Why Cloud Management Gateway Is So Important Now

With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).

By utilizing the CMG, your business has an alternative to IBCM that most would consider a significant upgrade. This creates a favorable environment that allows your organization to eliminate the obstacles of having a remote workforce. Needless to say but the CMG can play a massive role in your organization and its importance is certainly worth discussing.

Requirements

Before you can use the Cloud Management Gateway you need to meet the following requirements:

  • An Azure subscription to host the CMG,
  • You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
  • During the initial creation of certain components, the participation of an Azure admin is needed,
  • You need at least one on-premises Windows server to host the CMG connection point,
  • A server authentication certificate for the CMG,
  • There needs to be an integration of the site with Azure AD to deploy the service with Azure Resource Manager,
  • Depending on your client OS version and authentication model, other certificates may be required,
  • Clients are required to use IPv4.

When is it useful?

There are several scenarios where the CMG could come in handy and they include the following:

  • For management of traditional Windows 10 clients using modern identity which can either be hybrid or pure cloud domain-joined with Azure AD.
  • For management of traditional Windows clients with Active Directory domain-joined identity. The clients included are Windows 8.1 and Windows 10.
  • For installation of the Configuration Manager client on Windows 10 devices over the internet.
  • For new device provisioning with co-management.

Benefits to your business

CMG enables your Enterprise admins to perform several actions. Among the things they can do, they can manage the following over the internet:

  • Push software updates and enable endpoint protection,
  • Inventory and client status,
  • Compliance settings,
  • Software distribution,
  • Windows 10 in-place upgrades,
  • Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.

Eliminates complications

Although Internet-based client management (IBCM) has been around for years, a lot of users tend to find it complicated. CMG aims to be a simpler solution. It is an Azure-hosted service that manages internet-based clients through a new role called the cloud management gateway connector point.

By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.

Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.

Manage internet clients

Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.

However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.

Furthermore, it doesn’t require you to buy any additional IT infrastructure. So unlike IBCM that would need additional hardware that you need to maintain, for the CMG you just need to have Azure.

Strengthen your security

The moment you have systems that are not directly connected to your IT infrastructure, your data security is at an increased risk. This is particularly evident with remote work.

Although a lot of businesses have responded by using VPNs, you cannot adequately protect workstations through VPN channels. Hence the importance of the Cloud Management Gateway.

With it, you can better manage devices connected to the Internet and thus improve your corporate security posture. This is further enhanced by the fact that you can leverage Microsoft Azure services so that there is no need to expose your infrastructure to the internet.

Cost management

Whenever you use cloud services, you will incur costs associated with your usage. And the Cloud Management Gateway is no exception. Fortunately for clients, Microsoft intends to help you to keep those costs under control. You can do this through client settings, for instance, where you can determine which clients can access the CMG.

Another feature you can leverage is virtual machine configuration. The latter enables you to choose between 1 and 16 virtual machines per instance of Cloud Management Gateway. Also, if you want to, you can stop the CMG so that it’s no longer serving clients.

Therefore, to optimize user experience for all clients, the CMG helps to reduce the unavoidable costs that come with cloud services.

Constantly evolving

Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.

This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:

  • Traditional PC management (Windows 7, 8.1, 10),
  • Modern PC management (Windows 10 with modern identity),
  • Internet client installs.

Wrap up

Every organization should be looking for ways to make the most of its IT investments. Thus from the information available, we can see that every environment that uses ConfigMgr can benefit from using the Cloud Management Gateway. And you can leverage the CMG for clients all across the globe. The convenience that this provides you cannot be overstated. As the world changes and technology evolves, we need platforms that can help organizations to become more efficient and enhance productivity.

Benefits of Being Able to View Hardware Inventory in MEM

In July 2020, Microsoft announced the release of update 2007 for the Technical Preview Branch of Microsoft Endpoint Configuration Manager (MECM). And with that, came a feature that now allows you to view hardware inventory for a tenant-attached Configuration Manager device in the admin center. With most pieces of hardware in offices today being connected to the internet, being able to view hardware inventory is extremely important. Microsoft Endpoint Manager (MEM) now offers that capability and thus gives your business several advantages.

