
How to Remediate Non-Compliant Computers Using Software Distribution

Updated: November 1, 2012

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

You can use the compliance results from a Configuration Manager 2007 configuration item or configuration baseline to dynamically populate a collection with computers that report a specific compliance state or a specific non-compliance severity level.

You can then use Configuration Manager 2007 software distribution to assign a package or script to this collection that could, for example, either remediate the non-compliance condition or send a notification to an administrator that this condition requires attention.

For example, an application configuration item that checks for a specific version of Microsoft Office could be configured to report as non-compliant if the version number is not the standard release version. The configuration item can be configured to report a specific non-compliance severity level, such as Error in this case. If you create a collection that dynamically populates with computers that report a non-compliance severity level of Error for this application item, you can then assign to that collection a software distribution package to install the correct version of Office. When the application configuration item is next assessed for compliance, the client computer reports a compliance status, and the non-compliant computer is dynamically removed from the collection.

The query that you use to specify the collection membership defines the non-compliance severity level as a number. These non-compliance severity levels map to the following numbers in the query.

 

| Non-Compliance Severity Level | Number Mapping |
| --- | --- |
| Information - no Windows event messages | 0 |
| Information | 1 |
| Warning | 2 |
| Error | 3 |

You can build your collection query based on the non-compliance severity level of a configuration item or a configuration baseline.

You must specify the unique ID associated with the configuration item or configuration baseline, in addition to the display name. To find the unique ID values, add the column CI Unique ID to the display columns on the home pages for the Configuration Baselines node, or the Configuration Items node. For more information, see How to Distinguish Configuration Data with the Same Name in Desired Configuration Management.

You can use the query builder to create your collection query, or you can use the query example in the following procedures.

After using these procedures, perform the following steps:

  • Ensure that you have created a Configuration Manager 2007 package containing software or scripts to remediate the non-compliant configuration item or configuration baseline.

  • Create a mandatory advertisement by using standard software distribution methods to distribute this package to computers in the collection that you have created.

Note
Applies only to Configuration Manager 2007 R3.

If you have installed Configuration Manager 2007 R3, click Create New Collection on the Configuration Baselines home page or the Configuration Items home page to automatically create collections of compliant or non-compliant computers. For more information, see Configuration Baselines Home Page and Configuration Items Home Page.

To remediate non-compliant computers by compliance state using software distribution

  1. Copy the following query and paste it into a text editor, such as Notepad.

    select SMS_R_System.ResourceId,
    SMS_R_System.ResourceType,
    SMS_R_System.Name,
    SMS_R_System.SMSUniqueIdentifier,
    SMS_R_System.ResourceDomainORWorkgroup,
    SMS_R_System.Client
    from
    SMS_R_System inner join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
    Where
    SMS_G_System_CI_ComplianceState.ComplianceStateName = "<ComplianceState>"
    and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "<BaselineName>"
    and SMS_G_System_CI_ComplianceState.CI_UniqueID = "<CI Unique ID>"
    
  2. In the query, change <ComplianceState> to the compliance state of the configuration item or configuration baseline. This can be one of the following states:

    • compliant

    • non-compliant

  3. In the query, change <BaselineName> to the name of the configuration baseline or the configuration item as it appears in the Configuration Manager console.

  4. In the query, change <CI Unique ID> to the unique ID associated with the configuration item or configuration baseline.

  5. To create the collection, right-click the Collections node, and then click New Collection to start the New Collection Wizard.

  6. On the General page, specify the collection name and, optionally, specify a description.

  7. On the Membership Rules page, click the second Membership rules icon to open the Query Rules Properties dialog box.

  8. In the Query Rules Properties dialog box, ensure System Resource is selected as the Resource class, and then click Edit Query Statement.

  9. In the Query Statement Properties dialog box, click Show Query Language.

  10. In the Query Statement Properties dialog box, paste the modified query into the Query Statement box.

  11. Click OK to save the query, and then click Close to close the Query Statement Properties dialog box.

  12. In the Query Rule Properties dialog box, optionally select Limit to collection, and then click OK.

  13. On the Membership Rules page of the New Collection Wizard, optionally click Schedule if you want to define a collection membership update schedule that is shorter than the default of every day.

  14. If you are defining an alternative schedule, specify your alternative in the Custom Schedule dialog box, and then click OK.

  15. Complete the wizard.

To remediate non-compliant computers by non-compliance severity using software distribution

  1. Copy the following query and paste it into a text editor, such as Notepad.

    select SMS_R_System.ResourceId,
    SMS_R_System.ResourceType,
    SMS_R_System.Name,
    SMS_R_System.SMSUniqueIdentifier,
    SMS_R_System.ResourceDomainORWorkgroup,
    SMS_R_System.Client
    from
    SMS_R_System inner join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
    Where
    SMS_G_System_CI_ComplianceState.ComplianceStateName = "non-compliant"
    And SMS_G_System_CI_ComplianceState.MaxNoncomplianceCriticality = "<Severity>"
    and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "<BaselineName>"
    and SMS_G_System_CI_ComplianceState.CI_UniqueID = "<CI Unique ID>"
    
  2. In the query, change <Severity> to the non-compliance severity level of the configuration item or configuration baseline. This can be one of the following:

    • 0 (Information - no Windows event messages)

    • 1 (Information)

    • 2 (Warning)

    • 3 (Error)

  3. In the query, change <BaselineName> to the name of the configuration baseline or the configuration item as it appears in the Configuration Manager console.

  4. In the query, change <CI Unique ID> to the unique ID associated with the configuration item or configuration baseline.

  5. To create the collection, right-click the Collections node, and then click New Collection to start the New Collection Wizard.

  6. On the General page, enter the collection name and, optionally, type a description.

  7. On the Membership Rules page, click the second Membership rules icon to display the Query Rules Properties dialog box.

  8. Ensure System Resource is selected as the Resource class, and then click Edit Query Statement.

  9. In the Query Statement Properties dialog box, click Show Query Language.

  10. In the Query Statement Properties dialog box, paste the modified query into the Query Statement box.

  11. Click OK to save the query and click Close to close the Query Statement Properties dialog box.

  12. In the Query Rule Properties dialog box, optionally select Limit to collection, and then click OK.

  13. On the Membership Rules page of the New Collection Wizard, optionally click Schedule if you want to define a collection membership update schedule that is shorter than the default of every day.

  14. If you are defining an alternative schedule, specify your alternative in the Custom Schedule dialog box, and then click OK.

  15. Complete the wizard.
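
The placeholder substitution from both procedures, as an added PowerShell example that is not part of the original page: it maps a severity name to its number, escapes each value for a WQL string literal, and refuses placeholders that were left unreplaced. The function names, the sample baseline name and CI unique ID, and the site server and site code are assumptions.

```powershell
# Added example: fills in the placeholders of the collection queries on this page.
# Function names and all sample values below are hypothetical.
$SeverityNumber = @{   # severity names and numbers from the table on this page
    'Information - no Windows event messages' = 0
    'Information' = 1
    'Warning'     = 2
    'Error'       = 3
}

function ConvertTo-WqlLiteral([string]$Value) {
    if ([string]::IsNullOrEmpty($Value)) { throw 'Value must not be empty.' }
    if ($Value -match '^<.*>$') { throw "Placeholder $Value was not replaced." }
    # WQL string literals escape backslash and double quote with a backslash.
    '"' + $Value.Replace('\', '\\').Replace('"', '\"') + '"'
}

function New-ComplianceCollectionQuery {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('compliant', 'non-compliant')]
        [string]$ComplianceState,
        [Parameter(Mandatory = $true)][string]$BaselineName,
        [Parameter(Mandatory = $true)][string]$CIUniqueId,
        [string]$Severity   # optional severity name; second procedure only
    )
    $prefix = 'SMS_G_System_CI_ComplianceState.'
    $where = @($prefix + 'ComplianceStateName = ' + (ConvertTo-WqlLiteral $ComplianceState))
    if ($Severity) {
        if ($ComplianceState -ne 'non-compliant') { throw 'Severity requires non-compliant.' }
        if (-not $SeverityNumber.ContainsKey($Severity)) { throw "Unknown severity: $Severity" }
        $where += $prefix + 'MaxNoncomplianceCriticality = "' + $SeverityNumber[$Severity] + '"'
    }
    $where += $prefix + 'LocalizedDisplayName = ' + (ConvertTo-WqlLiteral $BaselineName)
    $where += $prefix + 'CI_UniqueID = ' + (ConvertTo-WqlLiteral $CIUniqueId)
    'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
        'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, ' +
        'SMS_R_System.Client from SMS_R_System inner join SMS_G_System_CI_ComplianceState ' +
        'on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId where ' +
        ($where -join ' and ')
}

# Constructed sample values; use the names and IDs shown in your own console.
$query = New-ComplianceCollectionQuery -ComplianceState 'non-compliant' -Severity 'Error' `
    -BaselineName 'Office Standard Version' -CIUniqueId 'EXAMPLE-CI-UNIQUE-ID'
$query

# Optional: ask the SMS Provider to validate the query before pasting it into the wizard.
# 'SITESERVER' and 'XYZ' stand in for your site server name and site code.
# $r = Invoke-WmiMethod -ComputerName 'SITESERVER' -Namespace 'root\sms\site_XYZ' `
#     -Class SMS_CollectionRuleQuery -Name ValidateQuery -ArgumentList $query
# $r.ReturnValue   # True when the provider accepts the query
```

Because a mandatory advertisement runs on every member of the collection, review the collection membership that the query produces before you advertise the remediation package to it.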

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.