Automatic Remediation using SCCM 2012 R2

Question

I am attempting to use the Microsoft Security Compliance Manager 3.0 (SCM), Group Policy Objects (GPO) and System Center Configuration Manager 2012 R2 (SCCM) to enforce security configuration compliance on devices. I have successfully

  • Imported GPO Backups into SCM
  • Exported the settings from SCM using the SCCM DCM 2007 (.cab) option
  • Imported the resulting cab file into SCCM 2012 R2 configuration baselines
  • Deployed the SCCM 2012 R2 configuration baselines; I made sure to select Remediate when supported
  • Verified the devices are getting the assigned configuration baselines by reviewing compliance reports

What I have not been able to accomplish is having SCCM 2012 R2 automatically remediate the non-compliant findings. Delving deeper into the SCCM 2012 R2 settings I found that

  • On the Configuration Item “Settings” tab, each setting has a Setting Type of Script
  • On the Configuration Item “Compliance Rules” tab, each rule has a “Remediate” value of “No”
  • The selection to “Run the specified remediation script when this setting is noncompliant” is not visible.
  • When I check the properties of the compliance rules, the Discovery script is created, but the Remediation script is not.

I’ve noticed the same thing on configuration baselines based on the Microsoft Baselines as well as custom baselines created from GPO backups.

I assumed everything required to configure automatic remediation was included in the baselines (from the Microsoft Baselines and any custom baselines created in SCM).

Is that incorrect? Do I need to perform a different step to get the remediation scripts?

Do I have to manually create all the remediation scripts?

Did I make a mistake in the process of getting the settings transferred from GPOs to SCM, or from SCM to SCCM 2012 R2?

Thursday, May 28, 2015 9:07 PM
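For readers wondering what a hand-written pair looks like for a script-type setting as described in the post, the following is an added illustration (not code from the original post or from SCM): a discovery script that returns the current value for the compliance rule to compare against, and the matching remediation script that runs when the rule reports noncompliant. The registry path and value name are hypothetical placeholders; substitute the policy location that the baseline setting actually maps to. Configuration item scripts run under the local SYSTEM account unless the setting is configured to use the logged-on user's credentials.

```powershell
# ---- Discovery script ---------------------------------------------------
# Setting Type = Script, Data type = Integer.
# Outputs the current DWORD value, or 0 if the value/key is absent, so the
# compliance rule can be "value returned must equal 1".
# HYPOTHETICAL path and value name, used only to illustrate the pattern.
$regPath   = 'HKLM:\SOFTWARE\Policies\ExampleVendor\ExamplePolicy'
$valueName = 'EnableHardening'

$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output 0            # key or value missing -> reported as 0 (noncompliant)
} else {
    Write-Output ([int]$item.$valueName)
}

# ---- Remediation script -------------------------------------------------
# Attached to the same setting via "Run the specified remediation script
# when this setting is noncompliant". Creates the policy key if needed and
# writes the required value; exit code 0 tells the client it succeeded.
$regPath   = 'HKLM:\SOFTWARE\Policies\ExampleVendor\ExamplePolicy'   # hypothetical
$valueName = 'EnableHardening'                                       # hypothetical
$required  = 1

if (-not (Test-Path -Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
    -Value $required -Force | Out-Null

# Re-read so a failed write is surfaced as a non-zero exit code rather than
# silently reported as remediated on the next evaluation cycle.
$after = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ([int]$after -ne $required) { exit 1 }
exit 0
```

In the console the two halves are pasted into separate Discovery and Remediation script boxes on the setting; they are shown together here only to keep the pair side by side.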