Getting set up

Before you can use this feature, there are several requirements that you will need to meet:

  • You need to have an environment that’s tenant attached with uploaded devices,
  • You need either Microsoft Edge (version 77 and later) or Google Chrome,
  • You need a user account that has been discovered with both Active Directory user discovery and Azure Active Directory (Azure AD) user discovery. Simply put, this means that the user account should be a synced user object in Azure.

In addition, the user account will require the following permissions:

  • Admin User role for the Configuration Manager Microservice application in Azure AD. This role will be added in Azure AD from:

Enterprise applications  >  Configuration Manager Microservice  >  Users and groups  >  Add user.

If you have Azure AD premium, groups will be supported.

Network security

The security of your network should be something of great concern. Especially in a world where cybercrime is increasing at an alarming rate. Having said that, we can begin to see why a hardware inventory in MEM feature could come in very handy.

Keeping track of all the hardware in your organization is no mean feat. Particularly for businesses that have also employed bring-your-own-device (BYOD) policies.

You need to have a system that can readily provide you with the necessary information on all devices. This helps your IT team to maintain high levels of network security, prevent breaches, and manage any potential issues that may arise.

Optimize productivity

By leveraging the hardware inventory feature in Microsoft Endpoint Manager, you can keep track of how devices are performing. The last thing your organization needs is to have computers worth tens of thousands of dollars operating at subpar levels.

With accurate information on hardware inventory, you can easily see how the devices in your organization are performing. You can then address any issues that may arise to ensure that productivity is optimized from top to bottom. If you are going to invest in expensive, high-tech devices, you need them to operate as they should.

Reduce overhead costs

Well-managed IT infrastructure can help your organization to reduce overhead costs. The ability to view hardware inventory in MEM is going to give IT a bird’s eye view of all your IT infrastructure. And this enables you to effectively manage all hardware from procurement till retirement.

Doing this will cut your costs by doing away with issues such as IT overspend and non-compliance. Working in this manner will fully optimize your productivity, as mentioned above, which all businesses will be happy with.

Lifecycle management

MEM’s view hardware inventory feature helps you to keep track of hardware from purchase, how it is used, and finally to its retirement. With this kind of actionable data readily available, it simplifies the decisions that you will need to make in the future such as new purchases, upgrades, and so on.

Moreover, you can easily keep track of contracts with vendors and thus know when to renew those contracts or make purchase orders. All these things add significant benefits to your business by increasing operational efficiency while minimizing risks.

Enhance IT efficiency

If there is anything that is abundantly clear from what your organization will gain from MEM’s view hardware feature it’s that it will simplify life for IT teams. Significantly. With the data available to them, it makes it far less likely for any issues to arise during audits. Also, it creates less workload by eliminating the need for manual tracking and scanning of devices. Your IT department will inevitably operate more efficiently by being able to easily keep tabs on all hardware.

Asset protection

Another key advantage that comes with being able to keep track of your organization’s hardware is increased asset protection. Keeping track of devices allows you to not only get performance-related data but location data as well.

And having this information will help to mitigate the risk of loss or theft of devices. Therefore, utilizing the view hardware inventory in MEM tool helps your organization to easily stay on top of the work status of an asset, its physical location, and disposition.

Better overall governance

Viewing hardware inventory is going to give you an increased degree of visibility. Because of the accurate data at your disposal concerning your IT infrastructure, you’ll have a better handle of key assets. Therefore, they are less likely to be misplaced, misused, or underutilized.

And so with all these advantages, it simplifies the process of coming up with more effective governance protocols. This is something that will hugely benefit the entire organization from top to bottom and not just your IT department.

Keeping track of assets

There’s no denying that keeping tabs on your hardware is just as important as the software management side of things. After all, technology is a huge investment for any business. And so how you keep track of your hardware will inevitably affect your bottom line.

