Summary
Compliance Baseline Deployment for Internet Explorer File Version
Compliance Baseline Against a Registry Key
Auto Remediation of Non-Compliant Computers
Summary
SCCM can check whether a computer is compliant with a defined configuration: for example, whether a particular registry value exists, or whether antivirus software is installed. This is done with Configuration Items and Configuration Baselines.
A Configuration Baseline in SCCM is a collection of one or more conditional checks called Configuration Items. Each Configuration Item is evaluated on a defined schedule, and the result is reported back to the site for compliance reporting and auditing.
Compliance Baseline Deployment for Internet Explorer File Version
Suppose we want to check the version of Internet Explorer: if it is equal to or greater than a specific version, the computer is deemed compliant; otherwise it is non-compliant. In SCCM terms this is a Configuration Item with a File setting type pointing at iexplore.exe and a compliance rule on its file version, placed in a baseline that is deployed to a collection.
Once the deployment reaches the client, the SCCM client evaluates the baseline and reports the result to the site server.
Evaluation follows the client's policy polling interval and the deployment's evaluation schedule, so it can take some hours before the compliant and non-compliant counts appear under the baseline's deployment in the SCCM console.
To see the effect immediately, open the Configuration Manager control panel applet on the client and run the Machine Policy Retrieval & Evaluation Cycle action. On the Configurations tab you should then see that the baseline has arrived; select it and click Evaluate to evaluate it on this client now.
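The two steps just described, reproduced locally as an added example (this is not code from the original page): the same file-version comparison that a File setting type performs on iexplore.exe, so the rule can be tested on one machine before the baseline is built, and the client-side "run machine policy, then Evaluate" action driven through the SCCM client's WMI interface instead of the control panel applet. The function names and the minimum version are assumptions chosen for illustration; run it in an elevated PowerShell session on a machine that has the SCCM client installed.

```powershell
# Added example, not code from the original page. Function names and the
# minimum version below are assumptions for illustration.

# Reproduces the File setting type's version rule: compliant when the file
# exists and its version is greater than or equal to the minimum.
function Test-IeFileVersion {
    param(
        [version]$MinimumVersion = [version]'11.0.9600.0',               # assumed threshold
        [string]$Path = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # A missing file is reported as non-compliant rather than as an error,
        # which is how a "file must exist and meet version" rule treats it.
        return [pscustomobject]@{ Path = $Path; Version = $null; Compliant = $false; Reason = 'file not found' }
    }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Compare numerically: as text, "11.0.9600.19596" would sort below "11.0.9600.2".
    $ver = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                         $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path      = $Path
        Version   = $ver
        Compliant = ($ver -ge $MinimumVersion)
        Reason    = $(if ($ver -ge $MinimumVersion) { "meets minimum $MinimumVersion" } else { "below minimum $MinimumVersion" })
    }
}

# Schedule IDs of the client actions, as accepted by SMS_Client.TriggerSchedule.
$MachinePolicyRetrieval  = '{00000000-0000-0000-0000-000000000021}'
$MachinePolicyEvaluation = '{00000000-0000-0000-0000-000000000022}'

# Equivalent of the Machine Policy Retrieval & Evaluation Cycle action in the
# Configuration Manager control panel applet.
function Invoke-CmMachinePolicyRefresh {
    foreach ($id in $MachinePolicyRetrieval, $MachinePolicyEvaluation) {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client `
            -MethodName TriggerSchedule -Arguments @{ sScheduleID = $id } | Out-Null
    }
}

# Equivalent of selecting the baseline on the Configurations tab and clicking
# Evaluate. With no name given, every baseline assigned to the machine is evaluated.
function Invoke-CmBaselineEvaluation {
    param([string]$DisplayName)
    $baselines = Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration
    if ($DisplayName) { $baselines = $baselines | Where-Object DisplayName -eq $DisplayName }
    foreach ($b in $baselines) {
        Invoke-CimMethod -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration `
            -MethodName TriggerEvaluation -Arguments @{
                Name            = $b.Name
                Version         = $b.Version
                IsMachineTarget = $b.IsMachineTarget
                IsEnforced      = $b.IsEnforced    # keep the deployment's remediation setting
            } | Out-Null
    }
    # LastComplianceStatus: 1 = Compliant, 0 = Non-Compliant; other values mean
    # the evaluation is still pending or unknown, so re-query after a short wait.
    Start-Sleep -Seconds 15
    Get-CimInstance -Namespace 'root\ccm\dcm' -ClassName SMS_DesiredConfiguration |
        Select-Object DisplayName, Version, LastComplianceStatus, LastEvalTime
}

Test-IeFileVersion | Format-List
Invoke-CmMachinePolicyRefresh
Invoke-CmBaselineEvaluation | Format-Table -AutoSize
```

Running the first function on a few representative machines before deploying the baseline catches the common mistake of a threshold that no installed build actually meets, which would otherwise show up as ten thousand non-compliant computers in the console.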
Compliance Baseline Against a Registry Key
In the Configuration Item's settings, choose the Registry value setting type, enter the hive, key and value name, and then add a compliance rule for the value data you expect.
Scenario:
For example, you are asked to confirm whether a registry value is present on ten thousand computers. Checking each one by hand would take ages. Instead, we create the registry value setting in SCCM and deploy the baseline. The SCCM client that is already present on every computer evaluates the setting locally and reports whether the registry value is present. If it is present, the computer is reported as compliant; if not, as non-compliant.
Auto Remediation of Non-Compliant Computers
Steps, using a registry value Configuration Item as the example. Remediation is only offered for setting types that can write the desired state back, such as registry values and scripts; a file version rule like the Internet Explorer check above can report but not remediate. Remediation has to be switched on in all three places below, or the client will only report:
- In the Configuration Item settings, check "create the registry value as a REG_DWORD data type if remediated for noncompliant rules", so that the client creates the value automatically when it is missing.
- On the Compliance Rules page, edit the rule and check "remediate noncompliant rules when supported"; optionally also check "report noncompliance…" beneath it.
- Finally, when deploying the Configuration Baseline, check "remediate noncompliant rules when supported" on the deployment as well. You can also choose "allow the remediation outside the maintenance window" if the fix should not wait for the next window.
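The registry value check from the previous section and the remediation enabled by the three checkboxes above, shown together as an added example (not code from the original page). The built-in Registry value setting type performs this check and the fix without any script; the discovery/remediation pair below makes the same logic visible so it can be tested on one machine before the baseline goes to ten thousand. It also serves as a Script setting type if you prefer one: the discovery script outputs the Status string and the rule is "value returned equals Compliant", while the remediation script is the body of the repair function. Key path, value name and expected data are assumptions for illustration; writing under HKLM requires an elevated session.

```powershell
# Added example, not code from the original page. Key path, value name and
# expected data are assumptions for illustration.

$KeyPath   = 'HKLM:\SOFTWARE\Contoso\Hardening'   # assumed key
$ValueName = 'DisableLegacyFeature'               # assumed REG_DWORD value name
$Expected  = 1                                    # assumed required data

# Discovery: what the client does on each evaluation. Returns the status and
# the reason, so a non-compliant result is actionable in the report.
function Test-RegistryDwordCompliance {
    param([string]$Path, [string]$Name, [int]$ExpectedValue)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        return [pscustomobject]@{ Status = 'Non-Compliant'; Reason = 'key missing' }
    }
    if ($key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]@{ Status = 'Non-Compliant'; Reason = 'value missing' }
    }
    # Check the data type as well as the data: a REG_SZ "1" is not a REG_DWORD 1.
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return [pscustomobject]@{ Status = 'Non-Compliant'; Reason = "wrong type $kind" }
    }
    $actual = [int]$key.GetValue($Name)
    if ($actual -ne $ExpectedValue) {
        return [pscustomobject]@{ Status = 'Non-Compliant'; Reason = "data is $actual, expected $ExpectedValue" }
    }
    [pscustomobject]@{ Status = 'Compliant'; Reason = 'value present with expected data' }
}

# Remediation: what "remediate noncompliant rules when supported" makes the
# client do. -PropertyType DWord corresponds to the "create the registry value
# as a REG_DWORD data type if remediated" option; -Force overwrites wrong data
# or a wrong type instead of failing.
function Repair-RegistryDword {
    param([string]$Path, [string]$Name, [int]$ExpectedValue)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null          # creates intermediate keys too
    }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $ExpectedValue `
        -PropertyType DWord -Force | Out-Null
}

# Evaluate, remediate only if needed, then re-evaluate, which is the order the
# client follows when remediation is enabled on the rule and the deployment.
$before = Test-RegistryDwordCompliance -Path $KeyPath -Name $ValueName -ExpectedValue $Expected
Write-Output "Before: $($before.Status) ($($before.Reason))"
if ($before.Status -ne 'Compliant') {
    Repair-RegistryDword -Path $KeyPath -Name $ValueName -ExpectedValue $Expected
    $after = Test-RegistryDwordCompliance -Path $KeyPath -Name $ValueName -ExpectedValue $Expected
    Write-Output "After remediation: $($after.Status) ($($after.Reason))"
}
```

The type check matters in practice: a value that exists with the right number but as REG_SZ will pass a naive "value equals 1" comparison in a script while the software reading it expects a DWORD, so the discovery logic reports the type mismatch and the repair rewrites the value with the correct type.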
Scenario:
For example, you deploy a baseline to ten thousand computers and almost all of them are compliant, except a few. We do not have to log in to those few by hand. With remediation enabled, the moment the SCCM client on such a computer evaluates the baseline and finds the rule non-compliant, it applies the fix itself (here, creating the registry value with the required data) and re-evaluates, so the computer becomes compliant and reports as such. The remediation instruction is part of the baseline deployment policy the client already holds, so no per-computer action from the server is needed.
This is called auto remediation.