SCCM has a great Compliance feature, formerly known as DCM (Desired Configuration Management), which can be used to ensure computers meet a defined baseline of configuration.  What's even better is that it can auto-remediate any drift from the baseline, which makes it very powerful.

I've recently had the need to implement a number of baselines containing configuration items that needed to auto-remediate, and I found it wasn't quite as intuitive as simply implementing a basic configuration check.  It wasn't complicated either once I had figured out how it works, so I thought I would share what I found.

I will provide a working example in this post in which the power configuration of a computer is checked and, if it is not set to High Performance, a remediation is performed to set it to High Performance.

To create the Configuration Item that will perform the check, open the SCCM console and select Configuration Items under Compliance Settings, within the Assets and Compliance section.  Select Create Configuration Item from the ribbon and provide the general details.

[Screenshot: ComplianceGeneral]

Select the versions of Windows that will assess this configuration item.  In my example, I'm only using Windows Server 2012 R2.

[Screenshot: ComplianceWinVersion]

On the Settings page, click New to create a new setting.  Provide a name and description for the new setting, and select a Setting type of Script and a Data type of String.  I'm using a string data type because I will be returning a string from the script, but a different type can be selected, such as Integer or Boolean, if required; the data type must match what the script actually writes, or the compliance rule will not evaluate as expected.

[Screenshot: ComplianceSetting]


Now the discovery script is required to assess the configuration.  Select Add Script, and an Edit Discovery Script window will open in which three different script languages are available:

  • Windows PowerShell
  • JScript
  • VBScript

For this configuration item, I will be using a Windows PowerShell script, which can be entered into the script field within the Edit Discovery Script window.

[Screenshot: ComplianceScript]

The script simply uses POWERCFG to check whether High Performance is the active plan; if it is, it writes an output of Compliant, and if not it writes an output of NonCompliant.  It is important that Write-Output is used to return this data, as SCCM reads what the script writes to standard output and assesses the compliance rule against it (Write-Host, for example, would not be captured).  Note also that the .NET contains() method is case-sensitive and that the plan name is localized, so the match on "High performance" only works on English installations of Windows.

# Find the GUID of the built-in High performance plan from the list of schemes
$highPerformance = powercfg -l | ForEach-Object { if ($_.contains("High performance")) { $_.split()[3] } }
# GUID of the currently active plan
$currentPlan = $(powercfg -getactivescheme).split()[3]
if ($currentPlan -ne $highPerformance) {
    Write-Output "NonCompliant"
}
else {
    Write-Output "Compliant"
}

After the discovery script has been added, the remediation script needs to be added.  When Add Script is selected, the Edit Remediation Script window will open, which is the same as the Edit Discovery Script window with the same options.  Select the script language of Windows PowerShell and provide the remediation script.  Bear in mind that both scripts run under the local SYSTEM account on every targeted computer unless "Run scripts by using the logged on user credentials" is selected on the setting, so whoever can edit this configuration item can run code as SYSTEM on every machine the baseline is deployed to; also, if the client setting for the PowerShell execution policy is All Signed, the scripts must be signed or they will not run.

[Screenshot: ComplianceRemediation]

This script takes the output of the discovery script, which SCCM passes to the remediation script as its parameter, verifies it has a value of NonCompliant, sets the power configuration to High Performance, and then writes Compliant or NonCompliant just as the discovery script does, so SCCM knows whether the computer is now compliant.

I also added a line to create an event in the Application log of the computer stating that remediation has been performed.  The reason for this is that I can collect and/or monitor these events using SCOM, so people can be notified of a remediation or simply report on it.

# SCCM passes the value written by the discovery script as the parameter
param($out)
if ($out -eq "NonCompliant") {
    $highPerformance = powercfg -l | ForEach-Object { if ($_.contains("High performance")) { $_.split()[3] } }
    $currentPlan = $(powercfg -getactivescheme).split()[3]
    if ($currentPlan -ne $highPerformance) { powercfg -setactive $highPerformance }
    # New-EventLog errors if the source is already registered, so only register it on the first run
    $source = "CompliancePowerCfgRemediation"
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EntryType Information -EventID 501 -Message "PowerCfg corrected by Auto-Remediation"
    # Re-check and report the post-remediation state back to SCCM
    $currentPlan = $(powercfg -getactivescheme).split()[3]
    if ($currentPlan -ne $highPerformance) {
        Write-Output "NonCompliant"
    }
    else {
        Write-Output "Compliant"
    }
}
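As an added example, not code from the original post, here is a locale-independent rewrite of the discovery and remediation pair above, together with a small harness that drives them the way the SCCM client does: run discovery, hand its output to remediation as the parameter, and read back what remediation writes.  This lets the scripts be exercised on a workstation before they go into a baseline.  It assumes powercfg.exe is present, that the GUID used is the built-in High performance scheme (powercfg's SCHEME_MIN alias), that the event source and event ID 501 are the ones used in the post, and that the harness is run elevated when -Remediate is used, since switching plans and writing to the Application log require it.

```powershell
# Added example (not from the original post). Discovery and remediation are kept as
# self-contained script blocks so each can be pasted into its SCCM window unchanged.

# Discovery: compares the active scheme GUID with the built-in High performance GUID.
# The GUID is pulled with a regex, so the plan's (localized) display name never matters.
$Discovery = {
    $target = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'   # High performance (SCHEME_MIN), assumption: built-in plan unchanged
    $text = @(powercfg /getactivescheme) -join ' '
    if ($text -match '([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})') {
        $active = $Matches[1]
    } else {
        throw "Unexpected powercfg output: $text"
    }
    if ($active -eq $target) { Write-Output 'Compliant' } else { Write-Output 'NonCompliant' }
}

# Remediation: SCCM passes the discovery output as $out. Writes the post-remediation
# state, which is what the compliance rule evaluates.
$Remediation = {
    param($out)
    $target = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'
    $source = 'CompliancePowerCfgRemediation'       # event source from the post
    if ($out -ne 'NonCompliant') { Write-Output $out; return }

    powercfg /setactive $target | Out-Null

    # New-EventLog throws if the source is already registered, so guard it.
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EntryType Information -EventId 501 `
        -Message 'PowerCfg corrected by Auto-Remediation'

    $text = @(powercfg /getactivescheme) -join ' '
    if ($text -match '([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})' -and $Matches[1] -eq $target) {
        Write-Output 'Compliant'
    } else {
        Write-Output 'NonCompliant'
    }
}

# Local stand-in for the client's evaluation loop (hypothetical helper, not an SCCM cmdlet).
function Invoke-ComplianceCycle {
    [CmdletBinding()]
    param([switch]$Remediate)   # without -Remediate this only reports, like a rule with remediation unchecked
    $state = & $Discovery
    Write-Verbose "Discovery returned: $state"
    if ($state -eq 'NonCompliant' -and $Remediate) {
        $state = & $Remediation -out $state     # same hand-off SCCM performs
        Write-Verbose "Remediation returned: $state"
    }
    # Mirror the compliance rule "value returned by the script equals Compliant"
    [pscustomobject]@{ Value = $state; RuleSatisfied = ($state -eq 'Compliant') }
}

Invoke-ComplianceCycle -Verbose               # report only
# Invoke-ComplianceCycle -Remediate -Verbose  # switch the plan and log event 501 (elevated)
```

Running the harness without -Remediate is safe on any machine and shows exactly what the rule would see; switching to the GUID comparison also removes the dependency on the English plan name that the split()-based version has.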

Once the remediation script has been added, the script status for both should read "Windows PowerShell is created".

[Screenshot: ComplianceCreated]

With the discovery and remediation scripts configured, select the Compliance Rules tab to define how SCCM decides whether the setting is compliant.  Select New to create the rule, specify a name and description, and ensure Value is selected as the Rule type.  Then set the rule to "The value returned by the specified script: Equals the following values: Compliant", and check the "Run the specified remediation script when this setting is noncompliant" option.  Finally, set a severity for non-compliance, and the rule is complete!

[Screenshot: ComplianceRule]

Apply can now be selected on the Create Setting window, and the Create Configuration Item wizard can be finished.

[Screenshot: ComplianceFinished]


With the Configuration Item completed, it can be added to a baseline, which can then be deployed to a collection.  Details on creating a baseline can be found here, http://technet.microsoft.com/en-gb/library/gg712268.aspx.

After a baseline containing the configuration item is deployed, the computers will have their configuration assessed and updated as necessary, and the Compliance reports within SCCM can be used to check what is compliant and what's not!  If a computer reports an error rather than a compliance state, the client-side CIAgent.log and DCMAgent.log are the first place to look for script failures.

Enjoy!

David