Introduction

When moving to new Windows 10 (Windows as a Service), you are sometimes required to upgrade drivers and applications before the upgrade process.

Monitoring driver and application versions can be accomplished using Configuration Items and Configuration Baselines in SCCM.

Driver requirements differ between different models, and there is no built-in functionality to control compliance checks for a specific model.

Again, Powershell comes to the rescue.

In this blog post, I will explain what configuration items and configuration baselines are and provide an example of an SCCM configuration baseline.

What are Configuration Items in SCCM?

Configuration Items can be any of the following:

  • Software Updates
  • Registry Values
  • Files
  • Custom scripts

Configuration Items are not deployed but are deployed using Configuration Baselines, which I cover below.

Configuration Items are a more modern approach to handling settings.

Even Group Policy settings can be converted to Configuration Items. Kaido Järvemts has created a solution for this: https://kaidojarvemets.com/convert-group-policies-into-configuration-items-using-powershell/

What is a configuration baseline?

Configuration Baselines include at least one Configuration Item and are deployed to a collection of clients or users.

The following items can be part of a Configuration Baseline:

SCCM can deploy Configuration Baselines to users and devices.

Device deployments are not strange.

User deployment works as well. The Configuration Item should be evaluated as part of the login process, similar to a login script. I have, however, had some issues with this.

The solution

The solution I have created consists of the following components:

  • A script to be used in the Configuration Item
  • A Configuration Item
  • A Configuration Baseline

How to create a Configuration Item in SCCM

Create a custom configuration item

Start by opening the Configuration Manager console. Go to Assets and Compliance -> Compliance Settings -> Configuration Items and press Create Configuration Item.

Create SCCM Configuration Item

Give the Configuration Item a name and select the options below.

Create SCCM Configuration Items

Select the Operating Systems for which the Configuration Item should apply for.

Select Operating System SCCM Configuration Item

Press New to create a new Setting.

SCCM Configuration Item

Give the setting a Name and press Add Script.

SCCM Configuration Item

Paste either the Registry or File Version script. Find these below.

Add Powershell script SCCM Configuration Item

CHECK REGISTRY VALUE

$ComputerModels = 'HP EliteBook 820 G3','HP EliteBook 840 G3'
$RegistryVersion = "24.20.100.628"
$ComputerModelWMI = (Get-WmiObject Win32_ComputerSystem).Model
if ($ComputerModels -match $ComputerModelWMI) {
    $ActualRegistryVersion = (Get-ItemProperty HKLM:\Software\WOW6432Node\Intel\GFX).Version
    if ($ActualRegistryVersion -ge $RegistryVersion) {
        Write-Output $true
    }
    else {
        Write-Output $false
    }
}
else {
   Write-Output $true
}

CHECK FILE VERSION

$ComputerModels = 'HP EliteBook 820 G3','HP EliteBook 840 G3'
$FilePath = "C:\Program Files\Lenovo\HOTKEY\kbdmgr.exe"
$FileVersion = "1.0.0.11"
$ComputerModelWMI = (Get-WmiObject Win32_ComputerSystem).Model
if ($ComputerModels -match $ComputerModelWMI) {
    $ActualFileVersion = (Get-ChildItem $FilePath).VersionInfo
    $ActualFileVersion = $ActualFileVersion.FileVersion
    if ($ActualFileVersion -eq $FileVersion) {
        Write-Output $true
    }
    else {
        Write-Output $false
    }
}
else {
   Write-Output $true
}

Press OK to finalize.

Select the Compliance tab.

Give the Compliance condition a Name.

Configure the compliance conditions according to the following settings:

OptionSetting
Rule TypeValue
The value returned by the specified scriptEquals True
Noncompliance severity for reportsCritical

Press OK.

Finalize the Wizard.

Create the Configuration Baseline

Now we need to create the Configuration Baseline, to be deployed.

Go to Assets and Compliance and select Create Configuration Baseline.

Give the Configuration Baseline a Name.

Press Add and select Configuration Items.

Select the Configuration Item created earlier.

Press OK to close the window.

Press OK to Finalize.

DEPLOY CONFIGURATION BASELINE

Select the Configuration Baseline you just created. Right-click and press Deploy.

Press Browse to find the collection to deploy to.

Press OK.

Conclusion

Creating Configuration Items in SCCM and deploying them via a Configuration Baseline is a great way to check compliance and remediate any required changes.

Do you use Configuration Items in your environment? Please leave a comment below!

Related posts

6 COMMENTS

  1. Hello,
    In all the examples I read so far it seems the DCM & DCI are working only on a unique value for the parameter. e.g: FileVersion = “1.0.0.11” is checking is the version has this value or not.
    What is the best way to check what is the value(collect all the existing values for the parameter)? and then test each value by itself to create its own collection

    Thanks,
    Dom

  2. It is really nice article for better understanding CBs and CIs in SCCM, Other posts also well explained and helpful.

  3. Thanks a lot Daniel, really appreciate sharing the knowledge on CI/CB & many other great articles on SCCM/MECM of which a lot of folks like myself have learnt a lot from over the years.

LEAVE A REPLY

Please enter your comment!
Please enter your name here