Configuring Compliance in ConfigMgr 2012

One of the new features of ConfigMgr 2012 is the ability to auto remediate a computer’s baseline that does not match a desired configuration. I have listed the steps to configure auto remediation and apply the baseline to a collection. This functionality is very useful to maintain "Gold Build" configurations, (local security policies, registry keys and installed programs) and to correct any drifting of your production computer baselines. After the Compliance task runs there are several ConfigMgr 2012 reports that can be run to demonstrate the changes that were made to the baseline of the target computer.

 

1. Launch ConfigMgr 2012 > Click on Assets and Compliance in the WonderBar

    

   

    

2. Right Click Configuration Items > Create Configuration Item

   

    

3. Enter the name for this Configuration Item. In this case we want to check on the Windows Firewall setting registry key > Click Next

    

   

    

4. Select the version of Windows you want this Configuration Item to be applied to > Click Next

1. On the Specify settings for this operating system page > Click New

    

   

    

2. Enter the name for this setting

   

   1. Setting type Registry
   2. Data type integer
   3. Hive HKEY_LOCAL_MACHINE > Click Browse
3. Browse the Windows Registry to the key that must exist for this Compliance Setting

    

   

    

   1. Highlight the Registry key in the Name field
   2. Check the "Select the rule that defies compliance for the selected registry value" checkbox
   3. Select "The selected registry value must exist on client devices" radio button
   4. Check the "This registry value must satisfy the following rule if present" checkbox > Click OK > Click OK

   

4. Click Next

   

    

5. Highlight the setting condition > Click Edit

   

    

   1. Check Remediate noncompliant rules when supported
   2. Check Report noncompliance if this setting is not found
   3. Click OK > Click Next
6. Review the Summary Page > Click Next

   

    

7. Click Close
8. Add the Configuration Item to a Configuration Baseline > Right Click Configuration Baselines > Select Create Configuration Baseline

 

1. Type the name for the Configuration Baseline > Click Add Configuration Item

   

    

    

    

2. Select the Configuration Item > Click Add >Click OK

   

    

3. Click OK

   

    

4. Right Click the Configuration Baseline > Deploy

    

   

    

    

5. Add the Configuration Baseline

   

    

   1. Select the Remediate noncompliant rules when supported
   2. Select Generate Alert
   3. Click Browse to Select the Collection you want this Baseline applied to
   4. Configure the schedule to suit your environments needs

   

   1. Click OK
   2. Click OK

"The postings on this site are my own and don’t necessarily represent Microsoft’s or my employer’s positions, strategies or opinions"