Having real-time, accurate information about your assets goes a long way in the optimization of productivity. Not to mention enhancing the overall security of your business. Viewing hardware inventory in Microsoft Endpoint Manager is an incredible tool that should help your business become more efficient. The benefits are clear for us all to see.

Microsoft Endpoint Configuration Manager: Latest Improvements to the Product Lifestyle Dashboard

Information is key for any business to function optimally. That is why there has been such a massive increase in the use of big data during the last decade. But, this information is not only that which you can obtain externally, it’s also information concerning your internal operations. And this is where Microsoft’s Product Lifecycle Dashboard enters the fray.

It simplifies the way your organization functions by providing you with information concerning all the products that you have installed on devices that are managed by Microsoft Endpoint Configuration Manager. This is a fantastic feature that has had some improvements added to it and that is what we’ll be going over below.

Getting started

Microsoft has made a few changes over the years and from version 1806 you’ll now be able to use the Configuration Manager product lifecycle dashboard to view the Microsoft Lifecycle Policy. So what exactly does this ‘dashboard’ do?

The Product Lifecycle Dashboard is a tool that shows you the state of the Microsoft Lifecycle Policy for Microsoft products installed on devices managed with Microsoft Endpoint Configuration Manager.

Not only that, but you also receive data concerning the various Microsoft products in your environment, supportability state, and support end dates. Therefore by using both Asset Intelligence and the Asset Intelligence Synchronization Point, the dashboard can give you a clear overview of the lifecycle of each product.

By using the dashboard, you can easily find out what support is available for each product. With this information in hand, it will allow you to plan accordingly and update all products before their support expires. And then from version 1810, the dashboard also adds information for System Center 2012 Configuration Manager and later.

What are the requirements?

As a product continues to improve, the requirements to use that product will also expectedly change. For you to see data in the product lifecycle dashboard, you need the following:

  • Internet Explorer 9 or later
  • You need to install and configure a service connection point role. And the latter must be online or synchronized regularly if offline.
  • For hyperlink functionality in the dashboard, you need a reporting services point.
  • You need to configure and synchronize the asset intelligence synchronization point.

Using the dashboard

This tool is designed to make it easier for your organization to have access to up-to-date data about the products that you are using. And by leveraging the inventory data that the site collects from managed devices, the dashboard displays information about all current products. However, not all versions are supported. Only Windows Server 2008 and later, Windows XP and later, SQL Server 2008 and later, will have information displayed for OSs and SQL Server. To access the lifecycle dashboard in the Microsoft Endpoint Configuration Manager console:

1) Go to the Assets and Compliance workspace,

2) Expand Asset Intelligence,

3) Select the Product Lifecycle node.

What else do you get?

Clients will find that from the newer version of SCCM 1902, they’ll get information for installed versions of Office 2003 through Office 2016. And this data is available after the site runs the lifecycle summarization task, which is something that occurs every 24 hours. In addition, you can also benefit from using the dashboard even if you don’t have Configuration Manager. You can use Azure Monitor Logs to provide a Dashboard to help with managing the supportability of your environment.

Upgrading products

Taking a simple look at your dashboard will allow you to see any products that need to be updated urgently. When you have several computers to deal with and you need to know which ones need upgrades, all you need to do is click on the hyperlinks found in the Number in environment column and that will show you a report.

And doing this will direct you to the Lifecycle 01A – Computers with a specific software product report. This is a huge improvement when you consider that in the past you had to investigate problem clients individually to find out whether or not an upgrade was needed.

Reports in the product lifecycle set

In addition to the dashboard, you have additional reports that are available as well. These you’ll find in the Microsoft Endpoint Configuration Manager console, where you then go to Monitoring workspace and you expand Reporting. The new reports, which are found under the Asset Intelligence category are as follows:

  • Lifecycle 01A – Computers with a specific software product: You can see a list of computers on which a specified product is detected.
  • Lifecycle 02A – List of machines with expired products in the organization: This report, which you can filter by product name, shows you all the computers which have expired products on them.
  • Lifecycle 03A – List of expired products found in the organization: View details for products in your environment that have expired lifecycle dates.
  • Lifecycle 04A – General Product Lifecycle overview: Here you can see a list of product lifecycles and filter the list by product name and days to expiration.
  • Lifecycle 05A – Product lifecycle dashboard: From version 1810, this report will have similar information as the in-console dashboard. All you have to do is choose a category to view the count of products in your environment as well as the days of support remaining.

