using System Center 2012 Configuration Manager – Part 14. Using Compliance Settings

In Part 1 of this series we created our new LAB, we got the System Center 2012 Configuration Manager ISO and extracted it, then copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container, extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites like .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory configurations prior to running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS). In Part 2 we set up our Primary server with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. Then we configured Discovery methods for our Hierarchy and then configured Boundaries and Boundary Groups.

In Part 3 we configured Discovery methods and configured boundaries and created a boundary group, we then configured them for Automatic Site Assignment and Content Location. In Part 4 we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and then deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings. In Part 5 we installed the WSUS server role (it is required for the Software Update Point role). We then installed the Software Update Point role on our CAS and Primary servers and we configured the SUP to support ConfigMgr Client Agent deployment, which is a recommended Best Practice method of deploying the Configuration Manager Client Agent.

In Part 6 we prepared our server for the Endpoint Protection Point role, and installed that role before configuring custom client device settings and custom antimalware policies. We then deployed those custom client device settings and custom antimalware policies to our newly created Endpoint Protection collections. In Part 7 we added operating system deployment ability to our hierarchy by adding Windows 7 X64. We used the Build and Capture process to capture a WIM image which we can later deploy to targeted computers using network boot (PXE). PXE boot requires specific settings on our distribution points and the boot images used to deliver the operating system WIM images were therefore also enabled for PXE support.

In Part 8 we added Applications to our Software Library and configured the requirements in the Deployment Type to add new abilities to the application delivery process. We monitored the approval process of our applications and saw how requirements can influence whether an application is installed or not and we noted the difference between deploying to Users versus Devices. Next we looked at how Automatic Deployment Rules can be used to automate the deployment of Windows updates on Patch Tuesday using a recurring schedule to patch your infrastructure using Software Updates.

In Part 9 we created some folders and collections using a PowerShell script to make targeting of Windows Updates easier, we then performed a full synchronization of our Software Update Point before creating an Automatic Deployment Rule (ADR) for Windows 7 monthly updates for Patch Tuesday. In Part 10 we monitored our previously created ADR and monitored the downloading and deployment of those updates both to the distribution points and finally to our Windows 7 client computers. We reviewed the process in fine detail in order to understand the sequence of events when an ADR is run on a schedule.

In Part 11 we upgraded our Hierarchy to System Center 2012 Configuration Manager Service Pack 1. In Part 12 we used the new Build and Capture process in Configuration Manager 2012 Service Pack 1 to capture a master image of Windows 8 Enterprise with the .NET 3.5 feature pre-installed; in addition we did most of it using PowerShell cmdlets which are now part of Configuration Manager. In Part 13 we customized the Windows 8 start screen to suit our needs on our previously captured image, we learned the steps required to successfully deploy that customized image and we did most of the work using PowerShell cmdlets (where available).

Now we will use Compliance Settings to take control of certain settings on our clients and to make sure that they are compliant with our baselines by remediating when necessary.

Introduction

Many organizations today use some form of compliance to enforce standards (via Group Policy or other methods), and that's a good thing, as having standards means that you can keep things the same across many computers which in turn means they are easier to manage and support. If the computers you manage are compliant with your organization's policies then all is good; if the computers are not compliant then we can report on this non-compliance and/or enforce compliance via remediation (fix the problem by enforcing the standard).

In this guide I'll show you how to do most of the actions using PowerShell (where possible; not all actions have been converted 100% to PowerShell, it's still in development) but also via the Configuration Manager console. The reason that I'm showing you how to do it in both ways is to make your job easier in terms of automating certain tasks. Once you see how the cmdlets work you'll be more inclined to include them in a script.

Configuration Manager 2012 Service Pack 1 has Compliance Settings built in (however there are no included configuration baselines or configuration items; you can of course create your own or import ready made baselines) and has the ability not only to monitor but to remediate. Compliance Settings was referred to as Desired Configuration Management (DCM) in Configuration Manager 2007. The Compliance Settings feature is found in the Assets and Compliance node and is comprised of the following three components:

  • Configuration Items
  • Configuration Baselines
  • User Data and Profiles

Configuration Items are rules that govern what should be done. Configuration Baselines are groups of one or more Configuration Items, and these baselines are deployed to Collections; clients (users or devices) in those collections evaluate their compliance state and submit that data to the site server. You can create your own Configuration Baselines or import them from elsewhere. Imported baselines always include their associated Configuration Items.

Compliance Settings in Configuration Manager 2012 SP1.png

Step 1. Verify compliance settings and schedule in Client Settings

Perform the following on the CAS server as SMSadmin

Before we can use Compliance Settings we need to enable the ability via client settings. You can configure this site wide (it's enabled by default) or on a collection by collection basis using custom client device settings. In Part 4 of this series we created Custom Client Device Settings, so let's go ahead and open up those client settings.

Method #1 – Verify the Custom Client Device Settings in Powershell

In a Configuration Manager PowerShell console issue the following command:

Get-CMClientSetting -Name "Custom Client Device Settings" -Setting 3

It should output something like the below if any valid client setting is found.

get-cmclientsetting.png

Tip: You can change the -Setting value to an array of values between 0 and 18 to match the relative agent type. For example the 3rd agent type is Compliance Settings and the 4th agent type is Computer Agent. You can specify them in any order you want them output in, from 0 to 18, for example 0,3,2,4,5,7,10,18

Get-CMClientSetting -Name "Custom Client Device Settings" -Setting 3,4

get-cmclientsetting with an array.png

Method #2 – Verify the Custom Client Device Settings in the Configuration Manager console

In the Administration workspace, select our Custom Client Device Settings, right click and choose Properties.

Custom Client Device Settings.png

From the list that appears place a checkmark in Compliance Settings

add compliance settings.png

and set both options to Yes as per the screenshot below.

Note: Enabling the Compliance Settings client settings makes it possible for Configuration Manager clients that are assigned to this site to evaluate compliance with assigned configuration baselines. This client setting is enabled by default via the Default Client Settings, but the client will not evaluate its compliance until it downloads one or more configuration baselines and evaluates them at the configured schedule. Disabling the Compliance Settings client settings prevents Configuration Manager clients that are assigned to this site from evaluating compliance with deployed configuration baselines.

compliance settings set to Yes.png

Note: The option Enable User Data and Profiles is for Configuration Manager 2012 SP1 only and applies to Windows 8 computers in your hierarchy.

If you want to change the schedule of when compliance is evaluated then you'll need to edit the Default Client Settings and open the corresponding compliance settings option listed below. For the purpose of this guide let's change it to every 1 day (by default it's every 7 days).

change compliance settings schedule.png

Tip: you can always manually check for compliance on a client computer by reviewing the actions available in the Configurations tab of the Configuration Manager client agent.

Step 2. Create a baseline to set the homepage for All Users using Windows 8

Perform the following on the CAS server as SMSadmin

Now we will create our first baseline called Set Home Page. I'll show you how to do it in two ways, you can decide which way to do it. One method will be with PowerShell cmdlets built into Configuration Manager and the other method is with screenshots of the steps required in the Configuration Manager console.

Method #1 – Create the Baseline in Powershell

To create the Configuration Baseline in PowerShell we will use the New-CMBaseline cmdlet. In the Configuration Manager console (or using a console that has the Configuration Manager module imported), open a PowerShell console and use the following command to create the new Configuration Baseline:-

New-CMBaseline -Name "Set Home Page" -Description "Sets the homepage in Internet Explorer to https://www.windows-noob.com for All Users using Windows 8" -Category "Client"

Method #2 – Create the Baseline in the Configuration Manager console

To create the Configuration Baseline using the Configuration Manager console, in Assets and Compliance right click on Configuration Baselines in Compliance Settings, and choose Create Baseline.

create configuration baseline.png

Enter the following info: give it a name and description and select the Client category (or create a new one if you wish). At this point we won't select any configuration item.

set home page.png

Save your settings and your baseline appears in the console.

baseline created.png

Step 3. Create a Configuration Item to set a registry key

Perform the following on the CAS server as SMSadmin

A baseline is pretty useless without one or more configuration items to 'tell' it what to do or what to check for, so let's go ahead and create a new configuration item which checks the value of a registry key and sets it to the value that we desire (by remediating the value). The registry key we are checking for is a current user registry key so this can only be checked when a user is logged on. Once again I'll show you two methods of doing this, one using PowerShell, one using the Configuration Manager console.

Method #1 – Create the Configuration Item in Powershell

To create the Configuration Item in PowerShell we will use the New-CMConfigurationItem cmdlet. Use the following command to create the new Configuration Item:-

New-CMConfigurationItem -Name "Set home page via a registry key" -Description "Sets the homepage to https://www.windows-noob.com" -CreationType "WindowsOS" -Category "Client"

Note: The New-CMConfigurationItem cmdlet is not fully fledged yet so you'll have to go and edit the Configuration Item (CI) in the console manually to add the remaining bits, see below for what to add.

Method #2 – Create the Configuration Item in the Configuration Manager console

To create the Configuration Item using the Configuration Manager console, in Assets and Compliance right click on Configuration Items in Compliance Settings, and choose Create Configuration Item.

create configuration item.png

Fill in the name and a good description, select Windows as the OS and Client as the category.

create configuration item details.png

Next, for supported platforms deselect All and place a checkmark in Windows 8 (this will mean that the CI is only supported on Windows 8 systems).

Supported Platforms - Windows 8.png

On the Settings page click on New to create a new setting.

Settings - New.png

On the Create Setting page, fill in details about the setting you are creating. When creating settings you can select from the following setting types:

  • Active Directory Query
  • Assembly
  • File System
  • IIS metabase
  • Registry key
  • Registry Value
  • Script
  • SQL query
  • WQL query
  • XPath query

We are going to set a registry key in the Current User hive, so select the following:-

  • Hive Name: HKEY_CURRENT_USER\
  • Key Name: Software\Microsoft\Internet Explorer\Main
  • Value Name: Start Page

Create Setting.png

Next, click on the Compliance Rules tab and click on New.

New compliance rule.png

On the Create Rule page, fill in the following details:-

  • Name=Verify and Remediate start page
  • Description=Verify the Internet Explorer start Page value and set to https://www.windows-noob.com if not compliant
  • Selected Setting=Set home page via a registry key \ set home…
  • Rule Type=Value
  • Remediate noncompliant rules when supported=True
  • Report noncompliance if this setting instance is not found=True

Create rule.png

Apply your settings and click Next to continue at the Compliance Rules page.

Compliance Rules.png

Continue through the wizard until the Create Configuration Item wizard is complete.

Create Configuration Item complete.png

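As an added example (this is not code from the original post), here is the same check the Registry Value setting above performs, written as the discovery script and remediation script pair you would use if you picked the Script setting type from the list instead. The key, value name and URL are the ones used in this step; the function names are mine. Because the value lives under HKEY_CURRENT_USER, a script setting has to be configured to run in the logged-on user's context (the Script setting has an option to run the scripts using the logged-on user's credentials); otherwise it runs as SYSTEM and reads SYSTEM's hive, which is also why the CI can only be evaluated when a user is logged on.

```powershell
# Added example, not from the original post: the Registry Value check from this
# step expressed as a Script setting's discovery script and remediation script.
# Paths and the expected URL are the post's; function names are mine. In the
# console the discovery part and the remediation part go into separate boxes;
# they are shown together here so the block can be read and tried as one file.

$KeyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ValueName = 'Start Page'
$Expected  = 'https://www.windows-noob.com'

# ---- Discovery script ------------------------------------------------------
# The compliance rule (Rule Type = Value) compares whatever this script writes
# to the pipeline with the expected value. Writing nothing is the case the
# rule's "Report noncompliance if this setting instance is not found" reacts to.
function Get-StartPage {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: instance not found
    return $item.$ValueName
}

# ---- Remediation script ----------------------------------------------------
# Runs only when discovery reported non-compliance and "Remediate noncompliant
# rules when supported" is ticked on the rule. It creates the key if missing,
# writes the expected value and returns what is now stored, so the before and
# after values match what the report in Step 6 displays.
function Set-StartPage {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -Type String
    return (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

# Local dry run of the sequence the client agent applies: discover, compare,
# remediate when needed, and report the outcome.
$current = Get-StartPage
if ($current -eq $Expected) {
    "Compliant: '$ValueName' is already '$current'"
} else {
    $after = Set-StartPage
    "Remediated: '$ValueName' changed from '$current' to '$after'"
}
```

Running the block as the logged-on test user on a Windows 8 client reproduces what the Evaluate action in Step 6 does for this one setting; the string comparison is exact, so a trailing slash or different casing in the stored URL will be reported (and remediated) as non-compliant.
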
Step 4. Add the Configuration Item to the Configuration Baseline

Perform the following on the CAS server as SMSadmin

Now that our Configuration Item is created we need to add it to our baseline, otherwise the baseline won't have anything to do.

Method #1 – Add the Configuration Item to the Configuration Baseline in Powershell

This functionality is not available yet.

Method #2 – Add the Configuration Item to the Configuration Baseline in the Configuration Manager console

Select the Set Home Page baseline in Configuration Baselines and right click, choose Properties.

Properties of Configuration Baseline.png

Click on the Evaluation Conditions tab and in the Add drop down menu select Configuration Items.

Add configuration items.png

Select our newly created Configuration Item, click Add then click OK.

add configuration items 123.png

Once done click on Apply then OK.

apply then ok.png

Step 5. Deploy the Baseline

Perform the following on the CAS server as SMSadmin

Now that our Configuration Item is created and added to our Configuration Baseline, we want to deploy the baseline to a collection. As we are targeting the Windows 8 Computers collection (I've created that device collection in advance using a query to check for Windows 8 as the operating system), all computers in this collection will get this Baseline when they next poll for policy and they'll be checked for compliance. Carefully targeting your collections will mean that the compliance data returned will be more meaningful.

Method #1 – Deploy the Configuration Baseline in Powershell

We will use the PowerShell cmdlet Start-CMBaselineDeployment to deploy our configuration baseline. Here -EnableEnforcement turns on remediation for this deployment, and -ParameterValue 90 is the compliance percentage below which the alert requested by -GenerateAlert is raised.

Start-CMBaselineDeployment -Name "Set Home Page" -CollectionName "Windows 8 Computers" -EnableEnforcement $True -OverrideServiceWindow $True -GenerateAlert $True -ParameterValue 90

Method #2 – Deploy the Configuration Baseline in the Configuration Manager console

Right click on our Configuration Baseline and choose Deploy, fill in the values as you see in the screenshot below.

deploy configuration baseline in the configuration manager console.png

Step 6. Verify compliance on a client computer

Perform the following on a Windows 8 computer as a testuser

Logon to a Windows 8 client and start up Internet Explorer, set the homepage to a value such as https://www.niallbrady.com

home page set to niallbrady dot com.png

Apply the settings and open the Configuration Manager client. Browse to the Actions tab and initiate a Machine Policy Retrieval & Evaluation Cycle.

Machine Policy retrieval and Evaluation cycle.png

Once done, select the Configurations tab and click on Refresh. Our baseline should appear and if it has not run yet the compliance level will be Unknown.

set home page baseline not run yet.png

Select our baseline and click on Evaluate to check our compliance.

evaluate.png

After it has run (it is quick) you'll see that we are compliant.

compliant.png

Go ahead and click on View Report to see a report of what it has just done

compliance report.png

and scroll down to see more details of what the previous value was and what it was remediated to.

previous value and remediated value.png

And of course you can browse to the homepage in Internet Explorer to see that our Configuration Baseline is working. It is! Job done!

job done.png

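The client-side steps above (machine policy retrieval, Evaluate, and reading the compliance state from the Configurations tab) can also be driven from an elevated PowerShell prompt on the Windows 8 client through the client's own WMI classes. The following is an added example and not part of the original post; it assumes the default client namespaces root\ccm and root\ccm\dcm, and the function names are mine.

```powershell
# Added example, not from the original post: drive Step 6 from an elevated
# PowerShell prompt on the client using the Configuration Manager client's own
# WMI classes (SMS_Client in root\ccm and SMS_DesiredConfiguration in
# root\ccm\dcm). Function names are mine; the baseline name is the one created
# in Step 2.

# Schedule ID of the "Machine Policy Retrieval & Evaluation Cycle" action
# that the Actions tab triggers
$MachinePolicySchedule = '{00000000-0000-0000-0000-000000000021}'

function Request-MachinePolicy {
    # Same as clicking Run Now on the action in the Configuration Manager applet
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
        -Name 'TriggerSchedule' -ArgumentList $MachinePolicySchedule | Out-Null
}

function Get-ClientBaseline {
    # One instance per baseline assigned to this client, i.e. what the
    # Configurations tab lists. LastComplianceStatus: 0 = non-compliant,
    # 1 = compliant, 2 = submitted, 3 = unknown, 4 = detecting, 5 = not evaluated
    Get-WmiObject -Namespace 'root\ccm\dcm' -Class 'SMS_DesiredConfiguration' |
        Select-Object DisplayName, Name, Version, LastComplianceStatus, LastEvalTime
}

function Invoke-ClientBaselineEvaluation {
    # Same as selecting the baseline and clicking Evaluate
    param([Parameter(Mandatory)][string]$DisplayName)
    $baseline = Get-WmiObject -Namespace 'root\ccm\dcm' -Class 'SMS_DesiredConfiguration' |
        Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $baseline) {
        throw "Baseline '$DisplayName' is not assigned to this client yet; request policy and retry"
    }
    # TriggerEvaluation wants the internal Name and Version, not the display name.
    # Calling it through [wmiclass] keeps the argument order explicit (Invoke-WmiMethod
    # orders -ArgumentList alphabetically by parameter name, which is easy to get wrong).
    $class  = [wmiclass]'root\ccm\dcm:SMS_DesiredConfiguration'
    $result = $class.TriggerEvaluation($baseline.Name, $baseline.Version)
    return $result.ReturnValue    # 0 means the evaluation job was queued
}

# Walk the same sequence as the console steps
Request-MachinePolicy
Start-Sleep -Seconds 30          # give the client time to download the new policy
Invoke-ClientBaselineEvaluation -DisplayName 'Set Home Page' | Out-Null
Start-Sleep -Seconds 10          # evaluation is quick but asynchronous
Get-ClientBaseline | Format-Table -AutoSize
```

Because our configuration item reads an HKEY_CURRENT_USER value, run this while the test user is logged on, otherwise the evaluation has no user hive to inspect; a LastComplianceStatus of 3 (unknown) after the sleep usually just means the policy has not arrived yet, so rerun Get-ClientBaseline rather than assuming the deployment failed.
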
Troubleshooting

You can review the following log files on the client to troubleshoot configuration baseline application and remediation issues.

  • CIAgent.log – Records details about the process of remediation and compliance for compliance settings, software updates, and application management.
  • CITaskManager.log – Records information about configuration item task scheduling.
  • DCMAgent.log – Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.
  • DCMReporting.log – Records information about reporting policy platform results into state messages for configuration items.
  • DcmWmiProvider.log – Records information about reading configuration item synclets from Windows Management Instrumentation (WMI).

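When one of those logs runs to thousands of lines, it helps to pull out only the warning and error entries. The following parser for the client's CMTrace log format is an added example, not something from the original post; it assumes the default log folder C:\Windows\CCM\Logs, and the two sample entries at the bottom are constructed for the example rather than real client output.

```powershell
# Added example, not from the original post: pull the warning and error entries
# out of a client log such as DCMAgent.log. The client writes one CMTrace-format
# entry per line:
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." context="" type="N" thread="N" file="...">
# where type 1 = information, 2 = warning, 3 = error. The default log folder
# and the sample entries below are assumptions made for this example; the
# sample text is constructed, not real client output.

$SeverityName = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceLog {
    param([string[]]$Lines)
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $sev = $SeverityName[$Matches['type']]
            if (-not $sev) { $sev = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = ($Matches['time'] -split '[+-]')[0]   # drop the UTC offset suffix
                Component = $Matches['comp']
                Severity  = $sev
                Thread    = [int]$Matches['thread']
                Message   = $Matches['msg']
            }
        }
        # lines that do not match (wrapped or partial entries) are skipped
    }
}

function Get-CMLogProblems {
    # Warnings and errors from one client log, in the order they were written
    param([string]$Path = 'C:\Windows\CCM\Logs\DCMAgent.log')
    ConvertFrom-CMTraceLog -Lines (Get-Content -Path $Path) |
        Where-Object { $_.Severity -in 'Warning', 'Error' }
}

# Constructed sample entries so the parser can be tried without a client
$sample = @(
    '<![LOG[Evaluation of baseline Set Home Page started]LOG]!><time="10:15:02.113+00" date="02-20-2013" component="DCMAgent" context="" type="1" thread="3204" file="dcmagent.cpp:1182">',
    '<![LOG[Failed to read setting value for CI, error 0x80070002]LOG]!><time="10:15:02.241+00" date="02-20-2013" component="DCMAgent" context="" type="3" thread="3204" file="dcmagent.cpp:1240">'
)
ConvertFrom-CMTraceLog -Lines $sample |
    Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Component, Message -AutoSize
```

On a real client, Get-CMLogProblems on DCMAgent.log and then CIAgent.log is usually enough to see why a baseline is stuck at Unknown or why a remediation did not apply; the Thread column lets you follow one evaluation job across its Info entries once you have found the error.
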
You can also review the built in Compliance and Settings Management reports to get details of compliance levels in your organization.

Compliance and settings management reports.png

You can drill down into those reports once the state messages have been processed.

List of unknown assets for a configuration baseline.png

Or you can check the compliance level from the Deployments node in Monitoring, or via the Configuration Baseline itself by selecting the Deployments tab. There you will see the compliance level; you can run a summarization to get up to date results or click on View Status to get more information about the deployment

view status of Compliance.png

and check the Error, Non-Compliant or Unknown tabs for details of why they are not compliant.

Unknown status.png

that's all for now folks so until next time,

cheers

niall.

Summary

Compliance Settings in Configuration Manager 2012 SP1 gives you the power to enforce standards across your organization, all via the Configuration Manager client. In addition you can report on that compliance on the client computer itself, on your Configuration Manager reporting services servers or in the Configuration Manager console itself. With Configuration Manager 2012 SP1 you now have additional PowerShell cmdlets to do most of the actions required to successfully create, manage and deploy your baselines, so what are you waiting for, get compliant!

Recommended reading

Compliance Settings in Configuration Manager – http://technet.micro…y/gg681958.aspx

Security Compliance Manager 3.0 – http://www.microsoft…s.aspx?id=16776
