
Compliance Settings in System Center Configuration Manager 2012

Business Case: Temporarily change DNS server settings

1. Right-click on Configuration Items, select Create Configuration Item…

2. Name your new Configuration Item…

3. Select Supported Platforms…

4. Select New…

5. Enter details in the Create Settings dialog, and select Add Script…

6. Paste in the VBScript that checks for compliance. In my case, I am keying off the AD DynamicSiteName registry value to determine which DNS servers to use for compliance.

7. chkDNS.vbs:

    ' chkDNS.vbs - discovery script. Echoes "Compliant" or "Non-compliant";
    ' the CI compliance rule compares that echoed string with its expected value.
    Const HKEY_LOCAL_MACHINE = &H80000002

    Set oReg = GetObject("winmgmts:\\.\root\default:StdRegProv")

    strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
    strValueName = "DynamicSiteName"

    ' get computer AD SiteName (the site Netlogon cached at last logon)
    oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

    Select Case strValue
        Case "XXXXXXXXSite"
            dns1 = "XXX.XX.XXX.XX"
            dns2 = "XXX.XX.XXX.XX"
            WScript.Echo ChkNameServers(dns1, dns2)
        Case "AustinSite"
            dns1 = "XXX.XX.XXX.XX"
            dns2 = "XXX.XX.XXX.XX"
            WScript.Echo ChkNameServers(dns1, dns2)
        Case Else
            WScript.Echo "Cannot determine AD SiteName"
    End Select

    WScript.Quit

    Function ChkNameServers(dns1, dns2)
        dnsfound = 0
        currdns = ""
        strKeyPath = "SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces"
        oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
        strValueName = "NameServer"
        ' Walk every interface; keep the last non-empty static NameServer list found
        For Each subkey In arrSubKeys
            strKeyPath1 = strKeyPath & "\" & subkey
            oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath1, strValueName, strValue
            If (strValue <> "") Then currdns = strValue
        Next
        ' Substring match: both expected servers must appear somewhere in that list
        ' (note that "10.1.1.1" also matches "10.1.1.10")
        If InStr(currdns, dns1) <> 0 Then dnsfound = dnsfound + 1
        If InStr(currdns, dns2) <> 0 Then dnsfound = dnsfound + 1
        If dnsfound = 2 Then
            ChkNameServers = "Compliant"
        Else
            ChkNameServers = "Non-compliant"
        End If
    End Function

8. Now enter your remediation script using the same process: select Add Script under Remediation Script…

9. Don’t forget to change the script language, and paste in your VBScript…

10. fixDNS.vbs:

    ' fixDNS.vbs - remediation script. Sets the site's resolvers on every
    ' IP-enabled adapter and exits non-zero if any adapter rejected the change.
    Const HKEY_LOCAL_MACHINE = &H80000002

    Set oReg = GetObject("winmgmts:\\.\root\default:StdRegProv")

    strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
    strValueName = "DynamicSiteName"

    ' get computer AD SiteName
    oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

    result = 0
    Select Case strValue
        Case "XXXXXXXXSite"
            dns1 = "xxx.xx.xx.xxx"
            dns2 = "xxx.xx.xx.xxx"
            result = FixNameServers(dns1, dns2)
        Case "XXXXXXXXXXSite"
            dns1 = "xxx.xx.xx.xxx"
            dns2 = "xxx.xx.xx.xxx"
            result = FixNameServers(dns1, dns2)
        Case Else
            WScript.Echo "Cannot determine AD SiteName"
    End Select

    ' A non-zero exit code is reported back to the client as a remediation failure
    WScript.Quit result

    Function FixNameServers(dns1, dns2)
        failures = 0
        arrDNSServers = Array(dns1, dns2)
        Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
        Set colNetCards = objWMI.ExecQuery _
            ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")
        For Each objNetCard In colNetCards
            ' SetDNSServerSearchOrder returns 0 on success; any other value is an error code
            rc = objNetCard.SetDNSServerSearchOrder(arrDNSServers)
            If rc <> 0 Then failures = failures + 1
        Next
        FixNameServers = failures
    End Function
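The same check-and-fix pair in PowerShell, as an added example that is not code from the original post (Configuration Manager accepts PowerShell as the CI script language as well). It goes beyond the VBScript in two ways: the NameServer string is split into individual addresses and compared exactly and in order, so an expected resolver such as 192.0.2.1 does not match a configured 192.0.2.10 the way the InStr substring test would, and every interface that has a static resolver list must match rather than only the last one enumerated. The site names and addresses in $SiteDns are constructed placeholders, and the -Remediate switch and function names are this example's own.

```powershell
# Added example, not code from the original post: a PowerShell version of the
# chkDNS.vbs / fixDNS.vbs pair. The site names and addresses in $SiteDns are
# constructed placeholders; replace them with your own AD sites and resolvers.
# Run without arguments as the discovery script (writes Compliant / Non-compliant);
# run with -Remediate as the remediation script.
param([switch]$Remediate)

$SiteDns = @{
    'AustinSite' = @('192.0.2.10', '192.0.2.11')   # placeholder resolvers
    'DallasSite' = @('192.0.2.20', '192.0.2.21')   # placeholder resolvers
}

function Get-AdSiteName {
    # Same source the VBScript keys off: the site name Netlogon cached at last logon.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    (Get-ItemProperty -Path $key -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
}

function Get-StaticNameServers {
    # One entry per interface that has a static resolver list. NameServer is a
    # comma- or space-separated string, so split it into individual addresses.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        $ns = (Get-ItemProperty -Path $iface.PSPath -Name NameServer -ErrorAction SilentlyContinue).NameServer
        if ($ns) {
            New-Object PSObject -Property @{
                Interface = $iface.PSChildName
                Servers   = @($ns -split '[ ,]+' | Where-Object { $_ })
            }
        }
    }
}

function Test-NameServerOrder {
    # Exact, ordered comparison of one interface's list against the expected list.
    # Unlike the VBScript's InStr check, '192.0.2.1' does not match '192.0.2.10'.
    param([string[]]$Actual, [string[]]$Expected)
    if ($Actual.Count -ne $Expected.Count) { return $false }
    for ($i = 0; $i -lt $Expected.Count; $i++) {
        if ($Actual[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

function Set-NameServers {
    # Same WMI method fixDNS.vbs calls; ReturnValue 0 means the adapter accepted the list.
    param([string[]]$Servers)
    $failures = 0
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($adapter in $adapters) {
        $rc = $adapter.SetDNSServerSearchOrder($Servers)
        if ($rc.ReturnValue -ne 0) { $failures++ }
    }
    return $failures
}

$site = Get-AdSiteName
if (-not $site -or -not $SiteDns.ContainsKey($site)) {
    # Mirrors the VBScript: no site mapping, no remediation; the rule sees a non-matching string.
    Write-Output "Cannot determine AD SiteName"
    exit 0
}
$expected = $SiteDns[$site]

if ($Remediate) {
    $failed = Set-NameServers -Servers $expected
    exit $failed      # a non-zero exit code is reported as a remediation failure
}

$lists = @(Get-StaticNameServers)
$ok = ($lists.Count -gt 0)
foreach ($entry in $lists) {
    if (-not (Test-NameServerOrder -Actual $entry.Servers -Expected $expected)) { $ok = $false }
}
# Write-Output, not Write-Host: the CI compares the script's standard output with the rule value.
if ($ok) { Write-Output "Compliant" } else { Write-Output "Non-compliant" }
```

Paste it twice into the CI: unchanged as the discovery script, and with the param line replaced by `$Remediate = $true` as the remediation script. Two things to check before deploying: the rule's expected value must equal the string the script writes to standard output (Write-Host output is not captured), and the client's PowerShell execution policy setting (under the Computer Agent client settings in 2012 SP1 and later) defaults to All Signed, so either sign the script or change that setting for the target collection.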

11. Select the Compliance Rules tab and select New… Enter your rule details. Notice the return value expected is what is returned (echoed) back by the chkDNS.vbs script.

12. After you click OK, you’ll have your first compliance rule set up…

13. Click OK, then Next…

14. Select Next again…

15. Click Next again to see the Summary and complete the wizard…

16. All done with the CI…

17. Now on to the Configuration Baseline: right-click Configuration Baselines, then select Create Configuration Baseline…

18. Enter the details for the new Baseline, then select Add, Configuration Items…

19. Select the Windows Server DNS Configuration Item and then select Add…

20. Select OK to complete your new Baseline…

21. Our Baseline isn’t very good unless we deploy it. I typically deploy to a small test collection, or you can use your lab if you have one. I have one test server I use to test the VBScripts before adding them into SCCM. I am also using a duplicate of the Baseline called “DNS Server Configuration Baseline (Report Only)” that is set NOT to remediate, so I can check the compliance reports and determine how the CI will affect all systems. If this is a permanent CI, I will add it to our “Configuration Baseline for All Windows Servers”, which is targeted to All Windows Server Clients.

22. Right-click on your Baseline and select Deploy. You will also notice the Deployments tab below, which is handy for knowing what deployments you may already have set up.

23. This will be a Remediation Deployment, so select “Remediate noncompliant rules when supported”. You can also set “Allow remediation outside the maintenance window”, and then set the schedule to run after business hours.

24. This fix needs to run nightly for a while until all is compliant, so I have the schedule set to after hours. If you checked “Allow remediation outside the maintenance window”, this should run the remediation during this deployment’s schedule regardless of maintenance windows. Hopefully, in theory!

25. Click OK to complete the deployment.

26. Switch to your Monitoring wunderbar and select Deployments.

27. If you have a bunch of deployments, right-click on the column headers to group by feature type.

28. I’ve already added it to a global “All Windows Server Clients” collection. Another note: by default, we do not target any DCs with these compliance settings. I’ve blanked out some branding, but you can get the idea from looking at the Deployments screen.

29. At the bottom of the screen, you have great compliance data being compiled…

30. Click on View Status for detail by server and status…

31. Checking out the policy on the agent: from Control Panel, System and Security, select Configuration Manager, then Configurations…

32. If you do not see your Configuration Baseline, select Actions, Machine Policy Retrieval & Evaluation Cycle. The Baseline should show up in a few minutes at most. Since we do not have the evaluation scheduled until after 11PM, you can select Evaluate to check compliance without having to wait. Since I have a number of CIs in my Baseline, the overall Compliance Status is Non-Compliant, but by selecting View Report, I can see the detail.

33. I haven’t investigated the Compliance Settings reports in SCCM 2012, but that is the next step!

2 Comments

  1. This would be awesome if it didn’t use visual basic scripting. That’s “so” 2003.

    • While there is nothing wrong with using VBScript, you can change the script language to VBScript, PowerShell, or JScript.
