ConfigMgr Compliance Settings to Check specific Windows Event ID

Compliance settings is one of the ConfigMgr feature to manage the configuration and compliance of clients in your organization. Compliance Settings can be used to ensure clients meet a pre-configured baseline. For instance, if we want to make sure that all clients machines have a particular windows Event ID in System Event viewer within last 7 days, we can do this through compliance settings. The below settings illustrate how to create a Configuration Item and Configuration Baseline for this requirement.

Prerequisites

So before we look at implementing a configuration baseline we must ensure that clients have the prerequisite client settings enabled as below.

For reporting, the Reporting Services Point role must also be installed

Create a Configuration Item

Configuration Items are the individual’s settings that you want to set for a particular client. You can simply check for compliance and report back or remediate these settings if they are non-compliant. These configuration items can be grouped into Configuration Baselines.The first step to implementing a CB (Configuration Baseline) is to create individual CI’s to evaluate set conditions.

In the ConfigMgr console, under the Assets and Compliance workspace, expand Compliance Settings and select Configuration Items. From the ribbon, click on Create Configuration Item and Mention name of the Configuration Item

Choose which operating systems you would like to assess for the configuration item.

Type Name of the Rule and Click Discovery Script

Enter your Power shell script, Here i have used script to check the specific windows System Event ID 5823 for the past 7 days.

Script,

$EventID = (Get-EventLog system -after (get-date).AddDays(-7) | where {$_.InstanceId -eq 5823})
 if ($EventID -eq $null)
{$Compliance = “No”}
Else
{$Compliance = “YES”}
 $Compliance

Specify the Compliance condition for this setting as per below,

Create a Configuration Baseline

We need to add it to a Configuration Baseline in order to deploy it to a client machine.

Give your new configuration baseline a name and click Add > Configuration Items to pick and choose the CIs that you would like to include in the configuration baseline, Here I have included Event ID configuration Item

Deployment

The configuration baseline you’ve created will not be effective until you’ve deployed it to your target collection. Here I have deployed to “test” Collections

Reporting

Once your compliance baseline has had time to run through its evaluation schedule, apart from viewing the compliance count in the Configuration Baseline section of the console, you can also use the Reporting node in the Monitoring section of the console or the Reporting Web Instance to pull down reports.

We can see the status from one of the ConfigMgr Default Report, Report Name: “Summary Compliance by Configuration baseline

The below machine has the specific Event ID and shows as “Compliance”

The below machine doesn’t have the specific Event ID and shows as “Non-Compliance”

Thank You!

Published by Tamilkovan

My name is Tamil Kovan and I work as a Technical Lead at PCCW Solutions. This is my blog where I will share tips and stuff for my own on System Center related topics.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: