Finding un-renamed guest account?
I am trying to figure out if that would be best done by baseline configuration or query? Any thoughts or experience in the subject?
November 20th, 2009 9:00pm

If it were me, 'cause I'm a WMI kind of person, I'd probably use a DCM baseline. But it would depend upon what I was looking for. You can check the SID of the guest account vs. the account name in WMI. But depending upon if you wanted to know that the guest account was renamed or that it was NOT, that would determine how you write the CI for compliant vs. non-compliant. But FYI, I've written a custom CI. Let me see if I can find it, and what I was testing for... found it!

For me, I was testing specifically to confirm that the guest account had been renamed to a specific name as defined in the GPO. The theory being that if the guest account was not renamed, the GPO was not being applied at all, or not correctly, and the computer would need to be looked at.

WQL Type
namespace: root\cimv2
class: win32_useraccount
property: Name
WQL: Description = 'Built-in account for guest access to the computer/domain' and LocalAccount = 1

Then in Validation, checked on Report a non-compliant is Greater than 0, and the Details: Data Type is String, and Operator: Equals, Value: The_Name_In_Our_GPO_That_It_Should_Be

If for whatever reason a DCM Baseline is not your preference, there are ways to pull that information using a custom Hardware Inventory extension. That's what we (us old timers) would have done using SMS2003. But with ConfigMgr, I'd go with a DCM Baseline. If you'd rather customize sms_def.mof/configuration.mof, we can do that. But meh. Use the new cool stuff if you can.

Standardize. Simplify. Automate.
November 21st, 2009 3:47am

Sherry, I cannot say what is really my preference; I am one month old when it comes to SCCM, so whatever good advice I get here which I can implement works for me. Our end goal is to get rid of another software delivery and inventory currently used, so the expectation is for us, the helpdesk team, to deliver satisfactory results with SCCM. Having said that, my goal is to create as much as possible stable configuration that can be built upon, representing best practices. I am not sure why a GPO was not used; I had it running in my previous workplace. I will read as much as I can about it and try to implement per your recommendations. It means that the new cool stuff is what I will work with, despite being an old timer :->, from the NT 3.51 days. It is going to be a long weekend..
November 21st, 2009 8:14am

Well, as to remediation, DCM does not "fix" a client which is listed as "non-compliant". It's really (unless you do more work) meant to just make you aware of non-compliant status via reporting. I have targeted clients which reported a non-compliant for a custom baseline, but only a few times. I would never rely on DCM non-compliant over a GPO. GPO is the clear winner for enforcing policies.

A GPO to rename the Guest account is still (in my opinion), 100% the correct way to rename the Guest account. I guess I assumed the GPO was already in place, and some Security team asked that you confirm it's actually working.

What you would use the DCM Baseline for would be (again in my opinion) to find those computers which either do not deserve that GPO, or for whatever reason are not able to successfully apply the GPO, so you can get them to receive the GPO successfully.

Disclaimers: I'm no GPO expert nor a DCM expert--I know just enough to be dangerous. :-) So please do more research, and find the right answer for your company. I've heard the phrase "GPO Preferences" lately. Might not be exactly what you'd need, but the description was really intriguing. You may want to research that.

Standardize. Simplify. Automate.
November 22nd, 2009 9:38pm

>>Well, as to remediation, DCM does not "fix" a client which is listed as "non-compliant" <<
I am aware, and actually found the MS pre-configured vulnerability MSI, imported it into the DCM and got a lot more information than I bargained for :->.

>>a GPO to rename the Guest account is still (in my opinion), 100% the correct way to rename the Guest account <<
I absolutely agree!! Always worked for me in the past. I tested a few GPO implementations with WQL this weekend, and found some surprising results. Since no one was able to tell me what the guest account was renamed as by the script, and I found out it was a rand name, I took you on the WQL advice, and actually flipped and looked for "Guest" which in its turn, made the compliant "non-compliant". The MS Windows Baseline pre-configured helped take care of the rest. Now it is up to the people involved to resolve. Not enough words to thank you for your great insight and help!
November 23rd, 2009 4:05am
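The two checks discussed in this thread (Guest renamed to a known name, and the flipped check for an account still called "Guest") can be combined in one script. This is an added example, not code from any poster: it locates the account by the SID mentioned in the first reply instead of by the Description text, which is editable and differs by display language. The function name and the $ExpectedName parameter are hypothetical.

```powershell
# Added example: check whether the built-in Guest account has been renamed.
# The built-in Guest account always has a SID ending in -501, whatever its name.
function Test-GuestAccountRenamed {
    [CmdletBinding()]
    param(
        # Optional: the name the GPO is supposed to set (supplied by the caller).
        [string]$ExpectedName
    )

    $guest = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = True" |
        Where-Object { $_.SID -match '^S-1-5-21-.+-501$' } |
        Select-Object -First 1

    if (-not $guest) {
        # No local account with RID 501: report it so the machine gets looked at.
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Name      = $null
            SID       = $null
            Disabled  = $null
            Compliant = $false
            Reason    = 'No local account with RID 501 found'
        }
    }

    if ($ExpectedName) {
        # First check from the thread: renamed to the specific name in the GPO.
        $compliant = ($guest.Name -eq $ExpectedName)
        $reason    = "Expected name '$ExpectedName'"
    } else {
        # Flipped check from the thread: new name unknown, so flag the default.
        # Assumes an English-language install where the default name is 'Guest'.
        $compliant = ($guest.Name -ne 'Guest')
        $reason    = "Must not be the default name 'Guest'"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Name      = $guest.Name
        SID       = $guest.SID
        Disabled  = $guest.Disabled
        Compliant = $compliant
        Reason    = $reason
    }
}

# Usage: Test-GuestAccountRenamed                         (flag machines still using 'Guest')
#        Test-GuestAccountRenamed -ExpectedName 'SomeName' (placeholder for the GPO name)
```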

This topic is archived. No further replies will be accepted.