Wrap up

Every organization needs products that will help them to optimize their time. And as the number of available products increases, the choice of which product to go for becomes harder. Microsoft’s Product Lifecycle Dashboard gives your business many benefits that businesses have needed for a long time.

Reduce the time you spend trying to keep track of all the products you have installed on countless devices with a simple, easy to use dashboard. If you’re looking for a tool that gives you a more efficient way of device management, then the Product Lifecycle Dashboard is one that is certainly worth a look.

Automate Configuration Manager Application Creation

A simple example to automate the application creation process in ConfigMgr.

RebootBehavior set to NoAction, Accepted values: BasedOnExitCode, NoAction, ForceReboot, ProgramReboot
AutoInstall $true – indicates whether a task sequence action can install the application
Added Action to Distribute the Content to the DP Group at the end

Checklist:

  • Application Name
  • With a deployment type: Same application name
  • Content Location
  • Installation Program
  • Uninstall program
  • Repair Program
  • Detection method (a specific MSI Product code)
  • User expierence: Install for system if resource is device; otherwise install for user
  • Logon requirement: weather or not a user is logged on

    Published on Github:

https://github.com/ThomasMarcussen/assortedScripts/blob/master/Create_SCCMApplication_1.0.1.ps1

SMS_SITE_BACKUP failed. Please see previous errors.

I ran into this issue, where after sometime the SMS Build-in backup function would fail.
When running the SMS_SITE_BACKUP from Window Services (services.msc) it would fail with some of the following errors:

SMS_SITE_BACKUP failed. Please see previous errors.

Error: SMS Writer service either does not exist or is not running .

Error: GatherWriterMetadata failed.

SMS_SITE_BACKUP failed. Please see previous errors.

STATMSG: ID=5060 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_SITE_BACKUP” SYS=Server001.domain.com SITE=PS1 PID=67372 TID=61212 GMTDATE=Thu Dec 10 01:20:41.530 2020 ISTR0=”Error: GatherWriterMetadata failed.” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS

Resolution:
List the VSS writers available with the following command: VSSADMIN list writers
If you find the SMS Writer to be missing run the following commands:

Net stop SMS_SITE_VSS_WRITER
Net start SMS_SITE_VSS_WRITER

This should add it back to the list as shown below. Now restart you SMS_SITE_BACKUP (can be done form services.msc) and review the logfile: smsbkup.log. it should now be running.

The issue here was caused by another backup solution using the Volume Shadow Copy Service (VSS). So fixing also required the other solution to be removed/reconfigured.

List Packages that run in user context (Run with user’s rights)

Introduction

After last weeks post with the script sample to list Packages that run in user context, there where some good feedback from people still using packages, and requiring a list of packages that install within the user context (Run with user’s rights / Execution mode as user)

It seemed that many was still using Packages, either as a result of legacy migration or to avoid some application re-packaging.

So here is the followup post, with a new script to list all packages and package with programs that run in user context.

From my point of view, its still the same; Using PSADT pretty much any package can be converted to be installed as system, and the needed stuff (registry keys, files etc) in the user context can be added in a structured and controlled way.

I do still come across some applications that i would prefer to have in MSI with all settings etc added, at least for simplicity, for those packages I still prefer to use Advanced Installer.
When talking Advanced Installer, they also have a great support for MSIX, that makes to process so much easier and cost efficient.

This script will list all packages with programs, that is configured to install as user (within the user context)

All you need to do is configure the path to your import module and set the site code.

