We will use an SCCM Configuration Item to detect whether a Windows 11 device is blocked from an upgrade. We will check this with the help of a registry key. Hello Everyone!!! Here we come with another post about Configuration Items and Configuration Baselines in SCCM.
The Configuration Item and Baseline can be used to check compliance settings for users and devices. In a larger environment migrating from one Windows 10 or 11 version to another, we may be required to check the compliance settings of OS versions, driver versions, application versions, user information, etc. If we find any noncompliant devices or users, we can use CI and CB for remediation.
Configuration Items are widely used in the SCCM world to identify software updates, application models, etc. We can use a CI to handle device settings. CIs are not deployed directly to collections but can be deployed via a CB. A Configuration Baseline in ConfigMgr is a collection of CIs and Configuration Baselines (CBs). A CB can include one or more CIs to be deployed to device and user collections.
Now let’s start with our post. With the help of a Configuration Item and Configuration Baseline in SCCM, we will detect whether a Windows 11 device is blocked from an upgrade using the SCCM console. We will try to explain this in a very simple way, making use of a registry key.
Prerequisites for SCCM Configuration Item
Before beginning, you must ensure that the Configuration Item-related client agent policies are enabled and working. To check this, you need to open the client settings from the Administration workspace.
Follow the steps mentioned below to confirm whether everything is configured as expected for CI and CB to work!
- Navigate to \Administration\Overview\Client Settings.
- Open the Client Settings deployed to Windows 11 or 10 clients.
- Click on the Compliance Settings tab and check that Enable Compliance Evaluation on Clients = Yes, as shown in the below screenshot.
On the client side, you can open the Configuration Manager applet from the control panel or try running the following command from the RUN menu to open the ConfigMgr applet. Check the Components tab and confirm whether the Compliance and Settings Management component is ENABLED.
Windows 11 Safeguard Registry Settings
To check whether a machine is blocked from upgrading to the latest version, we need to check the state of the particular Registry Key at the below-mentioned path.
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2
In the picture shown below, the GatedBlockId value is highlighted. If this value’s data returns None, then the machine is not blocked from upgrading. So we need to create a CI-CB to check the state of this particular registry value.
NOTE! – I see Gary and Adam are very vocal on Twitter about this registry key and the Safeguard holds database, etc.
The following message will appear if your Windows 11 devices are caught behind the safeguard and the upgrade is blocked. You normally get this message from the Windows Update page: Windows 11, version 22H2 is on it’s way to your device. There’s nothing that requires your attention at the moment. Once update is ready for your device, you’ll see it available on this page.
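The registry check described in this section can also be run directly on a client. The following PowerShell is an added example, not part of the original post or of SCCM; the function name Get-SafeguardHoldState and its output fields are hypothetical, and the optional sweep over every subkey goes beyond the single NI22H2 key the post uses.

```powershell
# Added example: local check that mirrors the CI's "GatedBlockId = None" rule.
# Function name and output property names are illustrative, not SCCM-defined.
function Get-SafeguardHoldState {
    [CmdletBinding()]
    param(
        # Parent key of the path given in the article.
        [string]$BasePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators',
        # Target-release subkey; pass '' to evaluate every subkey that exists.
        [string]$Release = 'NI22H2'
    )

    $keys = @()
    if (Test-Path -LiteralPath $BasePath) {
        $keys = @(Get-ChildItem -LiteralPath $BasePath |
            Where-Object { -not $Release -or $_.PSChildName -eq $Release })
    }
    if ($keys.Count -eq 0) {
        # Same outcome as "Report noncompliance if this setting instance is not found".
        return [pscustomobject]@{
            Release = $Release; State = 'NonCompliant'
            Reason  = 'Key not found'; HoldIds = @()
        }
    }

    foreach ($key in $keys) {
        # GetValue returns string[] for a string array and string for a plain string.
        $raw   = $key.GetValue('GatedBlockId', $null)
        $ids   = @(@($raw) | Where-Object { $_ } | ForEach-Object { "$_".Trim() })
        $holds = @($ids | Where-Object { $_ -ne 'None' })

        if ($null -eq $raw)          { $state = 'NonCompliant'; $reason = 'GatedBlockId not found' }
        elseif ($ids.Count -eq 0)    { $state = 'NonCompliant'; $reason = 'GatedBlockId is empty' }
        elseif ($holds.Count -eq 0)  { $state = 'Compliant';    $reason = 'No block reported (None)' }
        else                         { $state = 'NonCompliant'; $reason = 'Upgrade blocked' }

        [pscustomobject]@{
            Release = $key.PSChildName
            State   = $state
            Reason  = $reason
            HoldIds = $holds
        }
    }
}

# Example call on the client being checked.
Get-SafeguardHoldState | Format-List
```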
Let’s Create a Configuration Item using SCCM Console
Now let’s move on to the SCCM console and create a Configuration Item for the registry key shown in the above image, to check whether the machine is blocked from upgrading. Open the Configuration Manager console and go to:
- Navigate to SCCM Console \ Asset and Compliance \ Compliance Settings \ Configuration Items
- Right-click on Configuration Items and select ‘Create Configuration Item’
After this, the Create Configuration Item Wizard will open. Provide the name of the CI in the Name box, select the option as shown below, and click on ‘Next’, as shown below in the image.
Here in the Supported Platforms tab, select the operating system version for which you want to create the CI. Here I am choosing Windows 11 and clicking on “Next”, as shown below.
Now, in the Settings Tab, click on New, as shown below in the image.
After clicking on New, the Create Setting dialogue box will open. In the General tab, enter the name in the Name box and click on Browse, as shown below.
Now you have to browse the path shown in the table below using the Registry tree. You can check the following registry key.
Hive Name | Key Name | Value Name | Data Type |
---|---|---|---|
HKEY_LOCAL_MACHINE | SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators\NI22H2 | GatedBlockId | String array |
Now, as you can see, we have edited the end part of the path, which is different, in the General tab. Now click on Apply and select the Compliance Rules tab, as shown below.
In the Edit Rule tab, check the options shown below:
- Report noncompliance if this setting instance is not found
Click Next on the Compliance Rules and Summary tabs and end the Create Configuration Item Wizard by clicking Close on the Completion tab.
Create Configuration Baseline using SCCM Console
Now let’s create an SCCM Configuration Baseline using SCCM Console. For this, go to:
- Navigate to SCCM Console \ Asset and Compliance \ Compliance Settings \ Configuration Baselines
- Right-click on Configuration Baseline and click on ‘Create Configuration Baselines’
In the Create Configuration Baseline Dialogue Box, enter the Name of the Baseline and click on Add to add the Configuration Item created earlier, as shown in the image below.
Now choose the Configuration Item created by you from the list as shown below, click on ADD, and press OK.
Also, don’t forget to tick the check box mentioning Always apply this baseline even for co-managed clients and click on OK as shown below in the image. If you don’t enable this option, you normally get the following error in DCMAgent.log.
CDCMAgent::CheckAgentEnabled - The Desired Configuration Management agent is not enabled due to co-management. Request will be ignored.
Agent is disabled. No action needed.
NOTE! – Co-management check box is required if your Windows 11 devices are co-managed and workloads are moved to Intune
Deployment of Configuration Baseline on Targeted Device Collection
After creating the Configuration Baseline, it will appear in the console, and now right-click on it and click on Deploy, as shown below in the image.
In the Deploy Configuration Baselines wizard,
- Tick the check box for Remediate noncompliant rules when supported
- Select Simple Schedule and set Run Every to 12 mins as shown below in the image. Please note that this can vary from one production environment to another. As I am performing this in my lab environment, I chose 5 mins.
After this, click on Browse to select the device collection as shown below.
Now choose the device collection as shown below in the image. Here I choose Windows 11 device collection for deploying the SCCM Configuration Baseline.
User Experience
Until now, we have created an SCCM CI (Configuration Item), then created an SCCM Configuration Baseline and deployed it to Windows 10 or 11 devices. To test the CI quickly on a lab device, you can manually initiate the machine policy either from Windows 11 or the console.
Now, when you log in to the Windows 10/11 device, open the Configuration Manager applet from the Control Panel and select the Action tab. Now choose the Machine Policy Retrieval & Evaluation Cycle and click on Run Now, as shown below in the image.
Now click on the Configurations tab and you will see your Configuration Item here in the list. Click on Evaluate, as shown below in the image. The moment you click Evaluate, it will check whether GatedBlockId is set to None or not. If it is set to None, then the system is open for upgrade. As you can see in the below image, it returns Compliant.
So, as you can see above, the Configuration Item and Configuration Baseline we created work absolutely fine on the Windows 11 device collection.
Troubleshooting SCCM Configuration Item and Baseline Deployment
Let’s have a quick look at the Troubleshooting parts of the SCCM Configuration Item and Baseline Deployment. As usual, you need to understand the logs related to SCCM CI & CB. Normally you can check all the SCCM log file details from the following post – SCCM Log Files Updated List Client and Server.
- CIAgent.log
- CITaskManager.log
- DCMAgent.log
- DCMReporting.log
- DcmWmiProvider.log
You can check the default SCCM reports available to track the progress of the SCCM Configuration Item. You also have the option to add non-compliant devices to a collection.
- Compliance history of a configuration baseline (Compliance and Settings Management)
- Summary compliance of a configuration baseline for a collection (Compliance and Settings Management)
- Summary compliance by configuration policies (Compliance and Settings Management)
- Summary compliance by configuration items for a configuration baseline (Compliance and Settings Management)
- Summary compliance by configuration baseline (Compliance and Settings Management)
Author
Abhinav Rana is working as an SCCM Admin. He loves to help the community by sharing his knowledge. He is a BTech graduate in Information Technology.