27 March 2019

Initiating an SCCM Compliance Check via PowerShell

Recently, I have been working on Configuration Baselines for security purposes. While doing so, two of my baselines required remediation that takes longer than 1 minute. I do not recall where I read it, but I believe the timeout for a compliance check is 1 minute. If the compliance remediation takes longer than 1 minute, then the baseline is designated as non-compliant until the next compliance check is run. This snippet of code can also be used in any other instance where the configuration manager client is installed.

To expedite this process, I tracked down how to execute a compliance check through PowerShell so that it can be executed at the end of the remediation script. Thanks to Trevor Sullivan's blog post, I was able to grab and modify the code from it to make into an easy to use code snippet within a Baseline remediation PowerShell script.

To make this easier, I wrote the script as two lines. The first line is where you specify the name of the baseline. As you can see in the pic below of a partial list of baseline configurations, the names of those baselines are what you need to specify for the variable $Name. The code snippet at the bottom shows using the Pending Reboot name to trigger a compliance check for that baseline. 

Once you have specified the name of the baseline, you can then copy and paste both lines at the bottom of the PowerShell remediation script so that a baseline configuration is triggered at the end of the remediation. Here is the code snippet: 

 $Name='Pending Reboot'  
 ([wmiclass]"root\ccm\dcm:SMS_DesiredConfiguration").TriggerEvaluation(((Get-WmiObject -Namespace root\ccm\dcm -class SMS_DesiredConfiguration | Where-Object {$_.DisplayName -eq $Name}).Name), ((Get-WmiObject -Namespace root\ccm\dcm -class SMS_DesiredConfiguration | Where-Object {$_.DisplayName -eq $Name}).Version))  


Post a Comment