This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.
For a detailed description of the feature, I suggest you read the What’s new article.
In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.
I will walk through the required setup and give you a quick and easy example of how to use this awesome new feature in a co-management scenario.
Using Configuration Manager in combination with Microsoft Intune for device compliance has been possible for some time now.
This is done by enabling Require device compliance from Configuration Manager in your compliance policy in Intune. See the illustration below.
Note #1: This is also required with this new option.
Note #2: I’m assigning this as a separate compliance policy to a group consisting of users.
The first required step is to create a Compliance Policy in Configuration Manager. This is done in the Microsoft Endpoint Configuration Manager console as shown below:
The important selection here is to choose the condition: Include configured baselines in compliance assessment.
Then deploy that new compliance policy to your users, preferably to the same group of users as your compliance policy in Microsoft Intune.
As mentioned, the check itself can be almost anything, since the Configuration Item can use any of the built-in setting types, but also PowerShell scripts.
- PowerShell scripts: This is the powerful part and where things get really interesting. Think entire PowerShell scripts that do custom compliance checks against all sorts of things 🙂
For testing purposes, I suggest you go with something easy to configure and easy to use, like compliance based on a registry value.
So what I did here was to create a simple registry value, which is easy to modify and easy to configure with a Configuration Item.
Now, this Configuration Item needs to be included in a Configuration Baseline. All basic ConfigMgr, I presume, but you need to make sure to enable the following settings:
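As an added example (not code from the original post), here is a discovery script for a Configuration Item of setting type Script and data type String that checks a registry value like the one above. The registry path, value name and expected value are constructed for this example; the compliance rule on the setting would then be "value returned by the specified script equals Compliant".

```powershell
# Discovery script for a Configuration Item (setting type: Script, data type: String).
# The CI's compliance rule compares the single string this script writes to
# stdout against the expected string "Compliant".
# Assumed (constructed) registry location and value; replace with your own.
$RegPath   = 'HKLM:\SOFTWARE\Contoso\Compliance'
$ValueName = 'DeviceHardened'
$Expected  = 'True'

function Get-RegistryComplianceState {
    param(
        [string]$Path,
        [string]$Name,
        [string]$ExpectedValue
    )
    try {
        # -ErrorAction Stop turns a missing key or value into a catchable error
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        $actual = [string]$item.$Name
    }
    catch {
        # A missing key or value is a clear non-compliant state, not a script error
        return 'NonCompliant'
    }

    # String comparison keeps the rule simple: anything but the expected value fails
    if ($actual -eq $ExpectedValue) {
        return 'Compliant'
    }
    return 'NonCompliant'
}

# The CI evaluates exactly one output value, so write only the result
Write-Output (Get-RegistryComplianceState -Path $RegPath -Name $ValueName -ExpectedValue $Expected)
```

Changing the value to False on a test device, as described later in the post, makes this script return NonCompliant so the baseline, and in turn the compliance policy, reports non-compliance.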
- Always apply this baseline even for co-managed clients
- Evaluate this baseline as part of compliance policy assessment
On the client side, this shows up as two new configurations in the Configuration Manager applet in Control Panel:
There is some timing involved here: the Configuration Baseline needs to be evaluated before the Compliance Policy, so I suggest configuring the deployment schedules like so:
- Configuration Baseline runs every 30 minutes
- Compliance Policy runs every 1 hour
If I go ahead and simulate a change on the device that makes it non-compliant, like changing the registry value to False,
the Configuration Baseline will go non-compliant first, and then the Compliance Policy will too.
This leaves the device non-compliant in Software Center,
but also in the Company Portal, signaling non-compliance all the way into Azure AD.