Today I created an SCCM 2012 DCM rule to verify that all services set to Automatic are actually started. Sounds easy, but there are some catches.
The interesting part, however:
-> As soon as you add a remediation script to your CI, it will always show up as compliant.
Baseline 1, without remediation:
Shows up as non-compliant (which is correct).
As you can see, the output presented by the script is “Incompliant” and the rule expects “Compliant”, so we’re in an error state.
Now we add the remediation script:
And perform the exact same evaluation (after a policy refresh):
You’ll see that the rule now reports as compliant, because it automatically assumes the remediated value is “Compliant”.
Since there was logging attached to the PowerShell script we can see the following. First of all, I used the script name as the log file name, and apparently the PowerShell script name is regenerated each time the DCM rule is evaluated, so use a hardcoded log file path instead.
The remediation script logs the same output: Incompliant.
So my guess is that the detection rule is not re-evaluated after remediation, so the state is simply assumed to be compliant.
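For reference, here is an added example of what the discovery and remediation scripts for such a CI can look like; it is not the post's own code. The log path and the exclusion list are assumptions to adjust for your environment, and the discovery output is what the CI compares with "Compliant".

```powershell
# Added example (not the post's own scripts). Log path and exclusions are assumptions.
$LogFile = 'C:\Windows\Temp\DCM-AutoServices.log'   # fixed path: the SCCM-generated script name changes per evaluation
$Exclude = @('sppsvc', 'ShellHWDetection')          # Automatic services that stop themselves by design (assumed list)

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $LogFile -Append -Encoding ascii
}

function Get-StoppedAutoService {
    # Win32_Service reports StartMode 'Auto' for services set to Automatic
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Where-Object { $Exclude -notcontains $_.Name }
}

# ---------- Discovery script: the CI compares this output with "Compliant" ----------
$stopped = @(Get-StoppedAutoService)
if ($stopped.Count -eq 0) {
    Write-Log 'Discovery: Compliant'
    Write-Output 'Compliant'
} else {
    Write-Log ('Discovery: Incompliant - ' + (($stopped | ForEach-Object { $_.Name }) -join ', '))
    Write-Output 'Incompliant'
}

# ---------- Remediation script: copy the helpers above into it as well ----------
# Starts each stopped Automatic service and logs the result per service. The post
# observes the CI reports Compliant afterwards regardless, so the log is the place
# to confirm whether the start actually succeeded.
foreach ($svc in Get-StoppedAutoService) {
    try {
        Start-Service -Name $svc.Name -ErrorAction Stop
        Write-Log "Remediation: started $($svc.Name)"
    } catch {
        Write-Log "Remediation: failed to start $($svc.Name) - $($_.Exception.Message)"
    }
}
```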
A solution could be to add the same rule twice:
-> Once with remediation, reporting no issues when non-compliant
-> Once without remediation, reporting Critical severity
Hmm.. this is not working: still Compliant after evaluation. So I added 2 settings and created a set of 2 Compliance Rules.
Much better: now I have a non-compliant state, but my repair script has executed.
We can see that Rule1 is evaluated and remediated but has not changed the compliance state.
Wow, this should have been easier to do, no?