Deploy a Configuration Baseline with SCCM

How to deploy a SCCM Configuration Baseline

In this post, we will show you how to deploy a Configuration Baseline in SCCM (or MECM, as it is now known). Configuration baselines in Configuration Manager contain a defined set of desired configurations that are evaluated for compliance as a group.

Following our earlier post on how to enable the WMI firewall rules for client accessibility in MPA Tools, we will demonstrate how to enable the WMI firewall rules using a PowerShell script-based configuration baseline. The benefit, as with the Intune Remediation method, is that the script pair can automatically detect and fix the WMI firewall rules on a schedule.

What are Configuration Baselines?

In Configuration Manager, baselines are used to define the configuration of a system as it was established at a specific point in time. Configuration baselines can contain one or more defined sets of desired configurations, or configuration items. These configuration items are evaluated on a schedule and the results are returned to the site system for reporting. Configuration items can also be set to automatically remediate missing or incorrect configurations. For more information, see About Configuration Baselines and Items | Microsoft Learn.

Pre-requisites for PowerShell script configuration baselines

First, we need to verify that compliance evaluation is enabled for the clients. In the SCCM Administrative console, navigate to Administration\Overview\Client Settings. Check that compliance evaluation is enabled under Compliance Settings in either the default client settings or the applicable client settings that are assigned to the relevant client devices.

Next, we will need to confirm that PowerShell execution policy allows scripts to be executed by the SCCM clients. The PowerShell execution policy is under Computer Agent in either the default client settings or the applicable client settings that are assigned to the relevant client devices. In this example, we will set the execution policy to Bypass.

Selecting a device collection

Next, we will need to ensure that we have an applicable device collection for the relevant Windows 10/11 devices. The device collection can be configured to use direct membership or query-based membership. In this example, we will be assigning the configuration baseline to our query-based Windows Client Devices collection.

Creating the configuration item

First, we will start with creating a configuration item. In the SCCM Administrative console, navigate to Assets and Compliance\Compliance Settings\Configuration Items. Click the Create Configuration Item button on the ribbon toolbar.

Specify a name for the configuration item. Select the Windows Desktops and Servers (custom) radio button and then click Next.

Select the relevant Windows platforms. In this example, we will be selecting both Windows 10 and Windows 11. Then click Next.

On the Settings page in the wizard, click the New button.

Specify a name for the setting. Select Script for the setting type and Boolean for the data type. This means that the detection script must be configured to return a Boolean result (i.e. true or false).

Setting the detection script

Click on the Add Script button to enter the following detection script.

Try {
    # -ErrorAction Stop turns a non-terminating error (for example, the rule group
    # not being present on this build) into one the Catch block below sees, so the
    # script reports non-compliance instead of silently returning True.
    $NetFirewallRuleList = Get-NetFirewallRule -Direction Inbound -DisplayGroup "Windows Management Instrumentation (WMI)" -ErrorAction Stop
    $Count = $NetFirewallRuleList.Count

    ForEach ($NetFirewallRule in $NetFirewallRuleList) {
        # A single disabled rule in the group makes the setting non-compliant.
        If ($NetFirewallRule.Enabled -eq "False") { Return $false }
        Else { $Count -= 1 }
    }

    # Every rule in the group was enabled.
    If ($Count -eq 0) { Return $true }
}
Catch {
    Return $false
}

Then click OK.

Setting the remediation script

Next, we will specify the remediation script.

Click on the Add Script button to enter the following remediation script.

$NetFirewallRuleList = Get-NetFirewallRule -Direction Inbound -DisplayGroup "Windows Management Instrumentation (WMI)"

# Enable every inbound rule in the group by name; rules that are already enabled are unaffected.
ForEach ($NetFirewallRule in $NetFirewallRuleList) { Enable-NetFirewallRule -Name $NetFirewallRule.Name }

Then click OK.

Validate that all the required settings are defined then click OK.

Click Next.

On the Compliance Rules page in the wizard, click the New button.

Specify a name for the compliance rule and then click the Browse button.

Select the setting created in the previous step.

Next, set the rule type to "Value". Under the value returned by the specified script, set the rule to "Equals" and "True". Select the checkbox to run the remediation script when the setting is noncompliant, and select the checkbox to report noncompliance. This means that, unless the detection script returns true, the remediation script will be executed on the client to make it compliant with the setting, and the noncompliance will also be reported in the Monitoring node.

Click Next.

Verify the settings in the summary and then click Next.

Click Close.

Creating the configuration baseline

Next, we will create the configuration baseline. In the SCCM Administrative console, navigate to Assets and Compliance\Compliance Settings\Configuration Baselines. Click the Create Configuration Baseline button on the ribbon toolbar.

Specify a name for the configuration baseline. Click the Add button and select Configuration Items. Click OK.

Select the configuration item that we had just created and then click the Add button.

Click OK.

The configuration item should now appear under the configuration data list. Click OK.

Deploying the configuration baseline

Finally, we will deploy the configuration baseline. In the SCCM Administrative console, navigate to Assets and Compliance\Compliance Settings\Configuration Baselines. Select the configuration baseline that we had just created and then click the Deploy button on the ribbon toolbar.

Verify that the correct configuration baseline has been selected. Then select the checkbox to remediate noncompliant rules, and choose whether the remediation can occur outside the maintenance window. Then click the Browse button.

Select the relevant device collection and then click OK.

Lastly, specify the desired schedule. Then click OK.

Monitoring & testing the deployment

To track the progress of the deployment, in the SCCM Administrative console, navigate to Monitoring\Deployments and select the deployment for the configuration baseline. You will need to allow the deployment some time to run and then report back, which can only occur after the specified scheduled time. Once it has, you can click Run Summarization and then click Refresh.

Once the configuration baseline has been executed on the relevant devices, you should see the compliance status that is returned.

Finally, on the applicable clients, you can confirm in the Windows Defender Firewall with Advanced Security management console, that all the firewall rules within the group “Windows Management Instrumentation (WMI)” are enabled and have a green check icon next to them.
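If you would rather not wait for the deployment schedule, the following added example (not part of the original post) can be run from an elevated PowerShell session on a managed client: it triggers an immediate evaluation of the deployed baseline through the client agent's root\ccm\dcm namespace, reads back the compliance status, and then independently checks the WMI rule group per firewall profile. It assumes the client has already received the baseline policy and that $BaselineName is replaced with the display name you gave your baseline; the status-code mapping and the TriggerEvaluation arguments are taken from the client's SMS_DesiredConfiguration class.

```powershell
# Added example, not part of the original post: trigger the deployed baseline on a client,
# read its compliance status, and verify the "Windows Management Instrumentation (WMI)" group.
# Assumptions: run elevated on a client that already has the baseline policy; $BaselineName
# is a placeholder for the baseline's display name.
param(
    [string]$BaselineName = 'PLACEHOLDER - your baseline display name'
)

$ns = 'root\ccm\dcm'   # client-side namespace that lists assigned configuration baselines

# Find the baseline as the client sees it; no match means machine policy has not arrived yet.
$baseline = Get-CimInstance -Namespace $ns -ClassName SMS_DesiredConfiguration |
    Where-Object { $_.DisplayName -eq $BaselineName }
if (-not $baseline) { throw "Baseline '$BaselineName' not found on this client." }

# Start an immediate, enforced (remediating) evaluation instead of waiting for the schedule.
$null = Invoke-CimMethod -Namespace $ns -ClassName SMS_DesiredConfiguration `
    -MethodName TriggerEvaluation -Arguments @{
        Name            = $baseline.Name
        Version         = $baseline.Version
        IsMachineTarget = $true
        IsEnforced      = $true
    }

# Evaluation runs asynchronously in the client agent; allow it to finish, then re-read the status.
Start-Sleep -Seconds 30
$baseline = Get-CimInstance -Namespace $ns -ClassName SMS_DesiredConfiguration |
    Where-Object { $_.Name -eq $baseline.Name }
$statusText = @{ 0 = 'Non-Compliant'; 1 = 'Compliant'; 2 = 'Submitted'; 3 = 'Unknown'
                 4 = 'Detecting'; 5 = 'Not Evaluated' }
"Baseline '$($baseline.DisplayName)' status: $($statusText[[int]$baseline.LastComplianceStatus])"

# Independent check of the end state the baseline enforces, broken down per profile, so a rule
# that is disabled for only one profile (for example, Public) is not hidden by the others.
$rules = Get-NetFirewallRule -Direction Inbound `
    -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction Stop
$rules | Select-Object DisplayName, Profile, Enabled |
    Sort-Object Profile, DisplayName | Format-Table -AutoSize
$disabled = @($rules | Where-Object { $_.Enabled -ne 'True' })
if ($disabled.Count -eq 0) { 'All WMI inbound rules are enabled.' }
else { "Still disabled: $($disabled.DisplayName -join ', ')" }
```

A status of Non-Compliant together with disabled rules listed at the end points at the remediation script or the deployment's remediation checkbox; Compliant with all rules enabled matches what you should see in the Windows Defender Firewall console.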

Want to enable the WMI firewall rules using Intune instead? Then have a look at the deploying a remediation script using Intune post.

Or if you are looking to enable the WMI firewall rules using Group Policy, see the enable Windows firewall rules with Group Policy post.
