If you are new to ConfigMgr you might be fooled into thinking that the product is used only for the deployment of operating systems and applications. While the product's primary function is deployment and update based, there are features under the hood which provide functionality that some might think is only available in the likes of System Center Operations Manager.
The truth is that ConfigMgr can undertake various monitoring and remediation actions, automating many aspects of your IT infrastructure. So let's take a look at the role of the Configuration Baseline.
What is a Configuration Baseline?
A Configuration Baseline in ConfigMgr is a collection of one or more conditional checks called Configuration Items. Each of these configuration items is evaluated on a defined schedule for the purposes of compliance reporting and auditing.
For the remainder of this post I will refer to Configuration Items as CIs and Configuration Baselines as CBs.
The individual CIs contained within a CB can be any combination of the following types, though more often than not these days a PowerShell script is used because of its flexibility.
Active Directory | Script
Assembly         | SQL Query
File System      | WQL Query
IIS Metabase     | XPath Query
Registry Key     |
Once the CB has been evaluated you have the option of automatically running the remediation tasks defined within each of the contained CIs in order to achieve the desired state and compliance level. As a CB can contain more than a single CI, a number of remediation tasks may take place where the client falls outside of compliance.
The scope of what you can monitor and remediate is far-ranging; if you consider the range of possible values returned by one or more of the above methods, you will understand the power of this feature.
Implementing Configuration Baselines
Implementing CBs is a straightforward process, especially if you are using CIs based on non-script checks; otherwise some understanding of scripting (PowerShell, T-SQL etc.) is required. For the purpose of this post we are going to take the example of implementing a script-driven client cache folder CB.
Like many other ConfigMgr admins, you have probably experienced client cache directories being too full to accommodate the new package you have just pushed, so you will appreciate that having an automatic means of purging items from the cache is an invaluable piece of automation.
Prerequisites
So before we look at implementing a configuration baseline we must ensure that clients have the prerequisite client settings enabled (covered below). For reporting, the Reporting Services Point role must also be installed; I am going to assume you have this role installed already, as reporting is a core requirement in the majority of installations.
Client Settings
In order for your clients to run your compliance baselines you will need to enable the compliance evaluation feature.
To do so simply edit your client settings by going to Administration – Client Settings within the console, selecting your deployed client settings and viewing its Properties.
With the settings properties window open, click on Compliance Settings and enable the “Enable compliance evaluation on clients” setting as per the below screenshot;
Configuration Items
The first step in implementing a CB is to create the individual CIs that evaluate set conditions and apply remediation steps where required. In this post we will focus on a high-level overview of the feature; step-by-step guides on how to create CIs are contained in some of our other blog posts, listed in the “Examples” section of this post.
As you will see from the below screenshots, the method we are using in our cache cleaner example is “script”. In fact the majority of CIs you will see posted online by members of the community use the script option, as it provides the most flexibility, allowing for combined evaluation methods within a single CI.
The PowerShell script used in this CI returns a numerical (integer) value: the number of items stored within the client cache folder which are more than 14 days old. For compliance purposes we would like this value to be “zero”, and if this is not the case a set of remediation actions is put in place to ensure that the device is compliant, helping to ensure that your clients have room for new packages.
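The post does not show the detection side of this CI, so the following is an added example (not the author's script) of a discovery script that fits the description above: it emits a single integer, the count of client cache elements older than the retention period, so the CI can use the Integer data type with a compliance rule of "value equals 0". The retention period is held in $MaxRetention (an assumed variable name, set to 14 days to match the post); UIResource.UIResourceMgr is the ConfigMgr client COM object that exposes the cache.

```powershell
# Added example: CI discovery script for the client cache CB.
# Outputs exactly one integer: the number of cache elements older than $MaxRetention days.
$MaxRetention = 14   # days; assumed value matching the 14-day retention in the post

try {
    # Client-side COM object that exposes the ConfigMgr client cache
    $SCCMClient = New-Object -ComObject 'UIResource.UIResourceMgr'
    $CacheInfo  = $SCCMClient.GetCacheInfo()
    $Cutoff     = (Get-Date).AddDays(-$MaxRetention)

    # Only count elements whose folder still exists on disk; the @() wrapper keeps
    # .Count valid when zero or one element matches.
    $Stale = @($CacheInfo.GetCacheElements() | Where-Object {
        ($_.LastReferenceTime -lt $Cutoff) -and (Test-Path -Path $_.Location)
    })

    # Exactly one value must reach the output stream: the compliance rule compares
    # the script's whole output, so any extra Write-Output line breaks the comparison.
    Write-Output $Stale.Count
}
catch {
    # If the client object cannot be reached, report a value that fails the
    # "equals 0" rule so the failure is visible in the compliance report instead
    # of being recorded as compliant.
    Write-Output -1
}
```

The script runs under the client's local SYSTEM account, and the Computer Agent client setting “PowerShell execution policy” governs whether an unsigned discovery script is allowed to run; where that setting is All Signed, sign the script before adding it to the CI.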
Remediation Action
The remediation process contains an action to run in the event of the client falling outside of compliance. In this example, the process is basically the same as the detection script with the addition of lines of code to purge the unwanted content from the client cache directory;

# $SCCMClient, $PendingApps, $MaxRetention and $SCCMCacheDir are set in the detection
# portion of the script (not shown here); $PendingApps is assumed to hold content that
# is still awaiting installation so that it is never purged.

# Create List Of Applications To Purge From Cache
$PurgeApps = $SCCMClient.GetCacheInfo().GetCacheElements() | Where-Object {
    ($_.ContentID -notin $PendingApps.PackageID) -and
    (Test-Path -Path $_.Location) -and
    ($_.LastReferenceTime -lt (Get-Date).AddDays(-$MaxRetention))
}

# Purge Apps No Longer Required
foreach ($App in $PurgeApps) {
    $SCCMClient.GetCacheInfo().DeleteCacheElement($App.CacheElementID)
}

# Clean Up Misc Directories (folders in the cache path with no matching cache element)
$ActiveDirs = $SCCMClient.GetCacheInfo().GetCacheElements() | ForEach-Object { $_.Location }
Get-ChildItem -Path $SCCMCacheDir | Where-Object {
    ($_.PsIsContainer -eq $true) -and ($_.FullName -notin $ActiveDirs)
} | Remove-Item -Recurse -Force
Configuration Baseline
The CB's purpose is purely to wrap up the contained CIs and deploy them to a collection. As you will see from the below screenshots, there is no real configuration to the CB when editing it, other than the items evaluated and the collections the CB is deployed to;
Deployments
When deploying your CB you are presented with options to allow automatic remediation where supported and to set the schedule. Obviously, for remediation to take place you must have a remediation task set, and the method you are using in the CI must support it.
It is also important that when scheduling your CB deployment you take into consideration the performance impact generated by the contained CIs. This is especially true when running SQL queries or launching applications in scripts; I'm sure you do not want to get into a situation whereby a couple of hundred or thousands of clients all poll the same SQL instance at the same time. Your database admin might just come knocking on your door if you do!
Reporting
Once your compliance baseline has had time to run through its evaluation schedule, apart from viewing the compliance count in the Configuration Baseline section of the console, you can also use the Reporting node in the Monitoring section of the console or the Reporting Web Instance to pull down reports.
ConfigMgr Console Reports
ConfigMgr Web Reports View
Monitoring Your CB Deployments
So you have deployed your CBs, but how do you monitor clients to ensure that the baselines are being applied?
To do so you can monitor the CIAgent.log file in the %SystemRoot%\CCM\Logs folder; I would recommend using the CMTrace tool for this for clarity – https://www.microsoft.com/en-us/download/details.aspx?id=50012.
You should see something similar to the below;
If you take note of the Scope ID listed in the log you can quickly find the matching CB by opening a PowerShell session from the ConfigMgr console and running the following command;
Get-CMBaseline | Format-List LocalizedDisplayName, CI_UniqueID
In this example I have taken the log file from a ConfigMgr distribution point which has a CB to keep its IIS log files down to a set retention period; you will see that the ID matches, providing confirmation that the CB has been applied to the server in question;
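The manual match described above can be scripted. The following is an added example (not from the original post) that pulls the baseline IDs referenced in a copy of CIAgent.log and resolves them against Get-CMBaseline, the cmdlet used above. It assumes the ConfigurationManager module is loaded with the site drive as the current location, that baseline IDs appear in the log in the same ScopeId_<GUID>/Baseline_<GUID> form as the CI_UniqueID property, and the sample log line is constructed for illustration in the CMTrace line format.

```powershell
# Added example: resolve baseline IDs found in CIAgent.log to baseline names.
# Run from a console PowerShell session connected to the site drive (e.g. PS1:\).

function Get-BaselineIdFromLog {
    param([string[]]$Lines)
    # Assumed ID format, taken from the shape of CI_UniqueID: ScopeId_<GUID>/Baseline_<GUID>
    $Pattern = 'ScopeId_[0-9A-Fa-f-]{36}/Baseline_[0-9A-Fa-f-]{36}'
    $Lines | Select-String -Pattern $Pattern -AllMatches |
        ForEach-Object { $_.Matches.Value } |
        Sort-Object -Unique
}

# Path to a CIAgent.log copied from the client being checked (assumed location)
$LogPath = 'C:\Temp\CIAgent.log'
if (Test-Path -Path $LogPath) {
    $Lines = Get-Content -Path $LogPath
}
else {
    # Constructed sample line in CMTrace format, used only when no log copy is present
    $Lines = @(
        '<![LOG[Baseline ScopeId_11111111-2222-3333-4444-555555555555/Baseline_66666666-7777-8888-9999-000000000000 evaluation started]LOG]!><time="10:00:00.000+00" date="01-01-2017" component="CIAgent" context="" type="1" thread="1234" file="">'
    )
}

$Ids = Get-BaselineIdFromLog -Lines $Lines

# One round trip to the site, then match each ID locally
$Baselines = Get-CMBaseline | Select-Object LocalizedDisplayName, CI_UniqueID
foreach ($Id in $Ids) {
    $Match = $Baselines | Where-Object { $_.CI_UniqueID -eq $Id }
    if ($Match) {
        '{0} -> {1}' -f $Id, $Match.LocalizedDisplayName
    }
    else {
        # An ID the site does not know about usually means a log from a different
        # hierarchy or a baseline that has since been deleted; worth a closer look.
        '{0} -> no matching baseline in this site' -f $Id
    }
}
```

The constructed ID in the sample line will not exist in your site, so running the block as-is reports "no matching baseline"; point $LogPath at a real log copy to see the names resolve.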
Examples
Below are links to some of our CI/CB posts:
Configuration Baseline    | Link
Ransomware                | https://msendpointmgr.com/2017/03/21/protect-file-servers-from-ransomware-with-sccm-cicb/
Drive Fragmentation       | https://msendpointmgr.com/2017/01/10/automated-drive-optimisation-with-sccm-configuration-baseline/
Laptop Battery Health     | https://msendpointmgr.com/2017/02/17/laptop-battery-health-monitor-configuration-item/
IIS Log Maintenance       | https://msendpointmgr.com/2017/01/03/configuration-manager-iis-log-maintenance/
Client Cache Maintenance  | https://msendpointmgr.com/2017/02/21/sccm-client-cache-maintenance-configuration-baseline/
Windows 10 Fast Startup   | https://msendpointmgr.com/2017/03/31/manage-windows-10-fast-startup-with-sccm-compliance-baseline/
Windows Client Firewall   | https://msendpointmgr.com/2014/05/02/use-compliance-settings-to-determine-if-windows-firewall-is-enabled/
Conclusion
I hope this has given you a high-level overview of what can be achieved with this powerful feature in ConfigMgr. As I mentioned, to get the most out of this feature I would recommend the script CI approach, so I would encourage you to learn PowerShell scripting if you are not already familiar with it.
I will be following up with more in depth examples in a series on this feature.
[…] I don’t write details how to do compliance settings, there are lots of blogs about it, example: https://msendpointmgr.com/2017/04/09/configmgr-configuration-baselines-a-beginners-guide/ […]
A few would be
– A basic: if this software exists, remove it.
– If this Registry key exists, remove it
– If this Registry key exists, replace it
– If this software version exists, upgrade to X version
Great article! I have a few configuration baselines in use, but they are very minimal and I’d like to do more with them. I was thinking recently, there should be some public repository of Configuration Settings & Baselines, sort of a Cookbook style collection of recipes that are general enough to be of use in many environments. Users could pick and choose the settings/baselines they want to use, and customize them as needed to fit their environment. Are you aware of anything like that?
Hi Steve,
I am not aware of a public repository of configuration items and baselines, but it is something we could look at doing. If anyone has suggestions even on what type of CI/CB’s they would use then we could build up a library upon requests received.
Maurice