A file will be created in “C:\TEMP\Packages_and_Programs_Run_Mode_List.csv” with the following format:

“Package Name”,”Package ID”,”Program Name”,”Run with USER’s right”
“My Application”,”BB10001D”,”execute”,”TRUE

With the example above we have a package ‘My Application’ that has a run mode configured: Run with user’s rights

Properties on the program, where the program run enviroment is configured to Run with Users’s rights


Download the script from TechNet Galleryhttps://gallery.technet.microsoft.com/Generate-a-list-of-d8778d4c?redir=0



List Applications that run in user context (Install for User)

Introduction

When deploying applications sometimes they are created to install within the active users context.
This means that the actual installation requires the users to have the needed permissions to the filesystem, registry and etc.
In some cases local administrative rights are needed to perform the application installation, this is not a good practice.

As applications mature for the modern design of the Windows Operating System or we choose to remove the users administrative rights due to security reasons, we may need to list and change the behavior of existing Applications.

This script was created to list applications that is configured to run with Installation behavior: Install for User

The actual output will end up in the export csv file

Script Download Get_Application_USER_Context_List



Today with the modern management tools and applications, the users should not have local administrative rights on a permanent basis.
Most, if not all applications can be repackaged to deploy without the need for administrative rights.



Useful links:

PowerShell Application Deployment Toolkit: https://psappdeploytoolkit.com
Advanced Installer: https://www.advancedinstaller.com/
Access Director Enterprise: https://ctglobalservices.com/access-director-enterprise/



Configuration Manager 1810 Installation – Prerequisite Check – SQL Server Native Client Version

I came across this error while adopting the Configuration Manager 1810 (Early Update Ring)

[Completed with warning]:Verifies that the version of Microsoft SQL Server Native Client installed on the site server meets the minimum requirements to enable TLS 1.2 support. https://go.microsoft.com/fwlink/?linkid=2026746

I was apparently running an older SQL Native client version, that did not support TLS 1.2 which is required for ConfigMgr 1810.
Review your SQL versions and update to a version that supports TLS 1.2:

This link provides information about the updates that Microsoft is releasing to enable TLS 1.2 support for SQL Server 2017 on Windows, SQL Server 2016, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014. This article also lists supported client providers.

Download and install the correct update for your existing SQL version.
Reboot and proceed with the 1810 update.

If your looking for the ConfigMgr 1810 package to enable early update ring follow this link

The package adds your hierarchy or standalone primary to the early update ring for Update 1810 for the current branch of System Center Configuration Manager. The package is signed and bundled inside a signed self-extracting executable.

Note: The 1810 update is only applicable to 1710 and higher versions of System Center Configuration Manager

Windows 10 Registry tweak to disable Microsoft Edge Icon for MDT or ConfigMgr

The icon for Microsoft Edge is now placed by default in every user profile.
It is not placed in Public Desktop, but created for each user at logon (DOH!)

Thank god there is way to stop this behavior.

You can simple add the following registry key:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
Value: DisableEdgeDesktopShortcutCreation
Data: 1
Type: REG_DWORD

If your using MDT (Microsoft Deployment Toolkit) or ConfigMgr (System Center Configuration Manager)
You can add the following oneliner task sequence step, to stop the creation of the Microsoft Edge icon.
Commandline: reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer /v DisableEdgeDesktopShortcutCreation /t REG_DWORD /d 1

In case your wondering what i have in the steps to disable Cortana, let me share them:

Registry tweaks for Build and Capture or Windows 10 Deployment task sequences

Disable Cortana Voice:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v DisableVoice /t REG_DWORD /d 1

Disable Cortana Search:
reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search” /v “AllowCortana” /t REG_DWORD /d 0 /f

Disable Cortana Search Box:
reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search” /v “SearchboxTaskbarMode” /t REG_DWORD /d 0 /f

Using SCCM CI Baseline to check for expiring user certificates

The topic is almost self explaining.

You need to monitor specific user-based certificates, to avoid a situation where they have already expired.

You can add this to your daily security compliance checklist.

