Maurice Daly, April 9. If you are new to ConfigMgr you might be fooled into thinking that the product is used only for deployment of operating systems and applications. So let's take a look at the role of the Configuration Baseline. Each of these configuration items is evaluated on a defined schedule for the purpose of reporting on compliance and for auditing.
The scope of what you can monitor and remediate is far-ranging; if you consider the range of possible values returned by one or more of the above methods, you will understand the power of this feature. For the purpose of this post we are going to take the example of implementing a script-driven client cache folder CB.
Before we look at implementing a configuration baseline, we must ensure that clients have the prerequisite client settings enabled, as covered below. For your clients to run your compliance baselines you will need to enable the compliance evaluation feature. To do so, edit your client settings by going to Administration > Client Settings within the console, selecting your deployed client settings and viewing their Properties. The PowerShell script used in this CI returns an integer value: the number of items stored within the client cache folder that are more than 14 days old.
Create configuration baselines in Configuration Manager
The remediation process contains an action to run in the event of the client falling outside of compliance. As you will see from the screenshots below, there is no real configuration to the CB when editing it, other than the items evaluated and the collections the CB is deployed to.
Obviously, for remediation to take place you must have a remediation task set, where the method you are using in the CI supports it. Your database admin might just come knocking on your door if you do! If you take note of the Scope ID listed in the log, you can quickly find the matching CB by opening a PowerShell session from the ConfigMgr console and running the following command. In this example I have taken the log file from a ConfigMgr distribution point which has a CB to keep its IIS log files down to a set retention period; you will see that the ID matches, confirming that the CB has been applied to the server in question.
I hope this has given you a high-level overview of what can be achieved with this powerful feature in ConfigMgr. As I mentioned, to get the most out of this feature I would recommend using the script CI approach, so I would encourage you to learn PowerShell scripting if you are not already familiar with it.
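The client cache CI described above needs two scripts: a discovery script that returns the count of stale cache items, and a remediation script that removes them. The pair below is an added example, not the post's own script, and it uses the ConfigMgr client SDK COM object (UIResource.UIResourceMgr with its GetCacheInfo, GetCacheElements and DeleteCacheElement members, and the ReferenceCount property on each cache element) rather than walking the ccmcache folder directly; the 14-day retention value and the use of that SDK are my assumptions. In the CI each script is pasted into its own field (discovery script and remediation script); they are shown in one block only for reading.

```powershell
# Added example (not the post's own script): discovery and remediation scripts for a
# script-based configuration item that counts client cache items older than 14 days.
# Assumption: the client SDK COM object UIResource.UIResourceMgr and its GetCacheInfo(),
# GetCacheElements() and DeleteCacheElement() members exist on the client, which is the
# case wherever the ConfigMgr client is installed.

# ---------- Discovery script (setting type Script, data type Integer) ----------
# Outputs the number of cache elements last referenced more than $RetentionDays ago.
# Compliance rule on the CI: the returned value must equal 0.
$RetentionDays = 14
$cutoff = (Get-Date).AddDays(-$RetentionDays)

$cacheInfo = (New-Object -ComObject 'UIResource.UIResourceMgr').GetCacheInfo()
$stale = @($cacheInfo.GetCacheElements() | Where-Object { $_.LastReferenceTime -lt $cutoff })

# Write-Output (not Write-Host) so the value is what the CI evaluation engine reads.
Write-Output $stale.Count

# ---------- Remediation script (runs only when the discovery value is non-compliant) ----------
# Re-discovers the stale elements and removes them through the client SDK so that the
# cache index and the folders under ccmcache stay consistent with each other.
$RetentionDays = 14
$cutoff = (Get-Date).AddDays(-$RetentionDays)

$cacheInfo = (New-Object -ComObject 'UIResource.UIResourceMgr').GetCacheInfo()
foreach ($element in @($cacheInfo.GetCacheElements() | Where-Object { $_.LastReferenceTime -lt $cutoff })) {
    # Assumption: ReferenceCount > 0 means a deployment is still using the content; leave it alone.
    if ($element.ReferenceCount -gt 0) { continue }
    $cacheInfo.DeleteCacheElement($element.CacheElementId)
}
```

Because the remediation script receives no input from the discovery script, it repeats the discovery logic before deleting anything; the next scheduled evaluation then reports 0 and the CI returns to compliant.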
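The Scope ID lookup described above, as an added example rather than the author's own command: it extracts the ScopeId/Baseline identifier from a client log line and resolves it to the baseline in the site. Assumptions: it runs in a PowerShell session launched from the ConfigMgr console (the module loaded and the site drive selected; the two commented lines do that otherwise, with "P01" as a placeholder site code), the CI_UniqueID property on the baseline object carries the scope identifier, and the log line is constructed for the example.

```powershell
# Added example (not the post's own command): resolve a ScopeId/Baseline id from a log
# line to the matching configuration baseline. Assumes the ConfigurationManager module
# and site drive are already available in a console-launched session.

# Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
# Set-Location 'P01:'   # placeholder site code

# Constructed sample log line in the style of a client compliance log.
$logLine = 'Evaluating baseline ScopeId_00000000-1111-2222-3333-444444444444/Baseline_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee on client IISLOGDP01 DCMAgent 4/9/2019 08:00:00 1234 (0x04D2)'

if ($logLine -match 'ScopeId_[0-9A-Fa-f-]+/Baseline_[0-9A-Fa-f-]+') {
    $scopeId = $Matches[0]

    # Assumption: CI_UniqueID on the baseline object has the same ScopeId_.../Baseline_... form.
    $baseline = Get-CMBaseline | Where-Object { $_.CI_UniqueID -eq $scopeId }

    if ($baseline) {
        $baseline | Select-Object LocalizedDisplayName, CI_ID, CI_UniqueID, DateLastModified
    } else {
        Write-Warning "No baseline in this site has CI_UniqueID $scopeId"
    }
} else {
    Write-Warning 'No ScopeId/Baseline identifier found in the log line'
}
```

Matching on CI_UniqueID rather than the display name is deliberate: the name can be changed in the console, while the scope identifier stays fixed across revisions, so it is the value worth comparing against what the client logged.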
Maurice has been working in the IT industry for the past 18 years and is currently working in the role of Senior Cloud Architect with CloudWay.
Great article! Are you aware of anything like that?
I am not aware of a public repository of configuration items and baselines, but it is something we could look at doing.
The Configuration Manager community is great!
Many tools, scripts, and tips out there help the everyday SCCM administrator get the job done in an efficient way, saving time and money. I still think configuration baselines are a very underused feature in Configuration Manager and always have been.
Baselines are powerful, simple, and return information we can act on, and automatically act on as well. Automation is key! If you haven't tried this out before, you can create a collection based on the compliance state of a configuration baseline. Right-clicking on the deployment provides an option to create a collection based on the compliance state.
I want to highlight four tools. You can just drop your. My example below shows the registry key that makes sure SCCM Remote Tools logs to the primary site server even if executed standalone. More and more devices in organizations don't support Group Policy. Thus, the PowerShell Policy Editor is extremely useful. It's basically a web-based Group Policy editor that gives you the result in PowerShell.
We also get all the benefits of the reports in SCCM whether we're applying the settings or not. It does not create a PowerShell script like the tool I described earlier, but registry-based CIs instead. This fills a gap left by the retired Security Compliance Manager.
We can simply export our important Group Policies to CIs and baselines so we can make sure we've applied them. The script can also add remediation to registry-based Group Policy settings so we can check them with a CI. This allowed me to make sure I configured them according to the Security Baseline. ConfigMgr Remote Compliance is a great troubleshooting tool.
It actually lets you see the same display as the Configuration tab of the SCCM control panel applet. You can trigger evaluations, view reports, and refresh the view. Many great solutions out there can help you in administering Configuration Manager.
This topic contains common scenarios to help you learn how to create and deploy Configuration Manager configuration baselines.
If you are already familiar with compliance settings, you can find detailed documentation about all the features you use in the Create configuration baselines and Deploy configuration baselines topics.
Before you start, read Get started with compliance settings to learn some basics about compliance settings, and also read Plan for and configure compliance settings to implement any necessary prerequisites. In this example, you've created a configuration item for only Windows 10 PCs that run the Configuration Manager client. This configuration item enforces a required password of at least 6 characters on Windows 10 PCs. The configuration item is named Windows 10 Password Enforcement.
Use the following procedure to learn how to add this configuration item to a configuration baseline to prepare it for deployment. In the Create Configuration Baseline dialog box, configure the following settings. In the Add Configuration Items dialog box, select the Windows 10 Password Enforcement configuration item that you previously created, then click Add.
You can now see the configuration baseline in the Configuration Baselines node of the Configuration Manager console. In this example, you deploy the configuration baseline you created in the previous procedure to a collection of computers.
On the Home tab, in the Deployment group, click Deploy. In the Deploy Configuration Baselines dialog box, configure the following settings. Selected configuration baselines - Ensure that the Windows 10 Passwords configuration baseline was automatically added to this list. Remediate noncompliant rules when supported - Check this box to ensure that if the correct settings are not present on targeted devices, they are remediated by Configuration Manager.
Collection - Click Browse to choose the collection of computers on which the configuration baseline is evaluated and remediated for compliance. In this example, the configuration baseline was deployed to the built-in All Desktop and Server Clients collection. Don't worry if the collection you choose contains computers or devices that don't run Windows 10. As long as you configured supported platforms in the configuration item you created, only Windows 10 PCs are evaluated for compliance.
If necessary, configure the schedule by which the configuration baseline is evaluated. Otherwise, keep the default of 7 Days. If you want to take a quick look at compliance statistics for this deployment, in the Monitoring workspace, click Deployments.
In Configuration Manager, baselines are used to define the configuration of a product or a system that is established at a specific point in time, capturing both structure and details.
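The create-and-deploy scenario above, done with the ConfigMgr PowerShell cmdlets instead of the console. This is an added example, not code from the Microsoft documentation; it assumes a PowerShell session launched from the console (module loaded, site drive selected), that the configuration item named in the scenario already exists, and that the Set-CMBaseline and New-CMBaselineDeployment parameter names are as I recall them (check with Get-Help if your module version differs).

```powershell
# Added example (not from the documentation): create the baseline, attach the existing
# configuration item as a required item, and deploy it with remediation and the default
# 7-day schedule. Assumes a console-launched session on the site drive.
$ciName       = 'Windows 10 Password Enforcement'     # CI from the scenario above
$baselineName = 'Windows 10 Passwords'                # baseline name from the scenario above
$collection   = 'All Desktop and Server Clients'      # built-in collection used in the scenario

# 1. Create the baseline and attach the CI by its CI_ID as a required item.
$ci = Get-CMConfigurationItem -Name $ciName
if (-not $ci) { throw "Configuration item '$ciName' not found in this site" }

$null = New-CMBaseline -Name $baselineName -Description 'Require a password of at least 6 characters on Windows 10'
Set-CMBaseline -Name $baselineName -AddRequiredConfigurationItems $ci.CI_ID

# 2. Deploy to the collection: remediate when supported, evaluate every 7 days.
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 7
New-CMBaselineDeployment -Name $baselineName -CollectionName $collection `
    -EnableEnforcement $true -Schedule $schedule

# 3. Show the result so the deployment can be found again in the Monitoring workspace.
Get-CMBaseline -Name $baselineName | Select-Object LocalizedDisplayName, CI_ID, CI_UniqueID
```

Because the CI already restricts itself to Windows 10 through its supported platforms, deploying to the broad All Desktop and Server Clients collection is safe: other operating systems simply report the CI as not applicable rather than non-compliant.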
Configuration baselines in Configuration Manager contain a defined set of desired configurations that are evaluated for compliance as a group. Configuration baselines contain one or more configuration items with associated rules, and they are assigned to computers through collections, together with a compliance evaluation schedule. Although you can assign configuration baselines to a collection that contains users, the configuration baselines will be evaluated only by computers in the collection, and not by users in the collection.
You can create your own configuration baselines with the Configuration Manager console, and you can import configuration baselines from the following sources. Custom authored configuration baselines from within your own organization, but external to Configuration Manager. When configuration baselines are imported, unless they were originally created in the same Configuration Manager site, you will not be able to directly modify them in the Configuration Manager console.
If you need to refine the configuration items to meet your business requirements, the recommended path is to edit the duplicated baseline and replace the configuration items with your edited child configuration items. Configuration baseline rules are used to specify how the configuration items that are included in the configuration baseline are to be assessed for compliance on client computers.
There are fixed types of configuration baseline rules that cannot be changed in Configuration Manager.
Configuration items can be added to the following configuration baseline rules. One of the following operating system configuration items must be present and properly configured. These applications and general configuration items are required and must be properly configured.
If these optional application configuration items are detected, they must be properly configured.
Configuration baselines in Configuration Manager must be deployed to one or more collections of users or devices before client devices in those collections can assess their compliance with the configuration baseline.
Use the Deploy Configuration Baselines dialog box to define configuration baseline deployments, which includes adding or removing configuration baselines from deployments in addition to specifying the evaluation schedule.
In the Configuration Baselines list, select the configuration baseline that you want to deploy, and then in the Home tab, in the Deployment group, click Deploy. In the Deploy Configuration Baselines dialog box, select the configuration baselines that you want to deploy in the Available configuration baselines list.
Click Add to add these to the Selected configuration baselines list. If you change a configuration item that has been added to a deployed configuration baseline, the revised configuration item is not evaluated for compliance until its next scheduled evaluation time.
Remediate noncompliant rules when supported — Automatically remediates any rules that are noncompliant for Windows Management Instrumentation (WMI), the registry, scripts, and all settings for mobile devices that are enrolled by Configuration Manager. Allow remediation outside the maintenance window — If a maintenance window has been configured for the collection to which you are deploying the configuration baseline, enable this option to let compliance settings remediate the value outside of the maintenance window.
For more information about maintenance windows, see How to use maintenance windows. Generate an alert — Configures an alert that is generated if the configuration baseline compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to System Center Operations Manager. Collection - Click Browse to select the collection where you want to deploy the configuration baseline.
Specify the compliance evaluation schedule for this configuration baseline — Specifies the schedule by which the deployed configuration baseline is evaluated on client computers. This can be either a simple or a custom schedule. If the configuration baseline is deployed to a computer, it is evaluated for compliance within two hours of the start time that you schedule.
If it is deployed to a user, it is evaluated for compliance when the user logs on. For more information about how to monitor the deployment, see Monitor compliance settings.
During this process I wanted to automate collection memberships based on the results of the validation. All you need to do is navigate to Configuration Baselines and select the baseline you want to use.
Use the Create New Collection option to select the compliance state you want. This will create a new collection with a query whose members are selected by the compliance state of the baseline. The new collection will be limited to the target collection of the deployment, and the query will look like this. If you want to create a collection for all devices that are not compliant, e.
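The compliance-state collection described here (and mentioned earlier in the 4sysops post as something to create from the deployment's right-click menu) can also be built with the cmdlets. The block below is an added example, not the author's query or code; it goes a little beyond the text by taking the desired state as a parameter. Assumptions: a console-launched session on the site drive, the server WMI class SMS_CI_CurrentComplianceStatus with CI_ID, ResourceID and ComplianceState properties, and the state codes 1 = compliant, 2 = non-compliant and 4 = error, which I take from the SDK and you should confirm against an auto-generated collection in your own site.

```powershell
# Added example (not the author's code): build a device collection whose members are the
# clients in a given compliance state for a deployed baseline. Assumes a console-launched
# session with the ConfigurationManager module loaded and the site drive selected.
function New-BaselineStateCollection {
    param(
        [Parameter(Mandatory)] [string] $BaselineName,
        [Parameter(Mandatory)] [string] $LimitingCollectionName,   # the deployment's target collection
        [ValidateSet('Compliant', 'NonCompliant', 'Error')] [string] $State = 'NonCompliant'
    )

    # Assumption: ComplianceState codes used by SMS_CI_CurrentComplianceStatus.
    $stateCode = @{ Compliant = 1; NonCompliant = 2; Error = 4 }[$State]

    $baseline = Get-CMBaseline -Name $BaselineName
    if (-not $baseline) { throw "Baseline '$BaselineName' not found in this site" }
    $ciId = $baseline.CI_ID

    # Same shape as the query the console generates: resource rows filtered by a
    # sub-select over the current compliance status of this baseline's CI_ID.
    $query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.ResourceId in
      (select ResourceID from SMS_CI_CurrentComplianceStatus
       where CI_ID = $ciId and ComplianceState = $stateCode)
"@

    $name = "$State - $BaselineName"
    $collection = New-CMDeviceCollection -Name $name -LimitingCollectionName $LimitingCollectionName -RefreshType Periodic
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -QueryExpression $query -RuleName "$State with $BaselineName"
    return $collection
}

# Usage (names from the documentation scenario on this page):
New-BaselineStateCollection -BaselineName 'Windows 10 Passwords' `
    -LimitingCollectionName 'All Desktop and Server Clients' -State NonCompliant
```

Limiting the new collection to the deployment's own target collection matters: a client outside that collection never evaluates the baseline, so it has no compliance row at all and would otherwise be silently absent from both the compliant and the non-compliant collections.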
Common tasks for creating and deploying configuration baselines with Configuration Manager
After a configuration baseline is created, you can deploy it to a collection so that devices in that collection download the configuration baseline and assess their compliance with it. Configuration baselines in Configuration Manager can contain specific revisions of configuration items or can be configured to always use the latest version of a configuration item.
For more information about configuration item revisions, see Management tasks for configuration data. Import configuration data from a file. For more information, see Import configuration data. Use the Create Configuration Baseline dialog box to create a new configuration baseline. To create a configuration baseline by using the Create Configuration Baseline dialog box, use the following procedure.
In the Create Configuration Baseline dialog box, enter a unique name and a description for the configuration baseline. You can use a maximum of characters for the name and characters for the description. The Configuration data list displays all configuration items or configuration baselines that are included in this configuration baseline.
Click Add to add a new configuration item or configuration baseline to the list. You can choose from the following items. Use the Change Purpose list to specify the behavior of a configuration item that you've selected in the Configuration data list. You can select from the following items. Required: The configuration baseline is evaluated as noncompliant if the configuration item isn't detected on a client device. If it's detected, it's evaluated for compliance. Optional: The configuration item is only evaluated for compliance if the application it references is found on client computers.
If the application is not found, the configuration baseline isn't marked as noncompliant (only applicable to application configuration items). Prohibited: The configuration baseline is evaluated as noncompliant if the configuration item is detected on client computers (only applicable to application configuration items). The Change Purpose list is available only if you clicked the option This configuration item contains application settings on the General page of the Create Configuration Item Wizard.
Use the Change Revision list to select a specific or the latest revision of the configuration item to assess for compliance on client devices, or select Always Use Latest to always use the latest revision. To remove a configuration item from the configuration baseline, select a configuration item, and then click Remove. Starting in version, select if you want to Always apply this baseline for co-managed clients.
When checked, this baseline will apply even on clients that are managed by Intune. This exception might be used to configure settings that are required by your organization but not yet available in Intune.
Optionally, click Categories to assign categories to the baseline for searching and filtering. Click OK to close the Create Configuration Baseline dialog box and create the configuration baseline. Modifying an existing baseline, such as setting Always apply this baseline for co-managed clients, will increment the baseline content version.
Clients will need to evaluate the new version to update the baseline reporting. Starting in version, you can add evaluation of custom configuration baselines as a compliance policy assessment rule.
When you create or edit a configuration baseline, you have an option to Evaluate this baseline as part of compliance policy assessment. When adding or editing a compliance policy rule, you have a condition called Include configured baselines in compliance policy assessment. For co-managed devices, and when you configure Intune to take Configuration Manager compliance assessment results as part of the overall compliance status, this information is sent to Azure AD.