Baselines and auto remediation SCCM2012

With Baselines in ConfigMgr 2012, you can check whether a client is compliant with the rules that you, the IT pro, set in your environment.
This could for instance be whether clients have the latest version of Java installed (I’m going to show how you can check for this later on).
You have multiple options for what you can check. It could be:

* Registry
* File check
* Active Directory Query
* SQL and WQL query
* Assembly
* Script (PowerShell, JScript and VBScript)

But not every option has the ability to auto-remediate (meaning that we can, for instance, run another script if a warning is issued).
There are other options as well: if we have configured a connection with SCSM, we can get it to automatically open an incident ticket to the helpdesk for further investigation.
More on that later.

Now a baseline in ConfigMgr consists of one or more Configuration Items (CIs). For instance, we can have a baseline that checks for multiple configurations.

* What version of antivirus is the computer running?
* Does the user have the latest update for Windows?
* Does the computer have the latest firmware installed?

All of these Configuration Items make up a baseline (let’s call it "corporate laptops").

I can start by showing an easy baseline which consists of 2 Configuration Items which check for
the version of Internet Explorer and whether the MP of the CCM agent is the right one. (If the values that ConfigMgr finds are not the same as the ones we define, it will throw an alert.)
You can find the Compliance Settings under the Assets and Compliance menu.



NOTE: The User Data and Profiles settings are new from SP1.

We start by right-clicking on Configuration Items and choosing create new.
Here we enter the necessary information.

Next we define which platform we want this CI to run on. (If you don’t want HUGE amounts of data which are not relevant, you should only pick those OSes which you need this running on.)

Click Next → here we define what we are actually looking for.

So from here we choose “New”. Now we are going to look for
Type = File, and from here we can browse on a regular desktop computer; in my case I am going to look on my SCCM server.

And here I choose that the file “iexplore.exe” must be file version = 10.00 to be compliant.
If we now press OK, we get back to the previous menu. So close this and go back to the ConfigMgr console since now we are going to create a new CI from scratch again.

Now we can add a new CI which does a registry check.

This checks the registry to see whether the client has configmgr.demo.local as its FSP.

Now that we are done creating the two CIs, we can save them, go back to the ConfigMgr console, and create a baseline.
We right-click on Baselines and choose create new.

From here, add the CIs we created earlier. We could also add multiple baselines; we could for instance have 3 baselines,
where 1 is for laptops, 1 is for security compliance, and 1 is for the CRM system version (which is going to be a baseline deployed to HR users who have laptops).
Now that we have added the CIs, press OK and go back to the console. Next we have to deploy this baseline to some clients.

Right-click on the baseline and press Deploy. From here we define whether we want the baseline deployed to users or computers and when we want it to be run.

We could also push this to SCOM if we wish to get some sort of message there.
So now, we just press OK. After the baseline is deployed, it might take some time before it appears on the clients. (You could force it by running a policy update on the clients.)
To view the baselines assigned to a client, open Control Panel and the Configuration Manager applet → Configurations.

Here we can see that the baseline is noncompliant, and we can view an HTML report to see why it is noncompliant.

Now what if we want an auto-remediate policy to trigger?
Instead of getting the alert and having the helpdesk follow up to fix it, we can have Configuration Manager fix it itself.

As I stated earlier, Configuration Manager can only remediate some CIs:

Remediate noncompliant rules when supported – Select this option if you want Configuration Manager to automatically remediate noncompliant rules. Configuration Manager can automatically remediate the following rule types:

* Registry value – The registry value is remediated if it is noncompliant, and created if it does not exist.
* Script (by automatically running a remediation script).
* WQL Query

Now we can alter the deployment, since in some cases we want the baselines to report if noncompliant and in some cases we want the same baselines to auto-remediate on specific clients.
So all we need to do is open the baseline deployment and alter this setting:

Remediate noncompliant rules when supported

In other cases where you cannot auto-remediate, for instance if you have a baseline that checks for Java versions, you can create a dynamic collection which installs the latest version of Java.
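The Java check mentioned above could be written as a discovery script for a Script-type CI. This is an added example, not from the original post: the minimum version is a constructed placeholder, matching Java by uninstall-entry name is an assumption, and it needs PowerShell 3.0 or later on the client.

```powershell
# Discovery script for a Script-type Configuration Item (added example).
# Assumptions: the Java runtime shows up as an uninstall entry named
# "Java <n> ..." or "Java(TM) <n> ..."; $MinimumVersion is a placeholder.
$MinimumVersion = [version]'8.0.0.0'   # placeholder, set to your required build

function Get-JavaInstall {
    # Read both registry views so 32-bit Java on 64-bit Windows is found too.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        # The pattern keeps runtime entries and skips "Java Auto Updater".
        Where-Object { $_.DisplayName -match '^Java(\(TM\))? \d' -and $_.DisplayVersion } |
        ForEach-Object {
            $parsed = $null
            # Ignore entries whose DisplayVersion is not a dotted version string.
            if ([version]::TryParse($_.DisplayVersion, [ref]$parsed)) {
                [pscustomobject]@{ Name = $_.DisplayName; Version = $parsed }
            }
        }
}

function Test-JavaCompliance {
    param([object[]]$Installs, [version]$Minimum)
    if (-not $Installs) { return 'NotInstalled' }
    # An outdated copy left beside a current one still counts as noncompliant.
    $old = @($Installs | Where-Object { $_.Version -lt $Minimum })
    if ($old.Count -gt 0) { return 'NonCompliant' }
    return 'Compliant'
}

# The CI compliance rule compares this single output string with 'Compliant'.
Test-JavaCompliance -Installs @(Get-JavaInstall) -Minimum $MinimumVersion
```

Clients that return 'NonCompliant' are the ones a dynamic collection for the Java deployment would need to pick up.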
