May 20, 2015

SCCM 2012 R2 - IE11 Local Intranet Zone

Task: Get a list of workstations with Internet Explorer 11 installed. Propagate the Local Intranet web sites list to clients.

Configuration steps:
1. Enable Software Inventory. Go to "Administration - Client Settings" and change the policy by selecting the "Software Inventory" check-box. Under the Software Inventory tab, specify "iexplore.exe" as a file type.

2. Create a device collection. Specify a query on the membership rules tab with the following criteria
Optionally, you can edit the query to select the Operating System Version, or specify a "Limiting collection" on the General tab of your collection. Also, do not forget to enter the product name, because otherwise this query will show all software with version 11 across production.

3. Create "Configuration Item". 
Setting type: Script
Data Type: String
Discovery script (PowerShell):

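$Compliance = 'Non-Compliant'
# Matches any key under Domains that has both http and https set to 1 (zone 1 = Local Intranet)
$Check = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*" | Where-Object {$_.http -eq "1" -and $_.https -eq "1"}
If ($Check) {$Compliance = 'Compliant'}
# Return the result so the compliance rule can evaluate it
$Compliance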

Remediation script (PowerShell):

# /f overwrites existing values without prompting, so the script cannot stall when run unattended
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*" /t REG_DWORD /v http /d 1 /f
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*" /t REG_DWORD /v https /d 1 /f

Select "Run scripts by using the logged on user credentials", so that HKCU refers to the logged-on user's registry hive rather than the SYSTEM account's.

Under the "Compliance Rules" tab, select Rule Type: Value. Set the condition to: The value returned by the specified script - Equals - Compliant.

Do not forget to select "Run the specified remediation script when this setting is noncompliant".

4. Create a Configuration Baseline and select the Configuration Item that we created. Deploy the baseline to the collection.
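
The discovery and remediation logic from step 3, generalized to an explicit list of sites. This is an added example, not part of the original post; the domain names, variable names and function names are assumptions. It goes beyond the post's single wildcard check by verifying every listed site and protocol individually, so an unrelated entry under Domains cannot make the client report Compliant.

```powershell
# Added example; the site names below are constructed placeholders.
$ZoneMapRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$IntranetZone = 1                       # 1 = Local Intranet
$Protocols    = 'http', 'https'
# Key names relative to ZoneMap\Domains: 'domain' or 'domain\subdomain'.
$Sites        = 'corp.example', 'example.test\portal'

function Get-MissingZoneMapping {
    # Returns one object per site/protocol pair that is absent or mapped to another zone.
    foreach ($site in $Sites) {
        $key   = Join-Path $ZoneMapRoot $site
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($proto in $Protocols) {
            if ($null -eq $props -or $props.$proto -ne $IntranetZone) {
                [pscustomobject]@{ Site = $site; Protocol = $proto; Key = $key }
            }
        }
    }
}

function Set-ZoneMapping {
    # Remediation: create only the keys and DWORD values that are missing or wrong.
    foreach ($gap in @(Get-MissingZoneMapping)) {
        if (-not (Test-Path -LiteralPath $gap.Key)) {
            # -Force creates missing parent keys; the Test-Path guard avoids
            # recreating (and emptying) a key that already exists.
            New-Item -Path $gap.Key -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $gap.Key -Name $gap.Protocol `
            -Value $IntranetZone -PropertyType DWord -Force | Out-Null
    }
}

# Discovery script body: emit the string the compliance rule compares against.
if (@(Get-MissingZoneMapping).Count -eq 0) { 'Compliant' } else { 'Non-Compliant' }
```

For the remediation script, use the same definitions and replace the last line with a call to Set-ZoneMapping.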
