Services in SCCM Compliance Settings

Compliance Settings, formerly Desired Configuration Manager, is a very powerful feature of SCCM. It allows you to set up configuration baselines and then act on the results: you can create collections, or just have a report of clients that are not compliant. This post will focus on making sure services are installed and in a particular state. Visit this post for a more detailed introduction to Compliance Settings.

Configuration Items

We are going to start by building our configuration items. We will have two: one to monitor the service state, and one to ensure that the service is installed. Let’s start with ensuring that the service is started. Create a new item by clicking “Create Configuration Item” in the ribbon. Give it a name and description. On the “Supported Platforms” page, select the operating systems that this item should be targeted to. On the “Settings” page, create a new setting and give it a name and description. Change the “Setting Type” to WQL and the “Data Type” to string. In the “Class” box, type “Win32_Service”, and type “Started” in the “Property” box. Next, in the WHERE clause box, type Name="<service name>". Be sure to leave the quotes, and remember that this is the actual service name, not the display name. To find the actual service name, double-click the service and look at “Service Name”.

Here is what your page would look like if we were ensuring that the SMS Agent Host were started:

Click OK, and proceed to the “Compliance Rules” screen. Create a new compliance rule, and select the setting we created in the previous step in the “Selected Setting” box. Type “True” in the “the following values” box and click OK.

Finish the wizard.

Now we need to create the configuration item to ensure that the service is installed. The service check that we just created will list the baseline as compliant even if the service isn’t present. It will list it as non-compliant only if the service is not started. To check for the service, create another configuration item. Give it a name, description, and select the available operating systems. Create your new setting and give it a name and description. Change the “Setting Type” to script and the “Data Type” to string. Click the “Add Script” button and select “Windows PowerShell” as the language. Copy this into the script box:

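# Look up the service by its actual service name (not the display name)
$a = Get-WmiObject -Class Win32_Service -Namespace root\cimv2 | Where-Object -FilterScript { $_.Name -eq "<service name>" }

# Report "false" when the service is not present, "true" when it is installed
if ($a -eq $null) { Write-Host "false" } else { Write-Host "true" }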

This checks for the service, and if the value is null, it returns false, meaning that the service is not present. Don’t forget to insert the service name, leaving the surrounding quotes. After inserting the script, check the “Run Scripts by using the 32-bit scripting host on 64-bit devices” box. Your screen should look like this:

Set the “Compliance Rule” up the same way as we did earlier, being sure to select the correct “Selected Setting”. Now that we have the configuration items set up, let’s move on to creating our baseline.
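
As an added example (not part of the original post), the two checks above can be combined in one PowerShell script setting that distinguishes a missing service from a stopped one. The function name, the returned strings and the CcmExec sample value (the service name of SMS Agent Host) are assumptions; a compliance rule for this setting would expect the value “Running”.

```powershell
# Added example: one discovery script that reports whether a service is
# missing, stopped, or running. Names and return strings are illustrative.

# Assumption: replace with the actual service name (not the display name).
$ServiceName = 'CcmExec'

function Get-ServiceComplianceState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    # Escape backslashes and single quotes so the name stays inside the
    # WQL string literal.
    $escaped = $Name.Replace('\', '\\').Replace("'", "\'")

    # Filter on the WMI side instead of enumerating every service and
    # piping the full list through Where-Object.
    $svc = Get-WmiObject -Class Win32_Service -Namespace root\cimv2 `
        -Filter "Name='$escaped'" -ErrorAction Stop

    # No matching instance means the service is not installed.
    if ($null -eq $svc) { return 'NotInstalled' }

    # Started is the same Boolean property the WQL setting evaluates.
    if (-not $svc.Started) { return 'Stopped' }

    return 'Running'
}

try {
    Write-Output (Get-ServiceComplianceState -Name $ServiceName)
}
catch {
    # A failed WMI query returns a distinct value, so the client is
    # reported as non-compliant instead of passing silently.
    Write-Output 'QueryFailed'
}
```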

Configuration Baseline

Create a baseline by selecting “Create Configuration Baseline” in the ribbon. Give it a name and description. Click the “Add” button in the “Configuration Data” box. Select the two configuration items that we previously created and click OK.

Now we need to deploy the baseline to a collection. To do that, click “Deploy” in the ribbon, select your collection and evaluation schedule, and press OK.

Create Non-Compliant Collection

Finally, we can create a collection of non-compliant machines. To do that, select the baseline and click the “Deployments” tab at the bottom of the console. Now select your deployment and in the ribbon an option appears to “Create New Collection”. From here, you can create a collection of compliant, error, non-compliant, or unknown devices. Take your pick and create your collection.

Once you have your collection, you can do whatever you want with that information. You can deploy an application or package to remediate the issue, or just have a running list of computers that don’t meet a baseline.


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
