Installing Windows Features via Compliance Settings in ConfigMgr 2012

This weeks’ post will be about Installing Windows Features via Compliance Settings. In most cases the normal route for installing Windows Features will be the application model But what if checking for the installation of a Windows Feature is part of a Configuration Baseline, is it than possible to make the installation of a Windows Feature also part of the baseline? The answer to this question is, yes.

In my case, I have a Windows 8.1 Configuration Baseline and one of the Configuration Items in the baseline checks for the installation of the Telnet Client. When the Telnet Client is not installed a script will start to remediate that by installing the Telnet Client. This way I get the complete compliance of a device, to my Windows 8.1 baseline, in one overview.

The rest of this post will describe in three steps, how to create the Configuration Item, how to create the Configuration Baseline and how to deploy the Configuration Baseline.

Step 1: Create the Configuration Item

Now lets start with the first step of creating a Configuration Item that will check and remediate the installation of the Telnet Client. Both, the check and the remediation will be done by firing a PowerShell script.

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Items.
  • On the Home tab, in the Create group, click Create Configuration Item and the Create Configuration Item Wizard will popup.
  • On the General page, fill in with Name <aCIName> and click Next.
  • On the Supported Platforms page, select Windows 8.1 and click Next.
  • TelnetClientSettingOn the Settings page, click New, fill in the following information and click Next.
    • On the General tab, fill in the following information and click OK.
      • Fill in as Name <aSName>.
      • Select as Setting Type Script.
      • Select as Data Type String.
      • Click with Discovery script Edit Script… and in the Edit Discovery Script popup add the following script and click Ok.
        $FeatureName = "TelnetClient" If (Get-WindowsOptionalFeature -Online | Where {$_.State ` -eq "Enabled" -and $_.FeatureName -eq $FeatureName}) { $Compliance = "Compliant" } Else { $Compliance = "NonCompliant" } Return $Compliance

      • Click with Remediation script (optional) Edit Script… and in the Edit Discovery Script popup add the following script and click OK.
        $FeatureName = "TelnetClient" Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName

    • TelnetClientRuleOn the Compliance Rules tab, click New, fill in the following information and click OK.
      • Fill in as Name <aRName>.
      • Select as Rule Type Value.
      • Select with The settings must comply with the following rule: Equals.
      • Fill in with the following values Compliant.
        • Note: This value is important for it to function, as it is “hardcoded” in the script.
      • Select Run the specified remediation script when this setting is noncompliant.
      • Select with Noncompliance severity for reports: Information.
  • On the Compliance Rules page click Next.
  • On the Summary page click Next.
  • On the Completion page click Close.

Step 2: Create the Configuration Baseline

The second step is to create a Configuration Baseline that will allow the new Configuration Item to be evaluated for compliance.

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
  • TelnetClientBaselineOn the Home tab, in the Create group, click Create Configuration Baseline and the Create Configuration Baseline popup will show.
  • On the Create Configuration Baseline popup, fill in with Name <aCBName> and click Add > Configuration Item and the Add Configuration Items popup will show.
  • On the Add Configuration Items popup select the new Configuration Item <aCIName>, click Add, click OK and back on the Create Configuration Baseline popup click OK.

Step 3: Deploy the Configuration Baseline

The third and final step is to deliver the Configuration Baseline to the client devices by deploying it.

  • TelnetClientDeploymentIn the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
  • Select the new Configuration Baseline <aCBName> and on the Home tab, in the Deployment group, click Deploy and the Deploy Configuration Baselines popup will show.
  • On the Deploy Configuration Baselines popup, select Remediate noncompliant rules when supported, Browse to <aCollection> and click OK.

Conclusion

Even though a Configuration Baseline is not the most conventional way for installing Windows Features, it’s a good possibility for specific use cases. In case the check for existence of a feature is part of the baseline, then it would be an option to put the remediation in the same baseline. That way there is one view to check for the baseline compliance and not a specific view with deployment states. In most cases a normal application deployment, or task sequence deployment, will fit the needs. Don’t use this because it’s possible, but because it fits the needs.

4 thoughts on “Installing Windows Features via Compliance Settings in ConfigMgr 2012

  1. Great article! Thank you!

    Everything above applies to 2012+.
    For 2008/2008R2 it should be modified to:
    Discovery:
    Get-WindowsFeature | Where {$_.State `
    -eq “Enabled” -and $_.Name -eq $FeatureName}

    Remediation:
    Enable-WindowsFeature -Name $FeatureName

Leave a Comment