Prerequisites for running CIs can be found here: Compliance Baseline prerequisites

  1. Create Configuration Item

Go to Assets and Compliance, Compliance settings Configuration Items, right click and select Create a new configuration item:

Create Configuration Item

Provide the name CI – Script – USER CERT Expiration check, leave the configuration item type as Windows and press Next:
Configuration Item Wizard

Optionally you can provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console.

Select the OS where this configuration item assumes to be applied and click Next
client operating systems that will assess this configuration item for compliance

To create Configuration Item, click New:
Create Configuration Item Wizard

Type in the name CI – Script, from drop down of settings type select Script and data type as String.

There are two options to specify where a script would reside

– Discovery Script

– Remediation Script

Remediation is not handled in this post.

To place discovery script since to evaluate compliance, click on Add Script.

Please note that this script needs to be runin the logged-on user context, therefore please check “Run scripts by using the logged on user credentials”

Create Setting

Select script language as Windows PowerShell and type in the script (see attached USER_CERT_Expiration _Discovery.ps1) in the Script field:
Edit Discovery Scripts

#

$Compliance = ‘Compliant’

$Check = get-childitem -path cert:\currentuser -recurse | where-object {$_.thumbprint -eq ‘‎‎‎‎‎‎245c97df7514e7cf2df8be72ae957b9e04741e85’}| where { $_.notafter -le (get-date).AddDays(30)}

If ($Check) {$Compliance = ‘NonCompliant’}

$Compliance

#

Script download: USER_CERT_Expiration _Discovery

and click OK

Click Next

Specify settings for this operating system

After the script is in place, you can click the “Compliance Rules” tab. Now compliance rule needs to be created. This rule will determine how the compliance is reported once the script runs on a computer (based on how the compliance a machine could be either Compliant or NonCompliant).

 

Click on New

Specify complance rules for this operating system

Type in the comSpecify rules to define compliance conditions for this settingpliance rule name and click on Browse:

Select the name of the configuration setting that just created (if not already selected and then click on Select):
Select a setting for this rule

In the Rule Type select Value and then select if the value returned is Equals to Compliant.

Click OK

Click Next
Use compliance rules to specify the condition that make a configuration item setting compliant

Next screen presents the summary of the settings, if any changes are needed then you can go back and make changes here. Click Next.

create an operating system configuration item with the following settings

Configuration Item is ready now.
The Create Configuration Item Wizard completed successfully

Next step is to create Configuration Baseline.

  1. Create Configuration Baseline

Right click Configuration baseline and create configuration baseline.
Create Configuration Baseline

Type the name of configuration baseline CB – Script – USER CERT Expiration check. Click on add and select configuration item from drop down menu.
Specify general information about this configuration baseline

Please make sure that Purpose set to Required!

Select the configuration item just created and click OK. This would finish creating configuration baseline.

Add Configuration Item

Now it is time to deploy this base line to relevant Users Collection(-s).

  1. Deploy the Configuration Baseline

    Go to configuration baseline and right click and select Deploy.
    Deploy Configuration Baseline

Select the configuration baseline CB – Script – USER CERT Expiration check.

Browse and point it to targeted Users collection (its recommended to run it for some limited collection for testing before deployment to production)

Change the evaluation schedule as per as your requirements (taking in consideration that in case of it seems to be critical for your environment, in production running this CB probably once a day is recommended)

Again, the key thing here is to be sure that you deploy this CB to users and not to your systems!

Select the configuration baseline that you want to deploy to a collection

Click OK

Note: When the configuration baseline is deployed, please allow that it can be evaluated for compliance within about two hours of the start time that you schedule.

  1. Verify that a device has evaluated the Configuration Baseline

To check it on a Windows PC client (general recommendation to do it for all targeted OS client types)

On a Device, go to Control Panel, System and Security and open the Configuration Manager applet. In the Configurations tab you’ll see what Configuration Baselines the client will evaluate at its specific schedule. Click on configurations and click on “Evaluate”, “Refresh” and then “View Report”.
As shown in the pictures below, Configuration Baseline was evaluated to be Compliant or Not
Configuration Manager Properties

Report view

Report view, non-compliant