Creating Your Own Custom ConfigMgr 2012 Compliance Packs
This demonstration will show you how to create your own custom compliance packs to import into ConfigMgr 2012/R2.
- First, download and install the Microsoft Security Compliance Manager (SCM) solution accelerator. Note that this can easily be installed on your workstation computer; it does not need to be on a Windows Server. Also, a version of SQL Server (including the Express edition) needs to be installed locally as a prerequisite. http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx
- When SCM has been launched for the first time, it will check for, download, and import baselines.
- However, newer baselines will still be missing. Select the option to download baselines automatically.
- From the available products and baseline options, multi-select the desired configuration items, then export to SCCM DCM 2007 (.cab) – even for ConfigMgr 2012/R2!
- Next, store/save a copy of the .cab file where it can be easily imported into ConfigMgr. If you’ve built a “complex” DCM, then I recommend either writing instructions on how to rebuild the .cab or retaining a backup of the original file.
- In the ConfigMgr console for Compliance Settings > Configuration Items, select to Import Configuration Data.
- In the wizard, click the Add button to include the baseline(s) that have been created and are ready for import. Then complete the remainder of the wizard.
- Note that with the imported configuration data, the baseline(s) are automatically created as well.
- Finally, deploy the baseline(s) to the desired collection of systems.
And that’s all there is to quickly using SCM for creating your own compliance packs for ConfigMgr 2012/R2!
Limit DCM and Programs to Win7 RTM
Microsoft began supporting Windows 7 in SCCM with SP2, so since then there has been an option to limit execution of a DCM or package/program on a computer running Win7. SCCM can limit execution based upon OS + architecture + SP level. For example, you could limit execution to just Vista x86 RTM by selecting the following option.
Now that SP1 for Win7 has been released (to MSDN/TechNet/MVLS), you may find yourself needing to prevent a DCM or package from running on computers with SP1. Unlike with other operating systems, SCCM SP2 doesn’t offer an option to limit execution to “x86 Windows 7 original release”.
To work around this, I found (for both DCM and package/programs) that selecting the option “x86 Windows 7” detects Win7 SP1 as not applicable, and it works in my brief tests!
DCM for Action Center AntiVirus Warning
Have you ever experienced a warning message in the Windows 7 Action Center that it is “important” to find and install an antivirus program – even though the computer already has a functional AV installed? I myself have experienced this many times (at random) over the last year since we began deploying computers with Windows 7. While the cause is unknown to us at this time (is it the AV or Windows?), we do know how it can be identified.
WMI contains a namespace called “SecurityCenter2”. There are three classes to pay attention to, particularly AntiVirusProduct. If this class contains no instances at all, the Action Center reports the warning.
So now you may be asking, “how does one identify this across an organization?” By using Desired Configuration Management (DCM) within SCCM, of course! Here is how to create a DCM to identify these computers.
- Create a new Configuration Item (CI) in DCM.
- In the CI, on the Settings tab, create a new WQL query:
- Call the display name anything you like (I used “AV_Query”)
- Enter the namespace as “Root\securitycenter2”
- Enter the class as “AntiVirusProduct”
- Enter the property as “displayName”
- Click on the Validation tab and change the instance count operator from “Greater than” to “Not equals”
- Optional – change the severity to “Information – no Windows event message”
- On the Applicability tab, limit the specified platforms to only Win7 computers
- Click OK throughout to save the CI
- Create a new Configuration Baseline
- In the baseline, on the Rules tab, add the CI to the “applications and general configuration items”
- Assign the baseline to a collection of computers
- Use the default web reports to monitor the status of the deployment and results (I used report “Summary compliance for a configuration item by computer”).
- Computers saying that they are “Non-compliant” in column Actual Compliance State are actively impacted by this issue.
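The following PowerShell script is an added example, not part of the original post, and reproduces on a single Windows 7 client what the configuration item above evaluates: it runs the same WQL query against the SecurityCenter2 namespace and applies the “instance count not equal 0” validation rule. The namespace, class and property names come from the steps above; the compliance labels and the namespace-missing handling are this script’s own. Get-WmiObject is used rather than Get-CimInstance so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post): local equivalent of the "AV_Query" CI.
# The CI selects displayName from AntiVirusProduct in root\SecurityCenter2 and its
# validation rule requires the instance count to be "not equal" to 0.
$namespace = 'root\SecurityCenter2'
$query     = 'SELECT displayName FROM AntiVirusProduct'

function Get-AvComplianceState {
    # Returns 'Compliant' when at least one AV product is registered, 'Non-compliant'
    # when the class is empty (the state that makes Action Center raise the warning),
    # and 'Not applicable' when the namespace does not exist at all.
    $instances = $null
    try {
        $instances = @(Get-WmiObject -Namespace $namespace -Query $query -ErrorAction Stop)
    } catch {
        # SecurityCenter2 exists only on client SKUs, which is why the CI is scoped
        # to Win7 on the Applicability tab; treat a missing namespace as out of scope.
        if ($_.Exception.Message -match 'Invalid namespace') { return 'Not applicable' }
        throw
    }
    if ($instances.Count -ne 0) { return 'Compliant' }
    return 'Non-compliant'
}

$state = Get-AvComplianceState
Write-Host "AntiVirusProduct instance count check: $state"
if ($state -eq 'Compliant') {
    # List what Security Center knows about, which is what Action Center bases its warning on.
    Get-WmiObject -Namespace $namespace -Query $query |
        ForEach-Object { Write-Host " - $($_.displayName)" }
}
```

Run it in an elevated prompt on a machine showing the Action Center warning: a result of Non-compliant confirms the class is empty even though AV is installed, which is exactly what the DCM report will flag for that computer.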
When doing this in our environment, I discovered that about 5% of our Windows 7 computers are affected. The other great thing about using a DCM for this is that collections can be created based upon the compliance state, and a SWD package can then be used to take action on the computers in that collection.
SCCM DCM Inventory for Installed Windows Hotfixes
Here’s the situation: you need to deploy hotfix KB2434932 for Windows 7, so you download and package the hotfix. (Side note: this is necessary because Windows hotfixes that must be downloaded manually do not show up in the WSUS catalog, so they cannot be deployed using SCCM Software Updates.) However, after deployment to a few test computers, you discover that the Windows updates are no longer registered within the Add/Remove Programs inventory. So what do you do? Turn to DCM to do the inventory for you!
This is precisely the challenge that I faced today. Here’s how I used DCM to inventory Windows 7 installed hotfixes.
First, create the CI
- In your SCCM console, navigate to Computer Management > Desired Configuration Management
- Create a new “General Configuration Item”. Name it “KB2434932” and tag it as “WMI”
- On the “Settings” wizard page, create a new “WQL Query” setting. Configure the following
- Click on the Validation tab and change the severity to “Information – no Windows event message” then click OK to close the dialog box.
Note: this change is optional
- On wizard page “Applicability”, select the specified platforms for Win7
- Complete the wizard
Second, create the baseline
- Create a new Configuration Baseline named “WMI QFE KB2434932”
- On the wizard page “Set Configuration Baseline Rules”, select option “These applications and general configuration items…”, then find and select the CI created above.
- Complete the wizard
Third, assign the baseline to a collection on a schedule
- Select the created baseline within the console and run the action “Assign to a Collection”. In the wizard, on the page “Choose Collection”, select the systems you wish to target.
Note that I’ve selected a collection containing only test systems for now. If your DCM inventory works there, it will be safer to deploy in production.
- On the Set Schedule wizard page, define a short schedule (such as 15 minutes) for quicker testing.
- Complete the wizard
Finally, create a collection which contains computers that do not comply to the baseline
- Select the baseline in the console
- Select action Create New Collection > Non-Compliant Systems
- Complete the wizard as you see fit
Voilà, now you have a collection to target for your package/advertisement. The only catch is that the collection won’t contain any computers yet, so you’ll need to force a machine policy update on those computers so that they know they have the baseline to run the DCM inventory. You can use the web report “Compliance details for a configuration baseline” to monitor when those computers have completed the inventory. Once they appear as “Non-Compliant” in the column “Actual Compliance State”, you can update the collection membership to populate the collection with members.
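The following PowerShell script is an added example, not part of the original post, that reproduces the “KB2434932” CI check on a single client and then performs the forced machine policy update described above. It assumes the CI’s WQL setting (the post does not reproduce the settings screenshot) queries the Win32_QuickFixEngineering class in root\cimv2 for HotFixID = 'KB2434932', which is the class behind the “WMI QFE” in the baseline’s name; the function names and the compliance wording are this script’s own. The schedule ID used is the SCCM client’s Machine Policy Retrieval & Evaluation Cycle.

```powershell
# Added example (not from the original post): local equivalent of the "KB2434932" CI plus
# the machine policy refresh new clients need before they evaluate the baseline.
# ASSUMPTION: the CI's WQL setting queries Win32_QuickFixEngineering for the hotfix ID.
$hotfixId = 'KB2434932'
$query    = "SELECT HotFixID FROM Win32_QuickFixEngineering WHERE HotFixID = '$hotfixId'"

function Test-HotfixInstalled {
    param([string]$WqlQuery)
    # A non-empty result means the hotfix is registered with the servicing stack, even
    # when it is absent from Add/Remove Programs. DCM's "instance count not equal 0"
    # validation rule on this setting is the same test.
    $rows = @(Get-WmiObject -Namespace 'root\cimv2' -Query $WqlQuery -ErrorAction Stop)
    return ($rows.Count -ne 0)
}

function Invoke-MachinePolicyRefresh {
    # Triggers the Machine Policy Retrieval & Evaluation Cycle on the local SCCM client,
    # i.e. the "force a machine policy update" step. Requires the client to be installed
    # and the prompt to be elevated.
    $scheduleId = '{00000000-0000-0000-0000-000000000021}'
    [void](Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
                            -Name 'TriggerSchedule' -ArgumentList $scheduleId)
}

if (Test-HotfixInstalled -WqlQuery $query) {
    Write-Host "$hotfixId present: this client would report Compliant for the CI"
} else {
    Write-Host "$hotfixId missing: this client would report Non-Compliant and land in the collection"
}

# On a test client that has just been added to the targeted collection, refresh policy so
# it picks up the baseline now rather than at the next polling interval.
Invoke-MachinePolicyRefresh
```

Running the check by hand on one or two test machines before assigning the baseline lets you confirm that the query actually matches the installed hotfix; if it returns nothing on a patched machine, the CI will mark every computer Non-Compliant and the collection will be useless for targeting.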