Home
%3CLINGO-SUB%20id%3D%22lingo-sub-884558%22%20slang%3D%22en-US%22%3ECreating%20a%20Compliance%20Item%2C%20Baseline%20and%20Example%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-884558%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3E%20First%20published%20on%20TECHNET%20on%20Jul%2031%2C%202013%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%3CP%3E%3CI%3E%20Authored%20by%20Santos%20Martinez%20%3C%2FI%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EBeen%20working%20on%20a%20few%20topics%20related%20to%20Compliance%20Setting%2C%20one%20of%20those%20was%20to%20create%20a%20Default%20IE%20Browser%20Compliance%20Baseline.%20As%20this%20may%20not%20be%20needed%20for%20many%20of%20you%2C%20I%20wanted%20to%20bring%20the%20example%20on%20my%20blog.%20Whether%20you%20are%20trying%20to%20create%20a%20compliance%20item%20with%20a%20related%20subject%2C%20or%20just%20creating%20one%20for%20the%20first%20time.%20Here%20is%20an%20example%20on%20how%20to%20create%20a%20compliance%20item%20to%20check%20for%20a%20registry%20key%2C%20this%20key%20will%20be%20monitored%20with%20the%20Compliance%20Item%2C%20once%20changed%20we%20will%20use%20the%20remediation%20mechanism%20to%20get%20it%20fix.%20Let%E2%80%99s%20start%20creating%20a%20simple%20Compliance%20Item%2C%20which%20will%20check%20for%20a%20specific%20registry%20key.%3C%2FP%3E%0A%20%20%3CH2%20id%3D%22toc-hId-1823871362%22%20id%3D%22toc-hId-1823926107%22%3EThe%20Compliance%20Item%3C%2FH2%3E%0A%20%20%3CP%3EWe%20must%20first%20create%20the%20compliance%20item%20in%20Configuration%20Manager%2C%20once%20you%20are%20creating%20this%20item%20you%20must%20specify%20the%20registry%20key.%20For%20example.%3C%2FP%3E%0A%20%20%3CP%3EFor%20a%20detail%20steps%20on%20how%20to%20create%20this%20Configuration%20Item%2C%20Go%20to%20the%20following%20article%3A%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fgg712331.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%20http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fgg712331.aspx%3C%2FA%3E%3C%2FP%3E%0A%20%20%3CP%3E%3CIMG%20alt%3D%22clip_image002%22%20border%3D%220%22%20height%3D%22294%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F134558i6417CEB90707C6B1%22%20title%3D%22clip_image002%22%20width%3D%22305%22%20%2F%3E%3C%2FP%3E%0A%20%20%3CP%3EAs%20you%20can%20see%20on%20my%20Configuration%20Item%2C%20I%20have%203%20different%20registry%20keys%20to%20look%20for.%3C%2FP%3E%0A%20%20%3CP%3ETo%20be%20more%20specific%20on%20the%20registry%2C%20take%20a%20closer%20look%20at%20the%20settings.%3C%2FP%3E%0A%20%20%3CP%3E%3CIMG%20alt%3D%22clip_image004%22%20border%3D%220%22%20height%3D%22370%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F134559iCD87C40E68D35FD6%22%20title%3D%22clip_image004%22%20width%3D%22393%22%20%2F%3E%3C%2FP%3E%0A%20%20%3CP%3EWe%20are%20looking%20here%20at%20HKEY_CURRENT_USER%2C%20then%20Key%20Name%20%5CSoftware%5CMicrosoft%5CWindows%5CShell%5CAssociations%5CUrlAssociations%5Cftp%5CUserChoice%20the%20Value%20name%20is%20%E2%80%9CProgID%E2%80%9D%3C%2FP%3E%0A%20%20%3CP%3EOn%20my%20compliance%20item%2C%20if%20the%20registry%20don%E2%80%99t%20match%20the%20following%20value%20will%20return%20a%20non%20compliance.%3C%2FP%3E%0A%20%20%3CP%3ELet%E2%80%99s%20take%20a%20look%20at%20the%20compliance%20rule%3A%3C%2FP%3E%0A%20%20%3CP%3E%3CIMG%20alt%3D%22clip_image006%22%20border%3D%220%22%20height%3D%22320%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F134560i930D2CAD72D9F963%22%20title%3D%22clip_image006%22%20width%3D%22307%22%20%2F%3E%3C%2FP%3E%0A%20%20%3CP%3EIf%20that%20registry%20value%2C%20is%20not%20%3D%20IE.FTP%20then%20will%20be%20non%20compliance.%20Now%20we%20are%20ready%20to%20create%20a%20compliance%20baseline%20and%20remediate%20those%20machines%20that%20are%20non%20compliance.%3C%2FP%3E%0A%20%20%3CP%3EIn%20this%20example%20we%20will%20be%20creating%20a%20compliance%20item%2C%20but%20instead%20of%20using%20a%20registry%20let%E2%80%99s%20try%20to%20use%20a%20PowerShell%20script.%3C%2FP%3E%0A%20%20%3CP%3E%3CIMG%20alt%3D%22clip_image008%22%20border%3D%220%22%20height%3D%22298%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F134561i0B27F6237004722E%22%20title%3D%22clip_image008%22%20width%3D%22308%22%20%2F%3E%3C%2FP%3E%0A%20%20%3CP%3EFor%20this%20configuration%20item%2C%20we%20will%20be%20having%202%20types%20of%20scripts.%20The%20first%20script%20will%20be%20a%20discovery%20script%2C%20and%20will%20check%20for%20a%20specific%20value%20and%20the%20second%20script%20will%20be%20a%20remediation%20script.%3C%2FP%3E%0A%20%20%3CP%3E%3CIMG%20alt%3D%22clip_image010%22%20border%3D%220%22%20height%3D%22298%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F134562iB6B2B66B76D51227%22%20title%3D%22clip_image010%22%20width%3D%22313%22%20%2F%3E%3C%2FP%3E%0A%20%20%3CP%3ENow%20that%20you%20have%20finish%20creating%20your%20Configuration%20Items%2C%20its%20time%20to%20create%20a%20configuration%20Baseline.%20To%20do%20this%20you%20must%20follow%20the%20instructions%20on%20this%20link%3A%20%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fgg712268.aspx%22%20title%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fgg712268.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%20http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fgg712268.aspx%3C%2FA%3E%3C%2FP%3E%0A%20%20%3CP%3EI%20have%20attach%20a%20copy%20of%20both%20examples%20as%20.cab%20files%2C%20you%20can%20import%20those%20cab%20files%20into%20your%20ConfigMgr%202012.%3C%2FP%3E%0A%20%20%3CP%3E%3CSTRONG%3EYou%20can%20download%20this%20examples%20from%20the%20following%20link%3A%20%3C%2FSTRONG%3E%20%3CA%20href%3D%22http%3A%2F%2Fgallery.technet.microsoft.com%2FDefault-IE-Compliance-a2fd020f%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%20%3CSTRONG%3E%20http%3A%2F%2Fgallery.technet.microsoft.com%2FDefault-IE-Compliance-a2fd020f%3C%2FSTRONG%3E%3C%2FA%3E%3C%2FP%3E%0A%20%20%3CP%3EOnce%20downloaded%20you%20can%20follow%20the%20steps%20on%20this%20link%20to%20import%20the%20Configuration%20Baseline%2C%20into%20the%20system%3A%3C%2FP%3E%0A%20%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fhh691016.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%20http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fhh691016.aspx%20%3C%2FA%3E%3C%2FP%3E%0A%20%20%3CP%3EThis%20was%20more%20of%20a%20quick%20post%2C%20reminder%20of%20how%20to%20use%20a%20Compliance%20Item%20and%20Baselines%20for%20a%20specific%20task.%3C%2FP%3E%0A%20%20%3CH3%20id%3D%22toc-hId--924799104%22%20id%3D%22toc-hId--924744359%22%3EDo%20this%20example%20works%20for%20you%3F%3C%2FH3%3E%0A%20%20%3CDIV%20style%3D%22clear%3Aboth%22%3E%0A%20%20%3C%2FDIV%3E%0A%20%20%3CP%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-884558%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20TECHNET%20on%20Jul%2031%2C%202013%20Authored%20by%20Santos%20MartinezBeen%20working%20on%20a%20few%20topics%20related%20to%20Compliance%20Setting%2C%20one%20of%20those%20was%20to%20create%20a%20Default%20IE%20Browser%20Compliance%20Baseline.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-884558%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ecompliance%20setting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Econfigmgr%202012%20sp1%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

