Table of Contents
Introduction
When moving to new Windows 10 (Windows as a Service), you are sometimes required to upgrade drivers and applications before the upgrade process.
Monitoring driver and application versions can be accomplished using Configuration Items and Configuration Baselines in SCCM.
Driver requirements differ between different models, and there is no built-in functionality to control compliance checks for a specific model.
Again, Powershell comes to the rescue.
In this blog post, I will explain what configuration items and configuration baselines are and provide an example of an SCCM configuration baseline.
What are Configuration Items in SCCM?
Configuration Items can be any of the following:
- Software Updates
- Registry Values
- Files
- Custom scripts
Configuration Items are not deployed but are deployed using Configuration Baselines, which I cover below.
Configuration Items are a more modern approach to handling settings.
Even Group Policy settings can be converted to Configuration Items. Kaido Järvemts has created a solution for this: https://kaidojarvemets.com/convert-group-policies-into-configuration-items-using-powershell/
What is a configuration baseline?
Configuration Baselines include at least one Configuration Item and are deployed to a collection of clients or users.
The following items can be part of a Configuration Baseline:
- Configuration Items
- Software Updates
- Configuration Baselines
SCCM can deploy Configuration Baselines to users and devices.
Device deployments are not strange.
User deployment works as well. The Configuration Item should be evaluated as part of the login process, similar to a login script. I have, however, had some issues with this.
The solution
The solution I have created consists of the following components:
- A script to be used in the Configuration Item
- A Configuration Item
- A Configuration Baseline
How to create a Configuration Item in SCCM
Create a custom configuration item
Start by opening the Configuration Manager console. Go to Assets and Compliance -> Compliance Settings -> Configuration Items and press Create Configuration Item.
Give the Configuration Item a name and select the options below.
Select the Operating Systems for which the Configuration Item should apply for.
Press New to create a new Setting.
Give the setting a Name and press Add Script.
Paste either the Registry or File Version script. Find these below.
CHECK REGISTRY VALUE
$ComputerModels = 'HP EliteBook 820 G3','HP EliteBook 840 G3'
$RegistryVersion = "24.20.100.628"
$ComputerModelWMI = (Get-WmiObject Win32_ComputerSystem).Model
if ($ComputerModels -match $ComputerModelWMI) {
$ActualRegistryVersion = (Get-ItemProperty HKLM:\Software\WOW6432Node\Intel\GFX).Version
if ($ActualRegistryVersion -ge $RegistryVersion) {
Write-Output $true
}
else {
Write-Output $false
}
}
else {
Write-Output $true
}
CHECK FILE VERSION
$ComputerModels = 'HP EliteBook 820 G3','HP EliteBook 840 G3'
$FilePath = "C:\Program Files\Lenovo\HOTKEY\kbdmgr.exe"
$FileVersion = "1.0.0.11"
$ComputerModelWMI = (Get-WmiObject Win32_ComputerSystem).Model
if ($ComputerModels -match $ComputerModelWMI) {
$ActualFileVersion = (Get-ChildItem $FilePath).VersionInfo
$ActualFileVersion = $ActualFileVersion.FileVersion
if ($ActualFileVersion -eq $FileVersion) {
Write-Output $true
}
else {
Write-Output $false
}
}
else {
Write-Output $true
}
Press OK to finalize.
Select the Compliance tab.
Give the Compliance condition a Name.
Configure the compliance conditions according to the following settings:
| Option | Setting |
|---|---|
| Rule Type | Value |
| The value returned by the specified script | Equals True |
| Noncompliance severity for reports | Critical |
Press OK.
Finalize the Wizard.
Create the Configuration Baseline
Now we need to create the Configuration Baseline, to be deployed.
Go to Assets and Compliance and select Create Configuration Baseline.
Give the Configuration Baseline a Name.
Press Add and select Configuration Items.
Select the Configuration Item created earlier.
Press OK to close the window.
Press OK to Finalize.
DEPLOY CONFIGURATION BASELINE
Select the Configuration Baseline you just created. Right-click and press Deploy.
Press Browse to find the collection to deploy to.
Press OK.
Conclusion
Creating Configuration Items in SCCM and deploying them via a Configuration Baseline is a great way to check compliance and remediate any required changes.
Do you use Configuration Items in your environment? Please leave a comment below!
Related posts
- SCCM Maintenance Windows based on Patch Tuesday
- The 15 most exciting news in SCCM 1906
- How to configure deadlines for Automatic Deployment Rules in SCCM
- How to manage Software Update Groups in SCCM using Powershell
- How to configure the collection update schedule in SCCM using Powershell
Hello,
In all the examples I read so far it seems the DCM & DCI are working only on a unique value for the parameter. e.g: FileVersion = “1.0.0.11” is checking is the version has this value or not.
What is the best way to check what is the value(collect all the existing values for the parameter)? and then test each value by itself to create its own collection
Thanks,
Dom
It was a nice article Daniel. It helps me to understand more about Baseline in SCCM
Thanks Sudheer!
/Daniel
It is really nice article for better understanding CBs and CIs in SCCM, Other posts also well explained and helpful.
It’s very nice and easy to use very good article
Thanks a lot Daniel, really appreciate sharing the knowledge on CI/CB & many other great articles on SCCM/MECM of which a lot of folks like myself have learnt a lot from over the years.