Santos Martinez aka ConfigNinja, is back with a tip which illustrates how you can use compliance items to monitor – and optionally enforce – defined registry values. In this case, LegalNoticeText.
Hello All! ConfigNinja here writing about Legal Notices.
Yeah, this Is the first window many of us see when try to log into our systems, but what if you need to ensure every machine is using the same message and it hasn’t been deleted by the local user? I know your first thought will be to use Group Policy, and I agree – however, there are times we need to monitor or remediate this type of situation, not just replace the setting.
If you are looking to deploy a legal notice using GPO, take a look at this article:
Let’s begin with our compliance setting approach. Since most of my time is spent with ConfigMgr, I was trying to find a good way to deploy this Legal Notice without having to create a script, or use any existing one. So I decided to create a Compliance Baseline to monitor a Compliance Item: this item will validate the use of the Legal Notice, and match an existing text.
To do this I went and created a Configuration Item.
In the ConfigMgr Console, click on the Assets and Compliance workspace.
In the Asset and Compliance Workspace, expand Compliance Setting.
Right click Compliance item and click Create Configuration Item.
Enter a name of the configuration item and description then click Next.
The next section of the wizard will be supported platforms, just click next on this part.
Once you are at the Settings section, click New and the following screen will show up:
While you are at this Create Setting dialog, click on Browse to find the registry entry we want to modify.
Browse to the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Select this registry value must satisfy the following rule if present and enter the notice information (I recommend you to copy and paste it from Notepad).
Follow the same process again, this time for
If you performed these steps correctly, you should then have 2 settings (making 4 compliance items) as part of the configuration item:
Select each item and click edit, to modify the setting and ensure this Configuration Item is not just to monitor but also to remediate.
Each item should look like the screen above and below.
Once you finish both settings from the Configuration Item, click Next to finish and complete the item.
The next step will be to create a configuration baseline and deploy it to the collections.
Once you create the baseline, ensure to select the configuration item created earlier.
When you are performing the deployment, ensure to select Remediate noncompliance rules when supported, and select the correct collection.
Log on to your test Machine and ensure the Compliance Baseline is there.
In this case is already there but haven’t check for compliance, just click Evaluate and wait.
If the Compliance State comes back as Non-Compliant, you have it set up to monitor only.
Once you change it to remediation you will see the following.
Next time you log in to the machine, you will see the Legal Notice at the log on process:
Since I know this process can be a little difficult, I have uploaded this baseline to Gallery, and you can download it by clicking on this link!
Enjoy, and thanks for reading!
If this helped you, please leave a comment.
Posted by Tristan Kington, MSPFE Editor and fan of System Centaur Convict Manager, aka Neighsayer.