SCCM 2012 Compliance Settings

If you have worked with SCCM 2007, what Configuration Manager 2007 called desired configuration management is now called Compliance Settings in System Center 2012 Configuration Manager. SCCM 2012 Compliance Settings contains tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Configuration item settings of the type Windows Management Instrumentation (WMI), registry and script, and all mobile device settings in Configuration Manager, let you automatically remediate noncompliant settings when they are found.

Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to evaluate, together with the settings and rules that describe the level of compliance you require. You can download this configuration data from the web as Microsoft System Center Configuration Manager Configuration Packs, which contain best practices defined by Microsoft and other vendors, and then import it into Configuration Manager. An administrator can also create new configuration items and configuration baselines. After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them.

Configuration items: A collection of settings, values, and criteria that defines what is compared, checked, or evaluated on a target system.

Configuration baselines: A grouping of multiple configuration items. Configuration items must be part of a configuration baseline to be assigned for evaluation on a collection of systems.

Prerequisites for Compliance Settings in Configuration Manager

1) Clients must be enabled and configured for compliance evaluation. To enable it, in the CM console click Administration, Client Settings. Right-click Custom Client Device Settings, select Properties and choose Compliance Settings.

Note: If you want to enable compliance on all the devices, select Default Client Settings instead. In this example I have created Custom Client Device Settings, in which Compliance Settings is selected and set to True.

SCCM 2012 Compliance Settings Snap 1

In the left pane, select Compliance Settings and under Device Settings set Enable compliance evaluation on clients to True.

SCCM 2012 Compliance Settings Snap 2

2) The Reporting services point site system role must be installed and configured. To install it, click Administration, Site Configuration, Sites, Add Site System Roles, and choose Reporting services point.

SCCM 2012 Compliance Settings Snap 3

As an example we will download a configuration pack from one of the vendors, import it into our Configuration Manager, deploy the configuration baseline to a collection and test the compliance. In this example we will download the Configuration Pack for System Center 2012 Configuration Manager here. This Configuration Pack contains configuration items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. It monitors the following site system roles: management points, site server, and software update points.

After you download the configuration pack, install the MSI file on the SCCM machine and note the path where the files are installed.

SCCM 2012 Compliance Settings Snap 4

SCCM 2012 Compliance Settings Snap 5

In the CM console, under Assets and Compliance, Compliance Settings, right-click Configuration Baselines and select Import Configuration Data.

SCCM 2012 Compliance Settings Snap 6

Click on Add.

SCCM 2012 Compliance Settings Snap 7

Browse to the path where the configuration pack was installed, select the Configuration Manager config pack (.cab file) and click Open. On the next screen click Next.

SCCM 2012 Compliance Settings Snap 8

Click Close.

SCCM 2012 Compliance Settings Snap 9

Once you have imported the config pack, click Configuration Items. We see that there are four configuration items. Right-click one of them and click Properties.

SCCM 2012 Compliance Settings Snap 10

Every configuration item has these properties. This configuration item evaluates the configuration of the CM 2012 management point role against Microsoft's recommended best practices.

SCCM 2012 Compliance Settings Snap 11

In the next tab, Settings, there are a few scripts that are executed to test the management point against Microsoft best practices.

SCCM 2012 Compliance Settings Snap 12

To deploy this configuration baseline, right-click the configuration baseline and click Deploy.

SCCM 2012 Compliance Settings Snap 13

Select Remediate noncompliant rules when supported and Allow remediation outside the maintenance window. Choose the collection by clicking Browse. In this example I have created a device collection called SCCM Server, and my SCCM server is added to it. Click Customize and set the schedule of your choice.

SCCM 2012 Compliance Settings Snap 14

We see the change now: the configuration baseline has been deployed to a collection. After a few minutes we see that under Noncompliance Count the value has changed from 0 to 1. Let's find out the reason.

SCCM 2012 Compliance Settings Snap 15

On the SCCM machine, open Control Panel, Configuration Manager, Configurations. We see a baseline listed there; this is the same configuration baseline that we deployed in the steps above. Click Evaluate and then View Report.

SCCM 2012 Compliance Settings Snap 16

Out of the 4 configuration items, one item has reported that our SCCM server is noncompliant.

SCCM 2012 Compliance Settings Snap 17

Let's see exactly why it is noncompliant. Under Non-Compliant rules we see the rule BGB firewall port for Management point is open. As per the script, the warning is generated if the BGB port is found closed on the MP. The rest of the configuration items report that our server is compliant.

What is BGB (Big Green Button)? A way for administrators to push out urgent actions across a large number of clients, for instance to combat a particular infection through a quick or full scan.

SCCM 2012 Compliance Settings Snap 18

Right-click the configuration item Microsoft System Center 2012 Configuration Manager Management Point, select Properties, choose Compliance Rules, select BGB firewall port and click Edit.

SCCM 2012 Compliance Settings Snap 19

The setting defined here checks whether the BGB port is open on the firewall. If it is not open, a Warning is generated.
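The BGB check is a script setting, whose value is whatever the discovery script writes to its output. As an added example (not the Configuration Pack's own script), here is a discovery/remediation pair in the same style that reports whether an inbound TCP port is allowed by an enabled Windows Firewall rule; it assumes 10123 as a placeholder for the management point's BGB port and the NetSecurity cmdlets of Windows Server 2012 or later.

```powershell
# Added example, not the Configuration Pack's script.
# ---------- Discovery script ----------
# The compliance rule compares what this script writes to output
# ('Open' / 'Closed') with the expected value, using Equals or Not equal to.
$Port = 10123   # placeholder for the management point's BGB port

function Test-InboundPortAllowed {
    param([int]$Port)
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        # Only TCP (or protocol-agnostic) rules can open a TCP port.
        if ($filter.Protocol -ne 'TCP' -and $filter.Protocol -ne 'Any') { continue }
        # LocalPort is 'Any', one port, a range "a-b", or an array of those.
        foreach ($lp in @($filter.LocalPort)) {
            if ($lp -eq 'Any' -or $lp -eq "$Port") { return $true }
            if ($lp -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) { return $true }
        }
    }
    return $false
}

if (Test-InboundPortAllowed -Port $Port) { Write-Output 'Open' } else { Write-Output 'Closed' }

# ---------- Remediation script (runs only when the rule is noncompliant) ----------
# Each script runs on its own, so the placeholder port is declared again.
$Port = 10123
$name = "ConfigMgr BGB port $Port"
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    # Scoped to the Domain profile so the port is not exposed on public networks.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Allow -Profile Domain | Out-Null
}
```

Paste the two halves into the Discovery script and Remediation script boxes of the script setting respectively; a rule of "Open" Equals the returned value reproduces the pack's warning, and flipping it to Not equal to reproduces the change made later in this post.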

SCCM 2012 Compliance Settings Snap 20

In the next step we will modify the compliance rule for the BGB firewall port. As per the compliance conditions, the BGB firewall port should be open on the management point. In this lab we don't need the BGB port to be open, so we will change the operator applied to the value returned by the script from Equals to Not equal to. This means a warning is not generated if the BGB port is closed on the management point.

SCCM 2012 Compliance Settings Snap 21

After a few minutes we evaluate and run the compliance report on the SCCM server again, and we see that our SCCM server is fully compliant with Microsoft's recommended best practices.

SCCM 2012 Compliance Settings Snap 22

In the CM console the Compliance Count value has changed from 0 to 1.
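The same procedure (enable compliance evaluation in the client settings, create a script-based configuration item with a value rule, group it in a baseline and deploy the baseline with remediation and a schedule) can be scripted with the ConfigurationManager PowerShell module; this is an added example, not the post's own steps. It assumes a placeholder site code P01, the Custom Client Device Settings and SCCM Server collection from the post, discovery and remediation script files under C:\CI\, and cmdlet parameter names as documented for the module, which you should verify with Get-Help on your site's version.

```powershell
# Added example: the console procedure done with the ConfigurationManager module.
# Placeholders: site code P01, script files under C:\CI\. Verify parameter
# names with Get-Help on your module version before running.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'P01:'                       # placeholder site code

# Prerequisite 1: clients must be enabled for compliance evaluation.
Set-CMClientSettingComplianceSetting -Name 'Custom Client Device Settings' `
    -EnableComplianceEvaluation $true

# Configuration item of the Windows OS type, like the ones in the imported pack.
$ci = New-CMConfigurationItem -Name 'MP BGB firewall port' `
    -Description 'Checks that the BGB port is allowed through the firewall' `
    -CreationType WindowsOS

# Script setting: discovery writes 'Open' or 'Closed'; the value rule compares
# that output. IsEquals 'Open' warns when the port is closed (the pack's intent);
# NotEquals is the operator flip the post performs for the lab.
Add-CMComplianceSettingScript -InputObject $ci -Name 'BGB port open' `
    -DataType String `
    -DiscoveryScriptLanguage PowerShell -DiscoveryScriptFile 'C:\CI\Get-BgbPort.ps1' `
    -RemediationScriptLanguage PowerShell -RemediationScriptFile 'C:\CI\Set-BgbPort.ps1' `
    -ValueRule -RuleName 'BGB firewall port' -ExpectedValue 'Open' `
    -ExpressionOperator IsEquals -NoncomplianceSeverity Warning -Remediate

# Baseline grouping the CI (a CI must be in a baseline to be deployed).
$baseline = New-CMBaseline -Name 'ConfigMgr site roles (example)' `
    -Description 'Added example baseline'
Set-CMBaseline -InputObject $baseline -AddOSConfigurationItem $ci.CI_ID

# Deploy to the collection: "Remediate noncompliant rules when supported",
# "Allow remediation outside the maintenance window", evaluate once a day.
New-CMBaselineDeployment -InputObject $baseline -CollectionName 'SCCM Server' `
    -EnableEnforcement $true -OverrideServiceWindow $true `
    -Schedule (New-CMSchedule -RecurInterval Days -RecurCount 1)
```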

SCCM 2012 Compliance Settings Snap 23

30 Comments

  1. I used some of the applications for one day, that is today; when I restart the system it comes back to the normal state. Is there any feature in SCCM for this?

  2. Can you use compliance report to auto install a software package for a application. We have some default apps that need to be on the system and I am checking if there is a way to auto install application if it is missing.

  3. Prajwal,

    I wanted to start by telling you that you are a life saver for admins and engineers the world over.

    Now for my question. I have several compliance baselines running, each with several configuration items included. I work with a hierarchical domain, but in the deployment reports, domain is not an option to display, and we have devices with the same names in different domains due to a legacy software that requires this. I created a device collection from the non-compliant devices in one of the configuration baseline deployments, but SCCM does not show me which configuration item is the cause of the non-compliance. I have added the "compliance error details" column to the collection view, but it is blank. Do you have any pointers that I may want to try to resolve this?

    Thanks in advance!

  4. Hi,
    I read that sccm adds by design a 2 hours random delay for the baseline evaluation schedule on clients. I can’t find any Microsoft document telling that, but I definitely witnessed this behavior. Do you have any official link where I can confirm this information ?

  5. Manjunath says:

    Hello Prajwal
    good morning .
    Could you please tell me why the % compliance rate increases and comes down suddenly in SCCM for collections?

  6. Hi Prajwal/All,

    Can someone help me with Client Compliance Evaluation? I am not seeing the Configurations tab and the Compliance Policy tab (in the Configuration Items page) on Windows Server (client machine). Is there anything I missed enabling?

  7. Matthew Brahm says:

    Good morning Prajwal,

    Great informative post as always. One thing that I am scratching my head about and having trouble finding online is this – where do you look to find out why your remediation script isn’t working? I have successfully created a configuration Item/Baseline for computers without BitLocker enabled, and I have a quick PowerShell remediation script to turn on Bitlocker if it isn’t. It is reporting back the proper Compliance State but is not remediating non-compliant devices. Thanks in advance for your help!

  8. Deepak Rai says:

    This is a very useful post. Please let me know where I can get it for CB 1806.

  9. Anil Kushwaha says:

    Hi Prajawal,
    Could you plz guide me: can we create a Configuration Item (CI) with more than one setting? For example, I want my Configuration Item to read 3 registry keys, so do I have to create one CI or 3 CIs?

    1. Adam Gloyd says:

      You can really do either. You can do one CI for each registry key, but it’s probably simpler to do a single CI with multiple settings. Each registry key would have a setting and a compliance rule with the CI.

  10. Such a wonderful post, Thanks for sharing

  11. I have a problem at evaluation stage, it keeps returning an error when I try to return an exit “0” signal to trigger remediation.

    Is there something silly which I am doing? Or should this not be done through Compliance?

    I’m trying to disable NetBIOS and need to do this over SCCM to multiple clients.

    I have the following in place (and they work when run locally)

    Discovery Script

    $adapter = (Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true })
    # Test each IP-enabled adapter ($nic), not the whole collection; exit 1 on the first one still allowing NetBIOS
    foreach ($nic in $adapter) { if ($nic.TcpipNetbiosOptions -ne 2) { [System.Environment]::Exit(1) } }
    [System.Environment]::Exit(0)

    Remediation script

    $adapter = (Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true })
    foreach ($nic in $adapter) {
        # SetTcpipNetbios(2) disables NetBIOS over TCP/IP on this adapter
        $nic.SetTcpipNetbios(2) | Out-Null
    }

    So running the script works on each machine locally and, if already compliant, SCCM is giving correct response

    BUT

    If the registry value returns as $adapter.TcpIPNetBiosOptions -ne "2" then the configuration compliance shows "error" when evaluated in Configuration Manager and the remediation does not trigger automatically. If I run the script myself then the configuration returns as compliant.

    I see the following error being reported

    Setting Discovery Error 0x80070001 Incorrect function. Windows

    PS great how to documents here and on TechNet

  12. On Server 2016 and SCCM CB "1706" I get a Microsoft.updateservices.admindataaccessproxy.dll existence check and microsoft.updateservices.baseapi.dll existence check failure.

    Is that normal?

  13. Pedro Roeseler says:

    Hi Prajwal. Great post!

    Is there a pack for the latest version of SCCM? I’ve been searching but only found this pack and I’m not sure if it’s compatible with the latest version…

    cheers,
    pedro

    1. Deepak Rai says:

      I am unable to attach the link for you. Yes, there is one for all CB versions.
      If you notice, even I had the same question and got it from the SCCM community.

  14. Barberouss says:

    Hello Prajwal,

    Please, I have a question: do we always have to click Evaluate in
    Configuration Manager to execute a PowerShell script?
    I have a PS script to install a network printer as default, run via compliance in SCCM 2012, but it is not deployed on the client side (laptops); I have to go to Configuration Manager and click Evaluate to install the printer.
    Thank you so much.
    Regards

    F

  15. Can’t find an updated pack for R2. Does anyone know if this baseline is this still valid for SCCM 2012 R2?

    1. No, it may not work for SCCM 2012 R2. I haven’t found any packs for SCCM 2012 R2.

  16. Martin Dufresne says:

    Nice article again Prajwal, configuration baseline is a powerful tool that people often discard but it is helpful in so many ways. Thanks again!

  17. Joshua Delaughter says:

    I know this is an old post, but the link to the pack is no longer valid. Do you have another source that it’s available at?

    1. @Joshua – Thanks for pointing that out. You can download the SCCM 2012 configuration pack

  18. which log file do I refer if configuration items are not downloading in one of my servers? (sorry a newbie)

    1. You can check DCMAgent.log which records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.

      Some more log files –

      CIAgent.log – Records details about the process of remediation and compliance for compliance settings, software updates, and application management.

      CITaskManager.log – Records information about configuration item task scheduling.

      DCMReporting.log – Records information about reporting policy platform results into state messages for configuration items.

      DcmWmiProvider.log – Records information about reading configuration item synclets from Windows Management Instrumentation (WMI).

  19. Meganathan Kumar says:

    Hi Prajwal,

    Can you please add my e-mail ID to subscribers list?

    Thanks in advance!

  20. Hanumantharaju SP says:

    Thanks for your posts. Can you add me to your distribution list?

  21. Jayavel.G says:

    Hi bro,

    Can you please explain to me why on some of the machines the components are installed but not enabled?
