicking on the package and choosing Properties.

 

After all of this you can just run the scheduled task for the first time, and it will download the latest definitions and update the distribution points with the latest files. It will continue to do that every time the scheduled task runs. If you have the Configuration Manager R2 toolkit installed you can check this with the Content Library Explorer: look at the Time modified column, compare that date with the actual files in the source folder, and you can see which file is on the distribution point.

 

This is all for now and I hope this can come in handy for someone out there. If you liked this post or know someone who might, feel free to share it.

Cheers Timmy.

 


Guide – Configuration Item with Powershell discovery and remediation – String Compliance

This is a guide for Configuration Items and PowerShell. If you are new to Configuration Items and baselines I recommend you look at my previous blog posts, which are more of an overview. In this post I will go more in depth on PowerShell discovery and remediation with a String compliance rule.

SCCM – Assets & Compliance – Compliance settings – Configuration Item

SCCM – Assets & Compliance – Compliance settings – Configuration Baseline

 

Foreword

So I’m not really sure where to start, but when I first learned about configuration baselines and that you could use scripts, and specifically PowerShell, I was totally stoked. I thought to myself, omg, there’s no limit to what one can do with this, and that is probably the case, but there are some caveats also. If you search for configuration baseline and PowerShell you will encounter a few posts about how it doesn’t work or that it works in very odd ways sometimes, and that is true. I have had my own problems with this, but that was also partly my lack of knowledge until I started to investigate it further. With these guides I’m planning to show you the ways that work, and hopefully you can make your own scripts and remediations.

 

This is taken directly from Microsoft and shows what kind of output ConfigMgr is looking for when using scripts:

 

stderr

 

Goal

So the goal is to make a Configuration Item that has a PowerShell discovery script that looks for a certain folder, and if it doesn’t exist we will trigger a PowerShell remediation script that creates the said folder.

 

Let’s get started

As for the discovery script further down in this post, I’m trying to find a specific folder. This could also be done with the File system setting type, but I’m only doing this to show how it would work if you wanted to use PowerShell.

Configuration Item properties

First of all we need to set the properties to “Setting Type – Script” and “Data type – String” for this example, and then we need to make a PowerShell script for both the Discovery Script and the Remediation Script.

 

Discovery Script

 

 


 

 

The script tries to find the folder TopSecret in C:\temp and puts the result into the variable $Topsecret. The next step is the IF statement that checks whether $Topsecret contains anything. If it doesn’t, it populates the $Compliance variable with the string No, and if it does, meaning that the folder exists, it populates $Compliance with the string Yes. At the end we output the result by just calling the $Compliance variable so that ConfigMgr can get the result of our query.

 

 


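# -ErrorAction SilentlyContinue keeps a missing folder from writing an error to stderr
$Topsecret = (Get-Item C:\temp\TopSecret -ErrorAction SilentlyContinue)

if ($Topsecret -eq $null)
{$Compliance = "No"}
Else
{$Compliance = "Yes"}

# Output the result so ConfigMgr can compare it with the compliance rule
$Compliance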

 

Compliance Setting

Here’s the compliance rule. We have selected the Rule type as Value, “The value returned by the specific script:” is set to “Equal” and the actual value itself is “Yes”. If the result is anything other than Yes it will trigger an alert and remediation.

 

You have to configure the deployment properties to “Remediate noncompliant rules when supported”. Forget to activate this and your remediation won’t trigger. Also use “Allow remediation outside of maintenance window” if that’s suitable for your specific needs.

 

Remediation Script

 

 


 

 

Creates a new Folder called TopSecretRemediation


New-Item -Path C:\temp -ItemType Directory -Name TopSecretRemediation

 

Deployment

Once deployed you just need to wait for the evaluation to run, which by default is set to every hour, or check out my blog post on how to trigger baseline evaluation remotely here. Once the evaluation is done you can check the report on the client to see if it’s compliant or not. To access this report open up a cmd window, type control smscfgrc, go to “Configurations”, mark the baseline you want and click “View report”.

 

In the report you will see if it’s compliant or not, and in the lower right corner you can see the remediation and what’s been done.

 

That’s all for now, Cheers Timmy

 

SCCM – Assets & Compliance – Compliance settings – Configuration Baseline

Compliance Settings

Helps you make sure that resources in your environment are compliant with a standard and/or criteria you set. There are many built-in features, like being able to check registry keys/values, the file system (file version, date, folder etc.), Active Directory queries, SQL queries, WQL queries and more. If that won’t help you, there’s also the option of creating your own script in, for example, VB or PowerShell to help you determine if the node is compliant with the setting you are looking for (Freaking awesome!). If you know what you are looking for then there’s pretty much nothing stopping you from finding it.

If a node or device collection is not compliant with the setting/criteria, you have the option to set it to alert and it will show up under “Monitoring – Alert”, or if you have an SMTP server available you can configure SCCM to send an email alert to specified receivers. One could also configure auto remediation for the setting.

Compliance Settings is a giant rabbit hole to explore, but I’m going to go through some of the basics in the coming blogs. As I mentioned earlier, the key thing is that you know what you are looking for.

If you haven’t read the first part that goes through Configuration Items, I recommend doing so.

https://timmyit.com/2016/05/02/sccm-assets-compliance-compliance-settings-configuration-item/

 

Configuration Baseline

Simply explained, it is a collection of one or more Configuration Items that creates a baseline for the specific group you would like to deploy it to; it can be, for example, a baseline that is only for the service desk and their computers. In other words, you create one or more items, put them into a baseline and then deploy that baseline to the device collection of your choice (if you don’t know what a device collection is or need help creating one, check out my blog post about it Here).

Create a baseline

First of all, just make sure that “Compliance evaluation on clients” is set to “Yes”. It’s set to “Yes” by default, but it will save you a lot of headache to ensure that it actually is activated. Do so by clicking on “Administration” in the lower left and then on “client settings” in the upper left. Then right-click on the “Default Client settings” and go to “Compliance Settings”.

Then go to Assets and Compliance, click on the drop-down menu “Compliance Settings” and click on “Configuration Baseline”.

Then right-click and choose “Create Configuration Baseline”.

Input the name and description, then click on “add”, choose “Configuration Items” and continue with “ok”.

Here you select the Configuration Items you want to add to this baseline; in this example we just have one. Click “add” and then “ok”.

The Configuration Baseline should now appear in the configuration menu.

If you want to see which items are in the baseline, you can simply select the baseline, right-click on it and click on “show members”.

This will show you which items are in the specified baseline.

Navigate back to the baseline. The next step is to deploy it to the device collection of your choice. To do that you can either select the baseline, right-click and choose “Deploy”, or click on “deploy” in the upper center.

In this menu we will choose to “Generate an alert” and set “When the compliance is below” to 100%, since this is a super-duper important setting and it’s crucial that everyone has it; if any node doesn’t, we have to know. We will set the start date to 2016-05-04 and the time to 06:00, and then click on “browse” to select which device collection to deploy it to.

In the upper left menu choose “Device Collections”; by default “User collections” is selected.

Locate the device collection of your choice and press “ok”.

Now we want to schedule the evaluation of this compliance to run every day, since it’s super-duper important to have this setting. This will schedule the evaluation for 06:00 AM every day, so that if any computer isn’t compliant, the person in charge of following this up has the alert in SCCM first thing in the morning when he gets in to work.

So choose “Simple schedule”, “run every” “1” “days” and press “ok”.

Back at the baseline overview, select the baseline we just created and click on “Deployments” in the bottom left corner. You will see the deployment we just made to the service desk device collection and that the compliance is 0% so far; that’s because the evaluation hasn’t started yet.

So let’s say that the next day has come and your task is to see if there are any alerts in SCCM for the baseline. Click on “Monitoring” in the lower left corner and then click on “Alerts”. You will see a notification about the “Recent Alerts” in the center, but I want you to click on “Active Alerts”.

Here you will see all the alerts that are active right now.

You can right-click on an alert and choose from a few options on what to do with it (sadly you can’t choose to go directly to monitoring of the deployment to see which resources aren’t compliant, why Microsoft why?)

Instead you can either go back to the Configuration Baseline, select the baseline as we did before, click on “deployment” in the lower center, and from there right-click on the deployment and click “View result”, or you can click directly on Deployments under Monitoring.

Here you will see all the deployments in your environment and not just baselines. Select the one you want to view and you will get some initial information in the lower half of the screen; you can see that we have 1 compliant resource and 1 non-compliant.

Select the deployment, right-click and then click on “View Status”.

This will give you information about exactly which devices are compliant.

If you click on “non-compliant” you will see which devices aren’t, and from here you can take the actions needed to make the devices compliant.

 

This is all for now and I hope this was helpful for you. If you have any questions, don’t hesitate to post them in the comments below.

 

Cheers,

Timmy

SCCM – Assets & Compliance – Compliance settings – Configuration Item


Configuration Item 

Is the actual setting we want to check the compliance state of. Here we will configure what setting it is, how to determine if it’s compliant or not, and what SCCM should do about it.

The first thing we need to do is configure an item, so go to Assets & Compliance – Compliance Settings and expand the menu.

Click on “Configuration item” in the menu to the left, then right-click and choose “Create Configuration Item”.

Give the item a name and click “next”. I’m just naming it Test-setting, but you should name it so it’s pretty obvious what the item is, so you can keep track of them later when you have a lot of them. Every item can be used multiple times and be included in several baselines, but more on that later.

If the setting only exists on certain Windows versions you can filter it here so the item will only assess the specified OS. If the setting is OS independent you can just leave it at “select all” and click “next”.

NOTE: This does not mean the item will get deployed to the selected OSes; deployment will come later.

Under Settings click “New” to create a new setting.

First name the setting, then write a description if you want, and for this exercise choose Setting type “Registry Value”.

And under “Data type” choose “String”.

After that you need to specify “Hive Name”, “Key Name” and “Value Name”. If you don’t know the specific path by heart you can use the “Browse” button to browse to the specified key and value, and you can connect to remote computers.

When done, let’s continue and press “ok”.

Click “next”.

Under “Compliance Rule” click “New”.

Name the rule, click “Browse” and choose the setting you just created.

Now you can choose either “Value” or “Existential”.

If you choose Value you can determine whether the registry value should comply with a specific value or not, and Existential means compliance depends on whether the key exists on the node or not.

Under “Noncompliance severity for reports” you can choose between

So if the node is non-compliant, what should happen with regard to reports? I’m going to choose “Critical”, so that will generate a Critical alert under Monitoring – Alerts.

Click “Ok”.

Click “Next”.

Click “next” until the wizard is completed and then “Close”.

And now you have created your first Configuration Item.

There are still some steps to go through before we can test our Configuration Item. In the next part I will be talking about Configuration Baseline and deployment.

If there are any questions, don’t hesitate to post them in the comment section below.

 

Cheers,

Timmy