SCCM Configuration Baseline

published: April 27, 2019 author: Tinu tags: PowerShell categories: Configuration-Management

---

Automate the System Center Configuration Manager with PowerShell.

Table of Contents

• Table of Contents
• Connect to the SCCM Server
• Configuration Baseline
  • Create a Configuration Baseline
  • Create Configuration Item
  • Add RegistryKeyValue Settings to Configuration Item
  • Add PowerShell Script Settings to Configuration Item
  • Add ExistentialRule to Configuration Item
  • Add ValueRule to Configuration Item
  • Add Configuration Item to Baseline
• See also

Connect to the SCCM Server

Importing the Configuration Manager PowerShell Module and connect to the CMServer and CMSite:

cd 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin'
if(-not(Get-Module -Name ConfigurationManager)){
    Import-Module \ConfigurationManager.psd1
}

New-PSDrive -Name $SiteCode -PSProvider "AdminUI.PS.Provider\CMSite" -Root $SiteServer -Description $SiteCode

Configuration Baseline

To create a Configuration Baseline, you need a Baseline, and one or more ConfigurationItems with settings to test and rules.

1) Create a Configuration Baseline
2) Create a Configuration Item
3) Add Configuration Setting without a Rule
4) Add Configuration Rule to the Setting
5) Add Configuration Item to the Baseline

Create a Configuration Baseline

Create a new Baseline (remove it before adding new Configuration Items):

$baseline = @{
    Name         = 'CB_Test-Base'
    Description  = 'This is a Test-Baseline'
}
$cb = Get-CMBaseline -Name $baseline.Name
if($cb){
    $cb | Remove-CMBaseline -Force
}
$cb = New-CMBaseline @baseline

Create Configuration Item

Create a new empty Configuration Item:

$ci = Get-CMConfigurationItem -Name 'Test-OS-ReleaseId' -Fast
if($ci){
    $ci | Remove-CMConfigurationItem -Force
}
$properties = @{
    Name         = 'Test-OS-ReleaseId'
    Description  = 'The OS ReleaseId should be 1703'
    CreationType = 'WindowsOS'
}
$ci = New-CMConfigurationItem @properties
if($ci){
    Write-Host "SCCM ConfigurationItem $($ci.LocalizedDisplayName) successfully created" -ForegroundColor Green
}

Add RegistryKeyValue Settings to Configuration Item

Add a new CMComplianceSettingRegistryKeyValue to an existent Configuration Item.

DataType:

• String, Integer

Hive:

• ClassesRoot, CurrentConfig, CurrentUser, LocalMachine, Users

$settings = @{
    #Settings to test
    SettingName           = 'ReleaseId must exist'
    DataType              = 'String'
    Hive                  = 'LocalMachine'
    KeyName               = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    ValueName             = 'ReleaseId'
    NoRule                = $true
}
$temp = $ci | Add-CMComplianceSettingRegistryKeyValue @settings
if($ci){
    Write-Host "SCCM ConfigurationItem $($ci.LocalizedDisplayName) successfully created" -ForegroundColor Green
    $setting = $ci | Get-CMComplianceSetting -SettingName $($settings.SettingName)
    Write-Host "SCCM ConfigurationItem $($settings.SettingName) successfully created" -ForegroundColor Green
}

Add PowerShell Script Settings to Configuration Item

Add a new CMComplianceSettingScript to an existent Configuration Item:

DataType:

• String, DateTime, Integer, FloatingPoint, Version, Boolean

DiscoveryLanguage:

• PowerShell, VBScript, JScript, ShellScript

Is64Bit:

• True (using the 64bit-scripting host), False (using the 32bit-scripting host)

$ScriptText = @"
`$(Get-ItemPropertyValue -Path HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion -Name ReleaseId)
"@

$settings = @{
    #Settings to test
    SettingName             = 'ReleaseId must exist'
    DataType                = 'String'
    DiscoveryScriptLanguage = 'PowerShell'
    DiscoveryScriptText     = $ScriptText
    #DiscoveryScriptFile    = 'C:\Scripts\Get-ReleaseId.ps1'
    Is64Bit                 = $true
    NoRule                  = $true
}
$temp = $ci | Add-CMComplianceSettingScript  @settings
if($ci){
    Write-Host "SCCM ConfigurationItem $($ci.LocalizedDisplayName) successfully created" -ForegroundColor Green
    $setting = $ci | Get-CMComplianceSetting -SettingName $($settings.SettingName)
    Write-Host "SCCM ConfigurationItem $($settings.SettingName) successfully created" -ForegroundColor Green
}

Add ExistentialRule to Configuration Item

Existence:

• IsEquals, NotEquals, BeginsWith, NotBeginsWith, EndsWith, NotEndsWith, Contains, NotContains, OneOf, NoneOf

$ExistentialRule = @{
    #Compliance Rule
    RuleName              = 'Should be MustNotExist'
    Existence             = 'MustNotExist'
    NoncomplianceSeverity = 'Warning'
}
$rule = $setting | New-CMComplianceRuleExistential @ExistentialRule
Write-Host "SCCM ConfigurationItem $($rule.Name) successfully created" -ForegroundColor Green
$temp = $ci | Add-CMComplianceSettingRule -Rule $rule

Add ValueRule to Configuration Item

ExpressionOperator:

• And, Or, Other, IsEquals, NotEquals, GreaterThan, LessThan, Between, NotBetween, GreaterEquals, LessEquals, BeginsWith, NotBeginsWith, EndsWith, NotEndsWith, Contains, NotContains, AllOf, OneOf, NoneOf, SetEquals, SubsetOf, ExcludesAll

$ValueRule = @{
    #Compliance Rule
    ValueRule             = $true
    RuleName              = 'The ReleaseId must be 1703'
    ExpressionOperator    = 'IsEqual'
    ExpectedValue         = '1703'
    ReportNoncompliance   = $true
    NoncomplianceSeverity = 'Warning'
}
$rule = $setting | New-CMComplianceRuleValue @ValueRule
Write-Host "SCCM ConfigurationItem $($rule.Name) successfully created" -ForegroundColor Green
$temp = $ci | Add-CMComplianceSettingRule -Rule $rule

Add Configuration Item to Baseline

Add each ConfigurationItem to a Baseline.

if($cb){
    Set-CMBaseline -Name $baseline.Name -AddOSConfigurationItem $ci.CI_ID
}

See also

ConfigurationManager on Microsoft Docs

Create ConfigurationItems and Baselines without killing your mouse on CTGlobal

---

← Previous Post ◇ [ Top ] ◇ Copyright © 2024 by tinuwalther ◇ [ Blog ] ◇ Next Post →