Creating a Compliance Item, Baseline and Example

I’ve been working on a few requests related to Compliance Settings with some of my clients, and one of those was to create a Default IE Browser Compliance Baseline. Since this may be needed by some of you, I decided to provide an example on my blog. If you are trying to create a compliance item in a similar manner, or just creating one for the first time, you can use this example as a guide to create a compliance item that checks for a registry key. This key will be monitored as a Configuration Item; therefore, if the registry key is changed, we will use the remediation mechanism to fix it. Let’s start by creating a simple Configuration Item that will check for a specific registry key.

 

The Compliance Item

We must first create the configuration item in Configuration Manager. Once you create this item, you must specify the registry key.

For detailed steps on how to create this Configuration Item, go to the following article: https://technet.microsoft.com/en-us/library/gg712331.aspx

As you can see on my Configuration Item, I have 3 different registry keys that I look for.

To be more specific on the registry, take a closer look at the settings.

Here the hive is HKEY_CURRENT_USER, the key name is \Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice, and the value name is “ProgID”.

On my configuration item, if the registry key doesn’t match the following value, it will return non-compliance.

Let’s take a look at the compliance rule:

If the registry value is not equal to IE.FTP, then the target system will be non-compliant. Now we are ready to create a compliance baseline and remediate those machines that are non-compliant.

In a new example, we will be creating a configuration item, but instead of using a registry key let’s try to use a PowerShell script.


For this configuration item, we will be creating two types of scripts. The first script will be a discovery script and will check for a specific value. The second script will be a remediation script.
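The following pair of scripts is an added example, not the contents of the .cab files attached to this post. It assumes the script-based item checks the same ftp UserChoice value as the registry example above; the function names and the `NotSet` sentinel are hypothetical.

```powershell
# Added example (not from the post's .cab files).
# Assumption: the script setting checks the same value as the registry example.
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice'
$ValueName = 'ProgID'
$Expected  = 'IE.FTP'

# --- Discovery script ---
# Returns the current value as a string. The compliance rule then compares
# the returned string with IE.FTP. 'NotSet' is a hypothetical sentinel for a
# missing key or value, so the rule evaluates to non-compliant instead of the
# script failing.
function Get-FtpProgId {
    try {
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
        return [string]$item.$ValueName
    }
    catch {
        return 'NotSet'
    }
}

# --- Remediation script ---
# Creates the key if it is missing, then writes the expected value.
function Set-FtpProgId {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -Type String
}

# Discovery script: emit only the value, nothing else, on the output stream.
Get-FtpProgId

# Remediation script: paste the variables and Set-FtpProgId, and end with:
# Set-FtpProgId
```

Because the key lives under HKEY_CURRENT_USER, the script setting has to run with the logged-on user's credentials rather than as the local system account. Windows 8 and later also store a Hash value next to ProgId under UserChoice and can reset an association whose hash does not match, so test the remediation on your target OS version.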

Now that you have finished creating your Configuration Items, it’s time to create a Configuration Baseline. To do this, follow the instructions at this link: https://technet.microsoft.com/en-us/library/gg712268.aspx

I have attached a copy of both examples as .cab files, and you can import those .cab files into your ConfigMgr 2012 environment.

You can download these examples from the following link: https://gallery.technet.microsoft.com/Default-IE-Compliance-a2fd020f

Once downloaded, you can follow the steps at this link to import the Configuration Baseline into the system:

https://technet.microsoft.com/en-us/library/hh691016.aspx

This was more of a quick post, a reminder of how to use a Compliance Item and Baselines for a specific task.

Does this example work for you?

 

Santos Martinez - Premier Field Engineer – ConfigMgr and Databases
