The main ones...

1) Local Group Members into WMI
http://mnscug.org/blogs/sherry-kissinger/244-all-members-of-all-local-groups-configmgr-2012

2) A bunch of Nomad ones to keep nomadbranch healthy

3) Although we do a lot of settings via GPO ... we're so huge that not
everyone who has control over their GPOs... actually understands them. So a
few things that would be best done in GPOs but we have several ConfigItems
that at least monitor for things we care about; and a few that remediate.
Things like... our Certificate for SCUP-signed updates, and the WinRM
configuration.
http://mnscug.org/blogs/sherry-kissinger/299-compliance-setting-to-enable-winrm

4) Adobe Products Information--especially useful with the recent Adobe DC
product releases, where you can't tell Pro vs. Std without reading the .xml
locally, and this does it for you.
http://mnscug.org/blogs/sherry-kissinger/419-gather-some-adobe-serial-numbers-and-version-using-configmgr-compliance-settings-and-hardware-inventory

5) Disable Inventory Throttling
http://www.mnscug.org/blogs/sherry-kissinger/287-cm12disableinventorythrottling

6) EventLog Parser for Windows Installer Installations (this one isn't my
favorite, but manager types love it. They are so weird sometimes.)
MNSCUG - Minnesota System Center User Group - Some Limited Windows Installer
Event Information via Compliance Setting

7) The Annoying Client Retry Task:
http://mnscug.org/blogs/sherry-kissinger/409-configuration-manager-2012-the-client-reinstalls-daily

8) Keep our SUPs from tipping over:
MNSCUG - Minnesota System Center User Group - WSUS (SUP) Servers in ConfigMgr
2012 custom Configuration Settings

9) A ton of things imported from SCM (as Duncan mentioned) for monitoring our
own servers that they are getting the settings they are supposed to have.

Of course we have a lot more, but those are usually short-term things;
sometimes up to 6 months; usually 2 weeks or less. People just want "a quick
count of..." something, and it's often easier to get that via a ConfigItem
than doing a mof edit.

On Thursday, January 21, 2016 2:05 PM, Duncan McAlynn
<[email protected]> wrote:
Using Microsoft
Security Compliance Manager 3.0, I export modified baselines for
security-related visibility by operating system (Windows 7/8/Server 2012) or by
server function (i.e. AD, Exchange, Hyper-V, DNS, etc…). You can learn more
about SCM 3.0 at: https://technet.microsoft.com/en-us/library/cc677002.aspx
Duncan McAlynn, Sr. Solutions Specialist, Americas
HEAT Software
M: +1.512.391.9111 | [email protected]
HEAT Software | 490 N McCarthy Blvd. Suite 100 | Milpitas, CA 95035

From: [email protected] [mailto:[email protected]] On Behalf
Of Daniel Ratliff
Sent: Thursday, January 21, 2016 1:01 PM
To: [email protected]
Subject: [mssms] RE: What are you using configuration baselines for?

Anything that needs enforced and forgotten about we use GPO. Anything that
requires running a script, or being reported on, we use a compliance script.

A few examples of our compliance scripts:

· Setting BCDEdit settings for all devices
· Setting a lot of 1E settings for Nomad and PXE
· Adding a lot of custom hardware inventory classes to WMI
· Inventory usage of a Host on Demand web app
· Setting the local admin password (will be using LAPS in the future)
· Lots more

Daniel Ratliff

From: [email protected] [mailto:[email protected]] On
Behalf Of John Aubrey
Sent: Thursday, January 21, 2016 1:45 PM
To: [email protected]
Subject: [mssms] RE: What are you using configuration baselines for?

I would be very interested in what everyone is using it for. It’s the part of
configmgr that we really don’t use. I have one that checks the default
browser, and one for the “Local Group Members into WMI with logging”.

From: mailto:[email protected] [mailto:[email protected]] On
Behalf Of Linkey, Mike
Sent: Thursday, January 21, 2016 12:30 PM
To: [email protected]
Subject: [mssms] RE: What are you using configuration baselines for?

We disable PST write/creation and disable USB write permissions. I am
interested in what you have done for Adobe if you are willing to share. Is
there a list of what folks have done that people can get them from?

Mike L.

From: mailto:[email protected] [mailto:[email protected]] On
Behalf Of Chris Carbone
Sent: Thursday, January 21, 2016 11:08 AM
To: [email protected]
Subject: [mssms] What are you using configuration baselines for?

Hello all,

I just recently gained access to configuration baselines in SCCM and so far
I’ve created one for Adobe Reader to turn off automatic updates. Then I created
another for verifying all our servers have all the printers installed in our
environment. I wanted to survey all of you wonderful people and find out
what baselines you are getting the most use out of?

Thanks!