I am attempting to use the Microsoft Security Compliance Manager 3.0 (SCM), Group Policy Objects (GPO) and System Center Configuration Manager 2012 R2 (SCCM) to enforce security configuration compliance on devices. I have successfully
- Imported GPO Backups into SCM
- Exported the settings from SCM using the SCCM DCM 2007 (.cab) option
- Imported the resulting cab file into SCCM 2012 R2 configuration baselines
- Deployed the SCCM 2012 R2 configuration baselines (I made sure to select Remediate when supported)
- Verified the devices are getting the assigned configuration baselines by reviewing compliance reports
- On the Configuration Item “Settings” tab, each setting has a Setting Type of Script
- On the Configuration Item “Compliance Rules” tab, each rule has a “Remediate” value of “No”
What I have not been able to accomplish is having SCCM 2012 R2 automatically remediate the non-compliant findings. Delving deeper into the SCCM 2012 R2 settings, I found that
- The selection to “Run the specified remediation script when this setting is noncompliant” is not visible.
- When I check the properties of the compliance rules, the Discovery script is created, but the Remediation script is not.
I’ve noticed the same thing on configuration baselines based on the Microsoft Baselines as well as custom baselines created from GPO backups.
I assumed everything required to configure automatic remediation was included in the baselines (from the Microsoft Baselines and any custom baselines created in SCM).
Is that incorrect? Do I need to perform a different step to get the remediation scripts?
Do I have to manually create all the remediation scripts?
Did I make a mistake in the process of getting the settings transferred from GPOs to SCM, or from SCM to SCCM 2012 R2?
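For reference, the shape of a discovery/remediation script pair that a script-type setting in a ConfigMgr 2012 R2 configuration item expects, as an added example that is not part of the original post and does not settle whether SCM's DCM export carries such scripts. The setting used for illustration is the registry value behind "Interactive logon: Do not display last user name" (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, DontDisplayLastUserName = 1); the function names and the local self-check at the bottom are assumptions for this example, not ConfigMgr API.

```powershell
# Added example: discovery and remediation logic for one script-type setting.
# In the console the body of Get-DontDisplayLastUserName goes in the Discovery
# script box and the body of Set-DontDisplayLastUserName in the Remediation
# script box; the compliance rule then compares the discovered value to 1 and
# "Run the specified remediation script when this setting is noncompliant" is
# enabled on that rule.

# Registry location of the policy setting (real path; the only thing this
# example assumes is that this is the setting you want to enforce).
$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RegName  = 'DontDisplayLastUserName'
$Expected = 1

function Get-DontDisplayLastUserName {
    # Discovery script: write exactly ONE value to the pipeline. ConfigMgr
    # compares this output with the rule's expected value; any extra output
    # (Write-Host noise, multiple objects) will make the comparison fail.
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: report 0 so the rule evaluates as noncompliant rather
        # than erroring with no output.
        return 0
    }
    return [int]$item.$RegName
}

function Set-DontDisplayLastUserName {
    # Remediation script: make the setting compliant. Runs as LocalSystem when
    # the client evaluates the baseline, so it can write under HKLM.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # -Force overwrites an existing value of the wrong data or type.
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord `
        -Value $Expected -Force | Out-Null
}

# Local self-check (assumed harness for testing outside ConfigMgr; run from an
# elevated PowerShell prompt on a test machine).
$before = Get-DontDisplayLastUserName
if ($before -ne $Expected) {
    Write-Output "Noncompliant (found $before), remediating..."
    Set-DontDisplayLastUserName
}
$after = Get-DontDisplayLastUserName
Write-Output "Value after evaluation: $after (expected $Expected)"
```

Two practical caveats when authoring these by hand: the ConfigMgr client runs the scripts under the "PowerShell execution policy" client setting (Computer Agent), so an unsigned script pair will be blocked unless that setting is Bypass or the scripts are signed; and the "Remediate" column on the Compliance Rules tab only reads Yes once a remediation script exists on the setting and the remediation option is ticked on the rule.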