First published on TECHNET on Jul 31, 2013

Authored by Santos Martinez

 

Been working on a few topics related to Compliance Setting, one of those was to create a Default IE Browser Compliance Baseline. As this may not be needed for many of you, I wanted to bring the example on my blog. Whether you are trying to create a compliance item with a related subject, or just creating one for the first time. Here is an example on how to create a compliance item to check for a registry key, this key will be monitored with the Compliance Item, once changed we will use the remediation mechanism to get it fix. Let’s start creating a simple Compliance Item, which will check for a specific registry key.

 

The Compliance Item

 

We must first create the compliance item in Configuration Manager, once you are creating this item you must specify the registry key.

 

For a detail steps on how to create this Configuration Item, Go to the following article:

https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/gg712331(v=te...

 

 

As you can see on my Configuration Item, I have 3 different registry keys to look for.

To be more specific on the registry, take a closer look at the settings.

 

 

We are looking here at HKEY_CURRENT_USER, then Key Name \Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice the Value name is “ProgID”

 

On my compliance item, if the registry don’t match the following value will return a non compliance.

Let’s take a look at the compliance rule:

 

 

If that registry value, is not = IE.FTP then will be non compliance. Now we are ready to create a compliance baseline and remediate those machines that are non compliance.

 

In this example we will be creating a compliance item, but instead of using a registry let’s try to use a PowerShell script.

 

 

For this configuration item, we will be having 2 types of scripts. The first script will be a discovery script, and will check for a specific value and the second script will be a remediation script.

 

 

Now that you have finish creating your Configuration Items, its time to create a configuration Baseline. To do this you must follow the instructions on this link: https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/gg712268(v=te...

 

I have attach a copy of both examples as .cab files, you can import those cab files into your ConfigMgr 2012.

 

You can download this examples from the following link:

http://gallery.technet.microsoft.com/Default-IE-Compliance-a2fd020f

 

Once downloaded you can follow the steps on this link to import the Configuration Baseline, into the system:

 

https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/hh691016(v=te...

 

This was more of a quick post, reminder of how to use a Compliance Item and Baselines for a specific task.

Do this example works for you?