Business Case: Temporarily change DNS server settings
1. Right-click on Configuration Items, select Create Configuration Item…
2. Name your new Configuration Item…
3. Select Supported Platforms…
5. Enter details in the Create Settings dialog, and select Add Script…
6. Paste in the VBScript that checks for compliance. In my case, I am keying off the AD DynamicSiteName registry value to determine which DNS servers to use for compliance.
7. chkDNS.vbs
```vbscript
Const HKEY_LOCAL_MACHINE = &H80000002

Set oReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
strValueName = "DynamicSiteName"

' Get the computer's AD site name
oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

' Pick the expected DNS servers for the site and echo the compliance result
Select Case strValue
    Case "XXXXXXXXSite"
        dns1 = "XXX.XX.XXX.XX"
        dns2 = "XXX.XX.XXX.XX"
        WScript.Echo ChkNameServers(dns1, dns2)
    Case "AustinSite"
        dns1 = "XXX.XX.XXX.XX"
        dns2 = "XXX.XX.XXX.XX"
        WScript.Echo ChkNameServers(dns1, dns2)
    Case Else
        WScript.Echo "Cannot determine AD SiteName"
End Select
WScript.Quit

Function ChkNameServers(dns1, dns2)
    dnsfound = 0
    strKeyPath = "SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces"
    oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
    strValueName = "NameServer"
    ' Keep the NameServer value of the last interface that has one set
    For Each subkey In arrSubKeys
        strKeyPath1 = strKeyPath & "\" & subkey
        oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, strValueName, strValue
        If (strValue <> "") Then currdns = strValue
    Next
    ' Both expected servers must appear somewhere in that value (substring test)
    If InStr(currdns, dns1) <> 0 Then dnsfound = dnsfound + 1
    If InStr(currdns, dns2) <> 0 Then dnsfound = dnsfound + 1
    If dnsfound = 2 Then
        ChkNameServers = "Compliant"
    Else
        ChkNameServers = "Non-compliant"
    End If
End Function
```
8. Now enter your remediation script using the same process, select Add Script under Remediation Script…
9. Don’t forget to change the script language, and paste in your VBScript…
10. fixDNS.vbs …
```vbscript
Const HKEY_LOCAL_MACHINE = &H80000002

Set objShell = CreateObject("WScript.Shell")
Set oReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
strValueName = "DynamicSiteName"

' Get the computer's AD site name
oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

' Apply the DNS servers that belong to the site
Select Case strValue
    Case "XXXXXXXXSite"
        dns1 = "xxx.xx.xx.xxx"
        dns2 = "xxx.xx.xx.xxx"
        result = FixNameServers(dns1, dns2)
    Case "XXXXXXXXXXSite"
        dns1 = "xxx.xx.xx.xxx"
        dns2 = "xxx.xx.xx.xxx"
        result = FixNameServers(dns1, dns2)
    Case Else
        WScript.Echo "Cannot determine AD SiteName"
End Select
WScript.Quit(Err)

Function FixNameServers(dns1, dns2)
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colNetCards = objWMI.ExecQuery _
        ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")
    ' Set the same search order on every IP-enabled adapter
    For Each objNetCard In colNetCards
        arrDNSServers = Array(dns1, dns2)
        ' Note: WMI reports failures through this method's return value,
        ' which is not captured here; Err only reflects script runtime errors.
        objNetCard.SetDNSServerSearchOrder(arrDNSServers)
    Next
    FixNameServers = Err
End Function
```
11. Select the Compliance Rules tab and select New… Enter your rule details. Notice that the expected return value is whatever the chkDNS.vbs script echoes back.
12. After you click OK, you’ll have your first compliance rule set up…
15. Click Next again to see the Summary and complete the wizard…
17. Now onto the Configuration Baseline, right-click Configuration Baselines, then select Create Configuration Baseline…
18. Enter the details for the new Baseline, then select Add, Configuration Items…
19. Select the Windows Server DNS Configuration Item and then select Add…
20. Select OK to complete your new Baseline…
21. Our Baseline isn’t very good unless we deploy it. I typically deploy to a small test collection, or you can use your lab if you have one. I have one test server I use to test the VBScripts before adding them into SCCM. I am also using a duplicate of the Baseline called “DNS Server Configuration Baseline (Report Only)” that is set NOT to remediate, so I can check the compliance reports and determine how the CI will affect all systems. If this is a permanent CI, I will add it to our “Configuration Baseline for All Windows Servers”, which is targeted to All Windows Server Clients.
22. Right-click on your Baseline and select Deploy. You will also notice the Deployments tab below, which is handy for knowing what deployments you may already have set up.
23. This will be a Remediation Deployment, so select “Remediate noncompliant rules when supported”. You can also set “Allow remediation outside the maintenance window”, and then set the schedule to run after business hours.
24. This fix needs to run nightly for a while until everything is compliant, so I have the schedule set to after hours. If you checked “Allow remediation outside the maintenance window”, the remediation should run on this deployment’s schedule regardless of maintenance windows. Hopefully in theory!
25. Click OK to complete the deployment
26. Switch to your Monitoring wunderbar and select Deployments.
27. If you have a bunch of deployments, right-click on the column headers to group by feature type.
28. I’ve already added it to a global “All Windows Server Clients” collection. Another note: by default, we do not target any DCs with these compliance settings. I’ve blanked out some branding, but you can get the idea from looking at the Deployments screen.
29. At the bottom of the screen, you have great compliance data being compiled…
30. Click on View Status for detail by server and status…
31. Checking out the policy on the agent: from Control Panel, System and Security, select Configuration Manager, then Configurations…
32. If you do not see your Configuration Baseline, select Actions, Machine Policy Retrieval & Evaluation Cycle. The Baseline should show up in a few minutes at most. Since we do not have the evaluation scheduled until after 11PM, you can select Evaluate to check compliance without having to wait. Since I have a number of CIs in my Baseline, the overall Compliance Status is Non-Compliant, but by selecting View Report, I can see the detail…
33. I haven’t investigated the Compliance Settings reports in SCCM 2012, but that is the next step!
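
The `InStr` test in ChkNameServers (step 7) also reports “Compliant” when a configured address merely contains an expected one, or when an extra, unexpected server is in the list. The following is an added example, not part of the original chkDNS.vbs, showing an exact, ordered comparison next to the substring test; `ParseNameServers`, `ExactCheck` and `SubstringCheck` are hypothetical helper names, and the 192.0.2.x / 203.0.113.x addresses are constructed sample values.

```vbscript
Option Explicit
' Added example (not the original chkDNS.vbs): exact, ordered comparison of a
' NameServer registry string against the expected DNS servers.

' Split a NameServer value ("a,b" or "a b", possibly Null) into an array of addresses.
Function ParseNameServers(raw)
    Dim part, cleaned
    cleaned = ""
    For Each part In Split(Replace(raw & "", " ", ","), ",")
        If part <> "" Then
            If cleaned <> "" Then cleaned = cleaned & ","
            cleaned = cleaned & part
        End If
    Next
    ParseNameServers = Split(cleaned, ",")
End Function

' Compliant only when the configured list equals the expected list, item by item.
Function ExactCheck(raw, expected)
    Dim actual, i
    actual = ParseNameServers(raw)
    ExactCheck = "Non-compliant"
    If UBound(actual) <> UBound(expected) Then Exit Function
    For i = 0 To UBound(expected)
        If actual(i) <> expected(i) Then Exit Function
    Next
    ExactCheck = "Compliant"
End Function

' The substring test used by ChkNameServers, kept here for comparison.
Function SubstringCheck(raw, expected)
    If InStr(raw, expected(0)) <> 0 And InStr(raw, expected(1)) <> 0 Then
        SubstringCheck = "Compliant"
    Else
        SubstringCheck = "Non-compliant"
    End If
End Function

' Constructed sample data (documentation address ranges), not real servers:
' exact match, look-alike addresses, an extra third server, and an empty value.
Dim expected, samples, s
expected = Array("192.0.2.10", "192.0.2.11")
samples = Array("192.0.2.10,192.0.2.11", _
                "192.0.2.100,192.0.2.110", _
                "192.0.2.10,192.0.2.11,203.0.113.5", _
                "")
For Each s In samples
    WScript.Echo "[" & s & "] substring=" & SubstringCheck(s, expected) & _
                 " exact=" & ExactCheck(s, expected)
Next
```

Run it with `cscript //nologo`; the second and third samples pass the substring test but fail the exact comparison. Because `ExactCheck` returns the same two strings as ChkNameServers, the compliance rule from step 11 would not need to change.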
