Santos Martinez, aka ConfigNinja, is back with a tip that illustrates how you can use compliance items to monitor – and optionally enforce – defined registry values. In this case, LegalNoticeText.

Hello All! ConfigNinja here writing about Legal Notices.

Yeah, this is the first window many of us see when we try to log on to our systems, but what if you need to ensure every machine is using the same message and that it hasn’t been deleted by the local user? I know your first thought will be to use Group Policy, and I agree – however, there are times we need to monitor or remediate this type of situation, not just replace the setting.

If you are looking to deploy a legal notice using GPO, take a look at this article:

http://blogs.technet.com/b/askds/archive/2008/02/08/deploying-legal-notices-to-domain-computers-using-group-policy.aspx

Let’s begin with our compliance setting approach. Since most of my time is spent with ConfigMgr, I was trying to find a good way to deploy this Legal Notice without having to create a script, or use any existing one. So I decided to create a Compliance Baseline to monitor a Compliance Item: this item will validate the use of the Legal Notice, and match an existing text.

To do this I went and created a Configuration Item.

In the ConfigMgr Console, click on the Assets and Compliance workspace.

In the Assets and Compliance workspace, expand Compliance Settings.

Right click Compliance item and click Create Configuration Item.

Enter a name and description for the configuration item, then click Next.

The next section of the wizard is Supported Platforms; just click Next on this part.

Once you are at the Settings section, click New and the following screen will show up:

While you are at this Create Setting dialog, click on Browse to find the registry entry we want to modify.

Browse to the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and select the value:

Legalnoticecaption

Select "This registry value must satisfy the following rule if present" and enter the notice information (I recommend copying and pasting it from Notepad).

Follow the same process again, this time for

Legalnoticetext

If you performed these steps correctly, you should then have 2 settings (making 4 compliance items) as part of the configuration item:

Select each item and click Edit to modify the setting, so that this Configuration Item not only monitors the value but also remediates it.

Each item should look like the screen above and below.

Once you finish both settings from the Configuration Item, click Next to finish and complete the item.

The next step will be to create a configuration baseline and deploy it to the collections.

Once you create the baseline, make sure you select the configuration item created earlier.

When you are performing the deployment, make sure you select "Remediate noncompliant rules when supported" and the correct collection.

Log on to your test machine and ensure the Compliance Baseline is there.

In this case it is already there but hasn’t been checked for compliance yet; just click Evaluate and wait.

If the Compliance State comes back as Non-Compliant, you have it set up to monitor only.

Once you change it to remediation you will see the following.

The next time you log on to the machine, you will see the Legal Notice during the logon process.
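To confirm on the test machine what the baseline evaluates, here is an added PowerShell example (not part of the original post or the downloadable baseline) that reads the same two registry values and reports whether each matches the expected text. The function name Test-LegalNotice and the placeholder strings are assumptions; the -Remediate switch needs an elevated session.

```powershell
# Added example: local check of the two legal notice values on a test machine.
# The strings in $Expected are constructed placeholders; use your own notice text.
function Test-LegalNotice {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        [hashtable]$Expected = @{
            legalnoticecaption = 'Example caption (placeholder)'
            legalnoticetext    = 'Example notice body (placeholder)'
        },
        [switch]$Remediate   # write the expected string back when a value differs
    )

    foreach ($name in $Expected.Keys) {
        # Returns nothing (so $item is $null) when the key or the value is absent
        $item   = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $actual = if ($item) { [string]$item.$name } else { $null }

        # -ceq is an exact, case-sensitive match, so edited wording is reported
        if ($null -eq $actual) {
            $state = 'Missing'
        } elseif ($actual -ceq $Expected[$name]) {
            $state = 'Compliant'
        } else {
            $state = 'NonCompliant'
        }

        if ($Remediate -and $state -ne 'Compliant') {
            if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
            # Both values are plain strings (REG_SZ)
            New-ItemProperty -Path $Path -Name $name -Value $Expected[$name] `
                -PropertyType String -Force | Out-Null
            $state = 'Remediated'
        }

        # One result object per value, including what was found before any change
        [pscustomobject]@{ Value = $name; State = $state; Actual = $actual }
    }
}

# Report only; no changes are made without -Remediate
Test-LegalNotice | Format-Table -AutoSize
```

Running it before and after clicking Evaluate shows whether the baseline, rather than a manual change, restored the values.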

Since I know this process can be a little difficult, I have uploaded this baseline to Gallery, and you can download it by clicking on this link!

Enjoy, and thanks for reading!

If this helped you, please leave a comment.


Posted by Tristan Kington, MSPFE Editor and fan of System Centaur Convict Manager, aka Neighsayer.