Was recently asked by a customer to make a global Hyper-V change on VM’s having the wrong AutomaticStopAction setting, across many HV Hosts. My tool of choice, SCCM Baseline! (Yes, SCVMM is a better option here, but that’s not an option in their environment…)
To familiarize everyone, this is what we are changing:
Let’s hop over to PowerShell and get familiar with the cmdlets needed for this. Let’s check the value first:
$(Get-VM -Name HYD-CLIENT1).AutomaticStopAction
For what’s it worth, running just $(Get-VM).AutomaticStopAction will return the state for all VM’s on the host.
Good source for Hyper-V cmdlets : https://docs.microsoft.com/powershell/module/hyper-v
Create and name the baseline, we’ll come back to it later:
Go ahead and create a new configuration item, name it, platforms you want to limit it to, etc. We’ll focus primarily on the “Settings” and “Compliance Rules”:
For “Setting type” and “Data type”, we’ll choose Script and String as shown below:
Since we know what value we want and how to grab that, we’ll use that for our “Discovery Script”:
And as you may have guessed, we’ll use the Set version of that cmdlet to ensure the desired value is set:
Get-VM | Stop-VM;Get-VM | Set-VM -AutomaticStopAction ShutDown;Get-VM | Start-VM
Now choose the “Compliance Rules” tab, this can also be accessed from the main properties window shown below this. Double click or highlight and:
Here we are defining the conditions for a machine to report as compliant when measured against this baseline, make sure you check the box to “Run the specified remediation script when this setting is noncompliant”:
That’s it for the configuration item!
Last step, head back to the Configuration Baseline and add the configuration item we just created, by adding it to the “Evaluation Conditions” as shown below:
Filter the list to find the newly created item, select it and click “Add”:
Choose “OK” and you’re done!
Please comment with any questions about this procedure or any general baseline questions, we’re here to help!
Choose Import Configuration Data:
Click “Add” and choose the “Speculative Execution Side-channel Vulnerabilitiesv106.cab” downloaded from the link provided in the article above. You’ll notice the following error, assuming that’s ok with you, choose “Yes” and continue.
Once added, choose “Next” and you’ll see the following, click “Next” and continue:
Once complete, you’ll see the following:
Close the Import Configuration Data Wizard once it finishes. You’ll now see the following under Configuration Baselines in the folder where you Imported it.
Since we are testing this first, I went ahead and created a test collection where I will deploy the Configuration Baseline. *Please test before you deploy to production* 
Now that we have the Configuration Baseline added, our test collection created, we can deploy the Baseline. Head back to Assets and Compliance > Compliance Settings > Configuration Baselines, right click on the newly created Baseline and choose “Deploy”. Or choose from the ribbon.
From deployment wizard, we have the option to check “Remediate noncompliant rules when supported” which will automatically remediate the registry entries, however, we will opt to deploy the registry changes via a task sequence and use this baseline for reporting only. Choosing this would automate the remediation within your maintenance windows, otherwise checking “Allow remediation outside the maintenance window” would allow for remediation sooner.
Package the following 
Download and package the following updates and include in the task sequence after “Apply Reg Keys” in the “Execute” portion as shown below:
After you’ve deployed everything, head over reporting and look at “Compliance and Settings Management”. Depending on how you want to view compliance, there is an assortment of built in reports that should show you what you want to see.
To break this down line by line, I will add the explanation and corelating fix: