Creating a Compliance Item, Baseline and Example

First published on TECHNET on Jul 31, 2013

Authored by Santos Martinez

Been working on a few topics related to Compliance Setting, one of those was to create a Default IE Browser Compliance Baseline. As this may not be needed for many of you, I wanted to bring the example on my blog. Whether you are trying to create a compliance item with a related subject, or just creating one for the first time. Here is an example on create a compliance item to check for a registry key, this key will be monitored with the Compliance Item, once changed we will use the remediation mechanism to get it fix. Let's start creating a simple Compliance Item, which will check for a specific registry key.

The Compliance Item

We must first create the compliance item in Configuration Manager, once you are creating this item you must specify the registry key. For example.

For a detail steps on create this Configuration Item, Go to the following article:


As you can see on my Configuration Item, I have 3 different registry keys to look for.

To be more specific on the registry, take a closer look at the settings.


We are looking here at HKEY_CURRENT_USER, then Key Name SoftwareMicrosoftWindowsShellAssociationsUrlAssociationsftpUserChoice the Value name is “ProgID”

On my compliance item, if the registry don't match the following value will return a non compliance.

Let's take a look at the compliance rule:


If that registry value, is not = IE.FTP then will be non compliance. Now we are ready to create a compliance baseline and remediate those machines that are non compliance.

In this example we will be creating a compliance item, but instead of using a registry let's try to use a PowerShell script.


For this configuration item, we will be having 2 types of . The first script will be a discovery script, and will check for a specific value and the second script will be a remediation script.


Now that you have finish creating your Configuration Items, its time to create a configuration Baseline. To do this you must follow the instructions on this link:

I have attach a copy of both examples as .cab files, you can import those cab files into your ConfigMgr 2012.

You can download this examples from the following link:

Once downloaded you can follow the steps on this link to import the Configuration Baseline, into the system:

This was more of a quick post, reminder of use a Compliance Item and Baselines for a specific task.

Do this example works for you?


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.