ConfigMgr Configuration Baselines allow administrators to report or enforce particular settings on machines. These settings, with remediation, will allow you ensure that your devices meet a specific configuration. In this post, we look at services and how to configure a baseline that will ensure particular services are started.
Configuration Item
The first part to any baseline is a configuration item. I will use a detection and remediation PowerShell script for this part. To create the item, go to Assets and Compliance > Compliance Settings > Compliance Items and click “Create Configuration Item” in the ribbon. Give your item a name. I am building this item for the ConfigMgr client, to ensure that a user does not turn it off or disabled it.
We can leave all versions of Windows selected on the next screen, or you can exclude Embedded if you want. For the Settings page of the wizard, give the setting a name, change the setting type to Script, and data type to String:
Now click “Add Script” under the “Discovery Script” section. Leave the language as PowerShell, and paste this command:
(get-wmiobject -namespace root\CIMv2 -class Win32_Service | where-object -filterscript {$_.Name -eq “CcmExec”}).started
Change the CcmExec part to your service name and click OK.
Now, click the “Add Script” button under “Remediation script”. Paste this code into the box, changing the service name once again:
$service = get-wmiobject -namespace root\cimv2 -class Win32_Service | where-object -filterscript {$_.Name -eq “CcmExec”}
$service.changestartmode(“automatic”)
$service.startservice()
The first piece of code checks if the service is started. The “started” property of the Win32_Service class returns a value of true. This will be important shortly. Next, the remediation part will change the start mode of the service to automatic, then start the service.
After both scripts are in place, you can click the “Compliance Rules” tab and click New. Configure the wizard like this:
The value of the “started” parameter comes into play here, where we tell the rule what the script will return. You also need to check the remediation box so that the remediation script will run. That’s it for the configuration item.
Configuration Baseline
Now that we have our configuration item, you can either add it to an existing baseline and deploy it, or create a new one. The only key is to remember that when you create the deployment, be sure the remediation boxes are checked:
