Compliance to Validate GPO Settings

Here, I covered using ConfigMgr and Compliance to check that the Windows Defender service, Real-Time Protection and the latest definition updates are monitored, and to remediate if they become out of date. That demonstrated a fraction of ConfigMgr Compliance's capabilities. The example was targeted at Windows Defender and created manually; creating potentially hundreds of items by hand to represent GPO settings would be slow and laborious. There is an easy means of backing up GPO settings, exporting them from the domain and importing them into ConfigMgr. Security Compliance Manager (SCM) will be required; it is being deprecated by Microsoft with no current alternative for exporting to ConfigMgr, but for now it is still available.

I'm going to assume SCM and RSAT have been installed.

Open Group Policy Management, browse to 'Group Policy Objects' and select the GPO that is applied to the Windows 10 workstations.

Right-click the GPO and select 'Backup...'

Open SCM and, on the right-hand side under 'Import', click on 'GPO Backup (Folder)'

Browse to the GPO backup; the root folder will be a GUID, so select that folder.

Provide a meaningful name

Select the newly imported baseline and, on the right-hand side under 'Export', click on 'SCCM DCM 2007 (cab)'

Associate the baseline with the product that has the highest number of unique settings, to minimise loss of settings.

Save the cab file

Open the ConfigMgr console and, under 'Assets and Compliance', right-click on 'Configuration Items'; either create a folder first or proceed directly and select 'Import Configuration Data'

Click 'Add' and select the cab file

Click 'Yes' to the warning message

Complete the import wizard.

The GPO settings will have been imported, and the import also creates the 'Configuration Baseline'


Taking a look at the 'Settings' tab for Windows Defender, you can interrogate the items being validated.

The configuration items are imported with a specified OS that is not compatible with my current version of Windows, so for each and every item the 'Supported Platforms' requires updating to .....

Right-click on the baseline and select 'Deploy'

Browse to the target collection, in my case 'All Workstations'

Don't check 'Remediate noncompliant rules when supported': these settings are managed by GPO, and the two would end up fighting each other.

Set the number of days to something more suitable

Log on to the client and run the 'Machine Policy Retrieval & Evaluation Cycle'

Select the 'Configurations' tab, click on the new baseline and then 'Evaluate'

Review the report and fix any issues.

As an example, where the 'Supported Platforms' had not been updated for the correct OS, the items produced a 'Not Detected' error.

To check compliance across the enterprise, run the 'Summary Compliance by Configuration Items for a Configuration Baseline' ConfigMgr report.
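The scriptable ends of the procedure above, as an added PowerShell example that is not part of the original post: backing up the GPO for SCM to import, importing the cab SCM exported and deploying the baseline without remediation, and on the client triggering the policy retrieval cycle, evaluating the baseline and reading back its state. The SCM import/export itself remains a GUI step. The GPO name, backup and cab paths, site code, baseline name and collection name are placeholder assumptions and must match your own environment; the function names are my own.

```powershell
# Added example, not part of the original post. All names and paths below are
# placeholder assumptions for an environment like the one described above.

# --- Admin workstation with RSAT: back up the GPO for SCM to import ---
function Backup-WorkstationGpo {
    param(
        [string]$GpoName    = 'Windows 10 Workstations',  # placeholder GPO name
        [string]$BackupRoot = 'C:\GPOBackup'              # placeholder backup path
    )
    Import-Module GroupPolicy
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    # Backup-GPO writes a sub-folder named after the backup GUID; that GUID folder
    # is the one SCM's 'GPO Backup (Folder)' import expects you to select.
    $backup = Backup-GPO -Name $GpoName -Path $BackupRoot -Comment "For SCM import $(Get-Date -Format s)"
    return (Join-Path $BackupRoot "{$($backup.Id)}")
}

# --- ConfigMgr console host: import the cab exported by SCM and deploy the baseline ---
function Import-AndDeployBaseline {
    param(
        [string]$CabPath        = 'C:\SCM\WorkstationBaseline.cab',  # placeholder cab from SCM
        [string]$SiteCode       = 'PS1',                             # placeholder site code
        [string]$BaselineName   = 'Windows 10 Workstations',         # name given to the baseline in SCM
        [string]$CollectionName = 'All Workstations'
    )
    # The ConfigurationManager module ships with the console; SMS_ADMIN_UI_PATH points at its bin\i386 folder.
    Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
    Push-Location "$($SiteCode):"
    try {
        Import-CMConfigurationItem -FileName $CabPath -Force
        # -EnableEnforcement $false leaves 'Remediate noncompliant rules when supported'
        # unchecked, so the GPO stays the only thing writing these settings.
        New-CMBaselineDeployment -Name $BaselineName -CollectionName $CollectionName -EnableEnforcement $false
    }
    finally { Pop-Location }
}

# --- ConfigMgr client: policy retrieval, baseline evaluation and the result ---
function Invoke-MachinePolicyRetrieval {
    # Schedule ID ...21 is the 'Machine Policy Retrieval & Evaluation Cycle' action in the client applet.
    Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null
}

function Get-ClientBaseline {
    param([string]$DisplayName)
    # Baselines that have reached the client live in the DCM agent namespace.
    Get-CimInstance -Namespace root\ccm\dcm -ClassName SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -eq $DisplayName }
}

function Invoke-BaselineEvaluation {
    param([string]$DisplayName = 'Windows 10 Workstations')
    $b = Get-ClientBaseline $DisplayName
    if (-not $b) { throw "Baseline '$DisplayName' is not on this client yet; retrieve machine policy first." }
    # Equivalent to clicking 'Evaluate' on the Configurations tab; named arguments avoid ordering mistakes.
    Invoke-CimMethod -Namespace root\ccm\dcm -ClassName SMS_DesiredConfiguration -MethodName TriggerEvaluation `
        -Arguments @{ Name = $b.Name; Version = $b.Version } | Out-Null
}

function Get-BaselineResult {
    param([string]$DisplayName = 'Windows 10 Workstations')
    $b = Get-ClientBaseline $DisplayName
    # Assumed mapping: LastComplianceStatus 1 = Compliant, 0 = Non-compliant; anything else is
    # treated as not yet evaluated. Confirm against the Configurations tab on your own client.
    $state = switch ($b.LastComplianceStatus) { 1 { 'Compliant' } 0 { 'Non-compliant' } default { 'Not evaluated' } }
    [pscustomobject]@{ Baseline = $b.DisplayName; Version = $b.Version; State = $state; LastEval = $b.LastEvalTime }
}

# Typical client run: pull policy, give it time to land, evaluate, then read the result.
# Invoke-MachinePolicyRetrieval; Start-Sleep -Seconds 60; Invoke-BaselineEvaluation; Get-BaselineResult
```

A 'Not evaluated' or missing result after the policy cycle usually means the baseline has not reached the client yet, or that the 'Supported Platforms' on the imported items still exclude the client's OS, which surfaces as the 'Not Detected' error mentioned above.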