Chad Till at myITforum.com

Step one: reinvent the wheel. Step three: profit.

Using DCM to remediate settings on CM 2007 clients

Background:

A while ago, a certain well-respected member of the community (the systems management community, certainly not any community in which he has lived) started touting the advantages of Configuration Manager 2012 over 2007, including the ability to “enforce” or “remediate” DCM CI’s.  Not willing to accept that my arch-nemesis might be correct about something, I immediately set out to show him that the same was possible in the old version.  Of course he already knew that, and knew I would have to solve that riddle, but admitting that would be admitting he was correct, and I’m not about to fall into that trap.

The result:

As configuration types include “script,” it should be possible to find a setting that is out of compliance, and flip the switch.  Once I got started it proved very simple to do just that.  This example creates an Application Configuration Item (CI) to disable Java automatic updates on x64 operating systems. A master Configuration Baseline is then created, the CI is added to it, and the baseline is assigned to a test collection.

 

If you’re new to DCM, you might want to watch Jason Lewis’ screencast series before diving in: http://blogs.technet.com/b/jasonlewis/archive/2010/03/26/screencast-dcm-introduction.aspx

 

Create the Configuration Item

  • Within the Configuration Manager Console, browse to Site Database, Computer Management, Desired Configuration Management, Configuration Items.

  • Right-click Configuration Items and select New, Application Configuration Item. The Create Application Configuration Item Wizard will begin.

  • On the Identification window

    • In the Name: field, enter “Oracle Java Auto-Updates (x64).”

    • In the Description field, enter “Disables automatic updates on systems where the installation is detected.”

    • In the Categories field, use the wizard to create a new category named “Auto-Updates.”


    • Click Next >

  • On the Detection Method window

    • Select Use custom script

    • Leave VBScript selected as the script type, and enter the detection script in the space provided

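Option Explicit

Dim WshShell, strVersion

Set WshShell = CreateObject("WScript.Shell")

' RegRead raises an error when the value does not exist, so trap it instead of testing the return value
On Error Resume Next
strVersion = WshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\CurrentVersion")

' Echo the version only when the value was read successfully
If Err.Number = 0 Then
    WScript.Echo strVersion
End If
On Error GoTo 0

Set WshShell = Nothing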


    • Click Next >

  • On the Objects window, click Next >

  • On the Settings window

    • Click New, Script

    • On the General tab

      • Enter “Disable Auto Updates” in the Display name: field

      • Enter “Changes value of EnableJavaUpdate registry key” in the Description: field

      • Leave VBScript selected as the script type, and enter the remediation script in the space provided

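Option Explicit

Dim WshShell

Set WshShell = CreateObject("WScript.Shell")

' Remediate: force EnableJavaUpdate to 0 every time the setting is evaluated
WshShell.RegWrite "HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\EnableJavaUpdate", 0, "REG_DWORD"

' Echo the value now in the registry; the Validation tab compares this output with 0
WScript.Echo WshShell.RegRead("HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\EnableJavaUpdate")

Set WshShell = Nothing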

    • On the Validation tab

      • Enter “0” in the Value: field

      • Click OK to close the Validation and New Script Setting mini-wizards


      • Click Next >

  • On the Applicability window

    • Select Specified windows platforms

    • Place checks next to All x64 Windows XP Professional, All x64 Windows Vista, and All x64 Windows 7

    • Place a check next to This application runs on 64-bit computers only


    • Click Next >

  • On the Summary window, click Next >

  • On the Confirmation window, click Close
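
The Disable Auto Updates setting script above writes the value on every evaluation and leaves no trace of what it changed. The variant below is an added example, not the original author's script: it writes only when the value has drifted and records the previous state in the Application event log through WshShell.LogEvent, so enforcement done through DCM leaves an audit trail. The constant and function names are hypothetical, and the script assumes it runs with rights to write HKLM.

```vbscript
Option Explicit

' Added example (not the original author's script): remediate only on drift
' and leave an audit record. Constant and function names are hypothetical.
Const VALUE_PATH = "HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\EnableJavaUpdate"
Const DESIRED = 0
Const EVT_WARNING = 2          ' WshShell.LogEvent type 2 = warning

Dim WshShell, current, found
Set WshShell = CreateObject("WScript.Shell")

' Describe a registry value for the log without failing on array data
Function Describe(v)
    If IsArray(v) Then
        Describe = "(binary or multi-string data)"
    Else
        Describe = "'" & CStr(v) & "'"
    End If
End Function

' True only when the value is a number (not a string) equal to DESIRED
Function IsCompliant(v)
    IsCompliant = False
    If IsNumeric(v) And VarType(v) <> vbString Then IsCompliant = (CDbl(v) = DESIRED)
End Function

' RegRead raises an error when the value does not exist
On Error Resume Next
current = WshShell.RegRead(VALUE_PATH)
found = (Err.Number = 0)
Err.Clear
On Error GoTo 0

If Not found Then
    WshShell.RegWrite VALUE_PATH, DESIRED, "REG_DWORD"
    WshShell.LogEvent EVT_WARNING, "DCM remediation: EnableJavaUpdate was missing; set to " & DESIRED
ElseIf Not IsCompliant(current) Then
    WshShell.RegWrite VALUE_PATH, DESIRED, "REG_DWORD"
    WshShell.LogEvent EVT_WARNING, "DCM remediation: EnableJavaUpdate was " & Describe(current) & "; set to " & DESIRED
End If

' Echo the value as re-read from the registry so the Validation rule
' (equals 0) reflects the real end state, not what the script intended
WScript.Echo WshShell.RegRead(VALUE_PATH)

Set WshShell = Nothing
```

Because the only output is still the re-read value, the “0” entered on the Validation tab works unchanged.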

 

Create the Configuration Baseline

  • Within the Configuration Manager Console, browse to Site Database, Computer Management, Desired Configuration Management, Configuration Baselines.

  • Right-click Configuration Items and select New, Configuration Baseline. The Create Configuration Baseline Wizard will begin.

  • On the Identification window

    • Enter “Disable Auto-Updates” in the Name: field

    • Enter “Contains application-specific CIs to disable automatic updates” in the Description: field

    • Select Auto-Updates from the available Categories

    • Click Next >

  • On the Set Configuration Baseline Rules window

    • Click application in the Rules: section and select the new CI created in section 1, then click OK to close the Choose Configuration Items mini-wizard


    • Click Next >

  • On the Summary window, click Next >

  • On the Confirmation window, click Close

 

Assign the Configuration Baseline

  • Right-click on the Disable Auto-Updates Configuration Baseline created in section 2 and select Assign to a Collection. The Assign Configuration Baseline Wizard will begin.

  • On the Choose Baselines window, verify that the Disable Auto-Updates baseline appears and click Next >

  • On the Choose Collection window, browse to a collection that contains the workstations you will use for pre-deployment testing and click Next >

  • On the Set Schedule window, click Next >

  • On the Summary window, click Next >

  • On the Confirmation window, click Close

 

Final note:

At first I wondered whether using this method to enforce settings was responsible, since I’m not exactly using the product for its intended purpose, and I could theoretically do some really diabolical stuff, but two things helped set me straight:

1. I already have the power to manipulate corporate computers in any way imaginable, just by virtue of being an SCCM guy.  The above trick may simplify the execution of my powers, but does not enable me to do anything I can’t already do through more traditional means.

2. The next version does all of this automatically with a checkbox, so it was probably the intended purpose anyway.

The attachments below include the CI’s for disabling auto-updates on Flash, Reader 9.X, Firefox, Java, and Silverlight.  You’ll want to view the Firefox CI’s closely; there’s some wizardry going on in the script.  If there’s enough interest, I might be convinced to add more of these.  Let me know if you find this valuable.

Update: attachments coming soon...

Copyright - www.myITforum.com, Inc. - 2010 All Rights reserved.