ConfigMgr 2012: Service Configuration Baseline

ConfigMgr Configuration Baselines allow administrators to report or enforce particular settings on machines. These settings, with remediation, will allow you ensure that your devices meet a specific configuration. In this post, we look at services and how to configure a baseline that will ensure particular services are started.

Configuration Item

The first part to any baseline is a configuration item. I will use a detection and remediation PowerShell script for this part. To create the item, go to Assets and Compliance > Compliance Settings > Compliance Items and click “Create Configuration Item” in the ribbon. Give your item a name. I am building this item for the ConfigMgr client, to ensure that a user does not turn it off or disabled it.


We can leave all versions of Windows selected on the next screen, or you can exclude Embedded if you want. For the Settings page of the wizard, give the setting a name, change the setting type to Script, and data type to String:


Now click “Add Script” under the “Discovery Script” section. Leave the language as PowerShell, and paste this command:

(get-wmiobject -namespace root\CIMv2 -class Win32_Service | where-object -filterscript {$_.Name -eq “CcmExec”}).started

Change the CcmExec part to your service name and click OK.

Now, click the “Add Script” button under “Remediation script”. Paste this code into the box, changing the service name once again:

$service = get-wmiobject -namespace root\cimv2 -class Win32_Service | where-object -filterscript {$_.Name -eq “CcmExec”}



The first piece of code checks if the service is started. The “started” property of the Win32_Service class returns a value of true. This will be important shortly. Next, the remediation part will change the start mode of the service to automatic, then start the service.

After both scripts are in place, you can click the “Compliance Rules” tab and click New. Configure the wizard like this:


The value of the “started” parameter comes into play here, where we tell the rule what the script will return. You also need to check the remediation box so that the remediation script will run. That’s it for the configuration item.

Configuration Baseline

Now that we have our configuration item, you can either add it to an existing baseline and deploy it, or create a new one. The only key is to remember that when you create the deployment, be sure the remediation boxes are checked:




Contact Us

On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.