Compliance Settings SCCM 2012


Compliance Setting in SCCM 2012

Compliance Settings in SCCM 2012 assess and remediate the configuration and compliance of the servers, workstations and mobile devices in your organization.

In this post, I will walk through a few examples of using Compliance Settings, including reporting, and review a few log files to see how the evaluation is recorded.

Example 1:

Assess/track the version of a file and report Compliance or Non-Compliance if the file version does not match the specified version. The baseline is targeted to a specific device collection that has 2 members.

Start with a Configuration Item that will contain the configuration settings.

Go to “Asset and Compliance–>Compliance Settings–>Configuration Items”

Right click and select “Create Configuration Item”, enter/select the following values and click “Next”


Select “Always assume application is installed”

If you have an application that has an MSI you can also select “Use Windows Installation Detection”. Click “Next”

The following screen will appear; click “New”

After you click “New”, enter the setting name, change the setting type to “File System” and then click “Browse”

When you click “Browse”, connect to the computer that has the new version of the file, update the check boxes as below and then click “Add”

Once you click “Add”, update the file property as below and click “OK”


Click on “Compliance Rules” tab

On the “Compliance Rules” tab, edit each rule and change the “Severity” to Warning for each “Compliance Rule”

Note: when you click on the 2nd rule, “Version check”:
At this point the configuration item is created.
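The file-version condition that the “File System” setting above evaluates can also be expressed as a Script setting. The following PowerShell discovery script is an added example and is not code from the original post; it reports “Compliant” only when the file exists and its version equals the expected one. The file path and the expected version are assumptions for illustration; take the real version from the reference computer, as the wizard does when you browse to it.

```powershell
# Added example (not from the original post): a discovery script that evaluates
# the same condition Example 1 builds with a File System setting and a version
# rule. Import it as a Script setting (data type String) with the compliance
# rule "value must equal Compliant".
# The path and version below are assumptions used for illustration only.

$FilePath        = Join-Path $env:SystemRoot 'System32\mspaint.exe'
$ExpectedVersion = '6.1.7600.16385'   # assumed value; use the version from the reference machine

function Test-FileVersionCompliance {
    param(
        [Parameter(Mandatory=$true)] [string]  $Path,
        [Parameter(Mandatory=$true)] [version] $Version
    )

    # A missing file is reported as NonCompliant instead of throwing, so the
    # compliance rule always receives a string it can compare.
    if (-not (Test-Path -LiteralPath $Path)) {
        return 'NonCompliant'
    }

    # Build the version from its numeric parts rather than parsing the
    # FileVersion string, which can carry trailing text such as a build tag.
    $vi     = (Get-Item -LiteralPath $Path).VersionInfo
    $actual = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    # Example 1 checks for an exact match. Change -eq to -ge to mirror the
    # "Greater than or equal to" operator offered by the compliance rule.
    if ($actual -eq $Version) { 'Compliant' } else { 'NonCompliant' }
}

Test-FileVersionCompliance -Path $FilePath -Version $ExpectedVersion
```

The script prints a single string, which is what a Script setting of data type String compares against in its compliance rule; an old file version or a missing file both evaluate to “NonCompliant”, matching the report the two workstations produce later in this example.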

Next we will create the “Configuration Baseline” and in this “Configuration Baseline” add the configuration item that we created and deploy it to a collection for compliance evaluation.


Deploy this Configuration Baseline to a “Collection”

Click on “Run summarization”


Now let us check the compliance evaluation/Reporting, which can be reviewed on the client and from the SCCM console.

Evaluating Compliance on the client

On the client workstation go to Control Panel–>Configuration Manager–>Actions and refresh “Machine Policy Retrieval and Evaluation Cycle”

Go to the “Configurations” tab; you will see that the configuration baseline is assigned to this computer

Click “Evaluate”, then “Refresh” and then “View Report”

On this workstation, since I am using an older version of MSPAINT, it is shown as “Non-Compliant”

The other workstation has the correct file version and is shown as “Compliant”

Evaluating the compliance from SCCM Console

Launch the console and go to Asset and Compliance->Monitoring->Alerts

Go to Monitoring->Deployments


A variety of reports can be generated from: Monitoring->Reporting->Compliance and Setting Management


Example 2:

In this example, we will use a PowerShell script to check a specific service and report compliance/non-compliance.

Scenario:

  •  If the “Spooler” service is running and the start mode is Automatic, it is Compliant
  •  If the service is running and the start mode is set to Manual or Disabled, it is Non-Compliant
  •  If the service is not running, whatever the start mode (Automatic, Manual or Disabled), it is Non-Compliant

Though you could also remediate it by adding a remediation script, in this scenario I am not using that feature.


The following PowerShell script will be used to achieve this goal:

    # Discovery script: prints "Compliant" unless any of the listed services
    # is stopped or has a start mode other than Automatic.
    function CheckService {
        param($Services)

        $Compliance = "Compliant"

        # Every service that is stopped OR is not set to start automatically
        $StoppedServices = Get-WmiObject Win32_Service -Filter "state='stopped' or startmode!='auto'"

        # $Services holds WMI service names (e.g. "spooler"), not display names
        $StoppedServices | ForEach-Object { if ($Services -match $_.Name) { $Compliance = "NonCompliant" } }

        $Compliance
    }

    $services = "spooler"

    CheckService -Services $services
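The scenario above mentions that a remediation script could be paired with the discovery script. The following is an added example, not code from the original post, of what that remediation script would look like for the Spooler scenario: it sets the start mode back to Automatic and starts the service, and ends by printing the same compliance string the discovery script uses. It assumes the service name “Spooler” from the scenario and that the Script setting’s compliance rule is configured to run the remediation script when the setting is non-compliant.

```powershell
# Added example (not the post's code): remediation script for the Spooler
# scenario. Configuration Manager runs it only when the discovery script's
# value fails the compliance rule and remediation is enabled for the rule
# and the deployment. The service name is taken from the scenario above.

$ServiceName = 'Spooler'    # WMI service name, not the display name

function Repair-ServiceCompliance {
    param([Parameter(Mandatory=$true)] [string] $Name)

    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        # Nothing to remediate; report it so the next evaluation shows why
        return "NonCompliant: service $Name not found"
    }

    # Win32_Service reports StartMode as Auto/Manual/Disabled; the method
    # ChangeStartMode expects Automatic/Manual/Disabled.
    if ($svc.StartMode -ne 'Auto') {
        $result = $svc.ChangeStartMode('Automatic')
        if ($result.ReturnValue -ne 0) {
            return "NonCompliant: ChangeStartMode returned $($result.ReturnValue)"
        }
    }

    # Start the service if it is not already running.
    if ($svc.State -ne 'Running') {
        $result = $svc.StartService()
        if ($result.ReturnValue -ne 0) {
            return "NonCompliant: StartService returned $($result.ReturnValue)"
        }
    }

    'Compliant'
}

Repair-ServiceCompliance -Name $ServiceName
```

The non-zero return codes of the WMI methods are surfaced in the output rather than swallowed, so a remediation that cannot complete (for example a service that another policy keeps disabled) is visible in the next compliance report instead of looking like a silent success.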


Go to SCCM Console->Assets and Compliance->Compliance Settings->Configuration Items

Start the “Create Configuration Item Wizard”, enter a name, click “Next” and select the “Operating System that will assess this configuration for compliance”

Then at the Settings option click “New”, select the setting type “Script” and data type “String”, and click “Add Script”

Under Script Language choose “Windows PowerShell”, import/paste the script and click “OK”

Create a compliance rule as below

Next go to Configuration Baselines, create a new configuration baseline, add the “Configuration Item” to this baseline and deploy it to a collection, as we did in the previous example


Configuration Packs

Configuration Packs are predefined configuration baselines for operating systems and applications, e.g. Exchange Server 2010, Windows Server 2008, Windows 7, IE and Microsoft Office, that contain the configuration items you want to monitor.

You can get these configuration packs from:

http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

http://pinpoint.microsoft.com/en-US/applications/microsoft-security-compliance-manager-12884902442

Download Security Compliance Manager (SCM) from the above site and install it on any workstation/server.

Launch SCM and export the desired baseline in the SCCM DCM 2007 format, then go to the SCCM 2012 console, import it under Configuration Baselines and tweak it based on your requirements.

Deploy it to devices through collections and evaluate it on a defined schedule.

A few log files for reviewing the record process information on the site server and on the client


DCMAgent.log:  Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.

CIAgent.log: Records details about the process of remediation and compliance for compliance settings, software updates, and application management.

e.g. from our Example 1 above, the CI agent job is initiated with job id 5851XXX for one target machine (DCMAgent.log on the client)

The mspaint baseline is targeted to this collection for evaluation (CMAgent.log on the client)

DCMReporting.log: Records information about reporting policy platform results into state messages for configuration items.

DcmWmiProvider.log: Records information about reading configuration item synclets from Windows Management Instrumentation (WMI).
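All of the client logs listed above use the CMTrace line format (`<![LOG[message]LOG]!><time=... date=... component=... type=... thread=... file=...>`), which is easy to parse when you want to pull the entries for one evaluation job out of a busy DCMAgent.log. The parser below is an added example and is not code from the original post; the two log lines it parses are constructed for this example, and the job GUID in them is a placeholder.

```powershell
# Added example (not from the original post): a parser for the CMTrace format
# used by DCMAgent.log, CIAgent.log and the other client logs, plus a filter
# that returns the entries belonging to one CI agent job.

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] [string] $Line)
    begin {
        # One record: <![LOG[msg]LOG]!><time=".." date=".." component=".." context=".." type=".." thread=".." file="..">
        $pattern  = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<component>[^"]*)" context="(?<context>[^"]*)" type="(?<type>\d+)" thread="(?<thread>\d+)" file="(?<file>[^"]*)">\s*$'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # CMTrace type codes
    }
    process {
        # Continuation lines of multi-line entries do not match and are skipped.
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.component
                Severity  = $severity[$Matches.type]
                Thread    = [int]$Matches.thread
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CMTraceEntriesForJob {
    # Returns the parsed entries whose message mentions the given job id.
    param([string[]] $Lines, [string] $JobId)
    $Lines | ConvertFrom-CMTraceLine | Where-Object { $_.Message -like "*$JobId*" }
}

# Constructed sample lines (not real log output); the GUID is a placeholder job id.
$SampleLines = @(
    '<![LOG[CIAgentJob({11111111-2222-3333-4444-555555555555}): starting evaluation of baseline MSPaint Version Check (constructed sample)]LOG]!><time="09:30:15.214+000" date="03-12-2013" component="DCMAgent" context="" type="1" thread="2468" file="sample.cpp:1">',
    '<![LOG[Unrelated entry from another component (constructed sample)]LOG]!><time="09:30:16.000+000" date="03-12-2013" component="CIStateStore" context="" type="1" thread="1357" file="sample.cpp:2">',
    '<![LOG[CIAgentJob({11111111-2222-3333-4444-555555555555}): CI MSPaint File Version evaluated as NonCompliant (constructed sample)]LOG]!><time="09:30:17.002+000" date="03-12-2013" component="CIAgent" context="" type="2" thread="2468" file="sample.cpp:3">'
)

Get-CMTraceEntriesForJob -Lines $SampleLines -JobId '11111111-2222-3333-4444-555555555555' |
    Format-Table Time, Component, Severity, Message -AutoSize
```

On a client, replace `$SampleLines` with `Get-Content "$env:windir\CCM\Logs\DCMAgent.log"` (the default client log folder) and pass the CIAgentJob id you see in the console or in CMTrace; filtering on the thread id instead of the message is another way to follow one job, since the agent logs a job's steps from the same thread.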

Technical Reference for Log Files in Configuration Manager & Compliance Settings

http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_ClientInstallLog

http://technet.microsoft.com/en-us/library/gg681958.aspx


 DISCLAIMER: This posting is provided “AS IS” with no warranties and confers no rights 


Comments (6)

  1. Deepanshu says:

    Hi

    i am having problem with finding machines in file based compliance.

    during the browse option to find the MS PAint application it gives the error

That it is unable to connect to the machine name. Ensure that the computer is connected to this network or you have sufficient permission to connect.

    Please help how to resolve this issue

    Machines are joined to the domain

    and have the client installed on them

  2. Hope you have resolved the issue by now. First you may want to check if you are able to access the share/file on that computer from a different workstation/server

  3. panky says:

    Hi, the PowerShell script gives a compliant return for both services which are running or stopped. Can you please check it.

  4. cpizzer says:

    I know this is an old article but @panky you need to use the service name, not the generic name. For instance Windows Update is wuauserv.

  5. Sourabh says:

    I have created a configuration baseline (configuration item with script) and deployed it on a collection. I have scheduled it to run every 7 days.

    The CB is available on the client but not yet evaluated even though the client is healthy and taking policies in the normal interval. I tried to investigate but didn't get any success in dcmagent.log & ciagent.log.

    Is there any alternate to evaluate CB remotely ??

  6. Sudarsen says:

    Great explanation about the Compliance Settings in SCCM 2012

    Can I create a single config item and baseline to

    1. Check if a file exists in a specific location

    2. A service is in the running state