Use the output from Remediation to test and see if it was actually successful rather than assuming it was successful. The only way to have a true non-compliance is to throw a non-zero exit code when using a script.
14 votes
Right now if you use HKCU and try to create a DWORD value that does NOT exist, even though you set remediation up properly and select the box that says to create the value as a REG_DWORD, it still does not create the entry at all and the baseline reads as compliant. The creation of DWORD values using baselines has been a common post on forums for many years.
3 votes
It happens (quite often) when I'm creating a CI in the console that I blaze thru the wizard (accepting defaults) and start building out all my settings, rules, etc. When I'm all done, I close out and then realize that I forgot to configure the CI as an APPLICATION CI with a detection method.
So now I have to delete my CI, and start all over from scratch. ANNOYING! I would love the ability to "convert" an Operating System CI type to an Application CI type and be able to go back in and add a detection method as appropriate.
0 votes
Currently you cannot search 'All Subfolders' within Configuration Items or Configuration Baselines. You can only search the current node/folder.
35 votes
Report to show which compliance item is non-compliant for a compliance baseline
1 vote
At the dependencies tab in deployment type configuration, be able to select a configuration baseline to be evaluated/apply a remediation. I think it is a powerful way to set some required settings.
5 votes
If you set "Configuration Baselines" of "Windows Defender Firewall Policy", the event "Invalid namespace" occurs as "search configuration error".
This event only occurs in workgroup environments, but not in domain environments.
The workgroup client wishes that this function can be used because domain GPO cannot be used.
21 votes
The Set-CMComplianceSupportedPlatform does not seem to be finished. When I use it against a CI it states the following:
$CIRule | Set-CMComplianceSupportedPlatform
WARNING: The 'Set-CMComplianceSupportedPlatform' cmdlet is a beta-quality and is not yet complete. It may not be fully functional, and may be changed or removed in a future release. It is provided for testing purposes and should not be used for produ
I don't have a way to set which OSes apply to a configuration item via PowerShell. See this forum post for more info.
The ability to run a configuration baseline on a collection that has the baseline applied to a parent collection.
Currently we have certain Baselines that are applied to our master collection of all computers in the organization. However, when we replace a lab we should be able to run that baseline without having to run it against the master collection.
0 votes
Unlike Applications you cannot disable a compliance setting. Currently I have to change their name and add "Disabled" in the front so when they show on the baseline list people know that they are currently not in production.
3 votes
Add a priority order option to Compliance Items 'settings'. Currently you can have multiple settings but you don't know in which order they process. If you have 'setting 1' dependent on 'setting 2' you can't specify the order in which they process. Same might go for Baselines but that's not my current need.
0 votes
Right now you can deploy a baseline to see if systems have all the required local apps. It would be nice if you allowed the system to have remediation for the missing application that is specified by the company. As of now the only things you can have a baseline auto fix are Registry value & Script (by running remediation script) & WQL Query. If it could auto and manually fix applications that would be outstanding. I would allow it in these two ways: if the system detects it is missing an app it auto deploys that package ID to itself (check box when setting up the configuration item). You could also make it so that when you right click on a baseline deployment and click create collection, during that process you pick what configuration item you want to remediate (where the red arrow is). I think both ways would be very helpful to get an environment corrected.
3 votes
When automating the creation of Configuration Items, every time a new setting is added the version increments. Depending on my input file, the revision could be in the upper hundreds, particularly when adding Windows Defender and Firewall exceptions.
It would be nice to check out a configuration item, make the necessary edits, and then check in the changes.
7 votes
Currently when setting up a configuration item with application settings, you are able to point to an application in ConfigMgr to use for a detection method. The issue is that if you want to export and share the CI, the import fails if the application does not exist in the ConfigMgr site. It would be better if it grabbed the detection method from the application but added that to the CI to be independent of the application. So instead of pointing to the application for the detection method, the method gets copied over (copy instead of pointer).
2 votes
Currently, the only value option for string arrays in a compliance rule is to specify that it must contain "All of" the specified values. I would like to be able to say that it should contain "Any of." Similar to how regular strings have "One of."
Ideally, an "Any of" value would support any combination of any number of values in the list, but only values in the list.
4 votes
I would like to turn off PowerShell transcripting in a configuration item. If I run a PS script in user mode (meaning "Run scripts by using the logged on user credentials" is enabled) then it creates a folder under the user's mydocuments folder. It is very annoying.
3 votes
For many years now Microsoft has strongly recommended that Local Admin Rights be removed. Would it be possible to have SCCM report on the contents of the Local Administrators group? Also, could we maybe have a wizard under Compliance Settings to configure these settings. I know Sherry Kissinger from MNSCUG has done a lot of work with this. Maybe the product team could pattern the solution after her work.
1 vote
On the software update dashboard I want to monitor and pursue the non-compliant machines. I cannot see a way, as in other pie charts and other graphs in the various dashboards around the console, of drilling into the list of devices.
4 votes
When creating compliance settings for new applications I often like to grab settings from a known machine. It works well and pre-fills a lot of the rules for me, unlike manually entering the value.
But I am fed up of having to re-navigate to the remote registry location I am grabbing these values from. Please please please can you get the console to remember the last registry location used when creating CIs?
The same would be useful for file/folder paths too.
1 vote
Configuration items have statuses of compliant, non-compliant, unknown, and error. It would be a nice expansion of the compliance settings feature to be able to act upon the individual CI status and not just add to a collection based off baseline compliance.
Actions that would be of benefit are:
Add to collection
Install individual software update or software update group
Run task sequence
Run script
11 votes