
Upload: nguyentuong

Post on 18-Mar-2018


prajwaldesai.com http://prajwaldesai.com/sccm-2012-compliance-settings/

SCCM 2012 Compliance Settings

If you have worked on SCCM 2007, note that what Configuration Manager 2007 called desired configuration management is now called compliance settings in System Center 2012 Configuration Manager. SCCM 2012 compliance settings contains tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Configuration item settings of the type Windows Management Instrumentation (WMI), registry, script, and all mobile device settings in Configuration Manager let you automatically remediate noncompliant settings when they are found.

Compliance is evaluated by defining a configuration baseline that contains the configuration items that you want to evaluate, together with the settings and rules that describe the level of compliance you must have. You can import this configuration data from the web as Microsoft System Center Configuration Manager Configuration Packs, which contain best practices defined by Microsoft and other vendors. An administrator can also create new configuration items and configuration baselines. After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them.

Configuration items: A collection of settings, values, and criteria that defines what is compared, checked, or evaluated on a target system.

Configuration baselines: A grouping of multiple configuration items. Configuration items must be part of a configuration baseline to be assigned for evaluation on a collection of systems.

Prerequisites for Compliance Settings in Configuration Manager

1) Clients must be enabled and configured for compliance evaluation. To enable it, in the CM console click Administration, Client Settings. Right-click the custom client device settings and select Properties. Choose Compliance Settings.

Note: If you want to enable compliance on all the devices, select Default Client Settings. In this example I have created a Custom Client Device Settings, and Compliance Settings is selected and set to True.

On the left pane, select Compliance Settings and, under Device Settings, set Enable compliance evaluation on clients to True.

2) The reporting point site system role must be installed and configured. To install the reporting point site role, click Administration, Site Configuration, Sites, Add Site System Roles, and choose Reporting services point.

As an example, we will download the Configuration Manager packs from one of the vendors and import them into our Configuration Manager. We will deploy the configuration baseline to a collection and test the compliance. In this example we will download the Configuration Pack for System Center 2012 Configuration Manager here. This Configuration Pack contains configuration items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. This configuration pack monitors the following site system roles: management points, site server, and software update points.

After you download the configuration pack, install the msi file on the SCCM machine. Also note the path where the files are installed.

On the CM console, under Assets and Compliance, Compliance Settings, right-click Configuration Baselines and select Import Configuration Data.

Click Add.

Browse to the path where the configuration pack was installed. Select the Configuration Manager config pack (.cab file) and click Open.

Click Next.

Click Close.

Once you have imported the config pack, click Configuration Items. We see that there are four configuration items. Right-click one of them and click Properties.

Every configuration item has these properties. This configuration item evaluates the configuration of the CM 2012 Management Point role against Microsoft's recommended best practices.

In the next tab, Settings, there are a few scripts which are executed to test the management point against Microsoft best practices.

To deploy this configuration baseline, right-click the configuration baseline and click Deploy.

Select Remediate noncompliant rules when supported and Allow remediation outside the maintenance window. Choose the collection by clicking Browse. In this example I have created a device collection called SCCM Server and my SCCM server is added to it. Click Customize and set the schedule of your choice.

We see the change now. The configuration baseline has been deployed to a collection.

After a few minutes we see that under Noncompliance Count the value has changed from 0 to 1. Let's find out the reason.

On the SCCM machine, click Control Panel, Configuration Manager, Configurations. We see a baseline listed there. This is the same configuration baseline that we deployed in the above steps. Click Evaluate and then View Report.

Out of the 4 configuration items, one item has reported that our SCCM server is non compliant.

Let's see why exactly it's non compliant. Under Non Compliant rules we see that BGB firewall port for Management point is open. As per the script, the warning is set to be generated if the BGB port is found closed on the MP. The rest of the configuration items report that our server is Compliant.
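The Evaluate step in the Configurations tab can also be driven from PowerShell on the client, which helps when the same baseline has to be checked on several servers. This is an added example, not part of the original post; it uses the client's root\ccm\dcm WMI namespace, and the name filter is a placeholder to adjust to your baseline's display name.

```powershell
# Added example: run in an elevated PowerShell 3.0+ session on the Configuration Manager client.
# Assumption: $NameFilter is a placeholder pattern for the baseline's display name.
$NameFilter = '*Configuration Manager*'
$Namespace  = 'root\ccm\dcm'

function Get-DeployedBaseline {
    param([string]$Filter)
    # Every baseline deployed to this client appears as an SMS_DesiredConfiguration instance.
    Get-WmiObject -Namespace $Namespace -Class SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -like $Filter }
}

function Format-Status {
    param($Code)
    switch ($Code) {
        0       { 'NonCompliant' }
        1       { 'Compliant' }
        default { "Other ($Code)" }   # any other state is shown as its raw code
    }
}

$dcm = [wmiclass]"${Namespace}:SMS_DesiredConfiguration"
foreach ($b in Get-DeployedBaseline -Filter $NameFilter) {
    # Same action as the Evaluate button in the Configurations tab.
    $r = $dcm.TriggerEvaluation($b.Name, $b.Version)
    "Triggered '{0}' v{1}: ReturnValue={2}" -f $b.DisplayName, $b.Version, $r.ReturnValue
}

# Evaluation runs asynchronously; wait before reading the result.
Start-Sleep -Seconds 60

Get-DeployedBaseline -Filter $NameFilter | ForEach-Object {
    [pscustomobject]@{
        Baseline = $_.DisplayName
        Version  = $_.Version
        LastEval = $_.LastEvalTime     # DMTF datetime string as stored by the client
        Status   = Format-Status $_.LastComplianceStatus
    }
}
```

The output says only whether each baseline is compliant; the per-rule detail still comes from View Report.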

What is BGB (Big Green Button)? A way for administrators to push out urgent actions across a large number of clients, for instance a quick or full scan to combat a particular infection.

Right-click the configuration item Microsoft System Center 2012 Configuration Manager Management Point, select Properties, choose Compliance Rules, select BGB firewall port and click Edit.

The setting defined here checks whether the BGB port is open on the firewall. If it's not open then a Warning is generated.

In the next step we will modify the compliance rule for the BGB firewall port. As per the compliance conditions, the BGB firewall port should be open on the management point. In this lab we don't need the BGB port to be open, so we will change the operator applied to the value returned by the script from Equals to "Not equal to". This means a warning is not generated if the BGB port is closed on the management point.
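The sketch below shows how a script setting and its compliance rule interact, and what switching the operator does to the verdict for each possible port state. It is an added example, not the configuration pack's script: the function names and the 'Open'/'Closed' return values are hypothetical, the port is the product's default client notification port (TCP 10123, confirm your site's value), and the firewall cmdlets require Windows Server 2012 or later.

```powershell
# Added example (not the pack's script). Assumptions: port 10123/TCP and the
# 'Open'/'Closed' return values; block rules and firewall profiles are not considered.
$Port = 10123

function Test-InboundAllowed {
    param([int]$Port)
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -notin 'TCP', 'Any') { continue }
        foreach ($p in $filter.LocalPort) {
            if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
            # Port filters may also hold ranges such as 10000-10200.
            if ($p -match '^(\d+)-(\d+)$' -and
                $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
    }
    return $false
}

# Models the compliance rule: the value returned by the script is compared with
# the rule's value using the operator selected in the rule's Edit dialog.
function Get-RuleVerdict {
    param(
        [string]$Returned,
        [string]$Expected,
        [ValidateSet('Equals', 'NotEqual')][string]$Operator
    )
    $same = ($Returned -eq $Expected)
    if ($Operator -eq 'NotEqual') { $same = -not $same }
    if ($same) { 'Compliant' } else { 'NonCompliant (Warning)' }
}

# Verdict for both port states under the original and the edited operator.
foreach ($op in 'Equals', 'NotEqual') {
    foreach ($value in 'Open', 'Closed') {
        '{0,-8} returned={1,-6} -> {2}' -f $op, $value,
            (Get-RuleVerdict -Returned $value -Expected 'Open' -Operator $op)
    }
}

# A discovery script reports a single value; the client applies the rule to it.
if (Test-InboundAllowed -Port $Port) { 'Open' } else { 'Closed' }
```

With the operator set to NotEqual, a closed port evaluates as compliant and an open port produces the warning, so the edited rule will flag the management point if the port is opened later.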

After a few minutes we evaluate and run the compliance report on the SCCM server again, and we see that our SCCM server is fully compliant with Microsoft's recommended best practices.

The compliance count value is changed from 0 to 1 in the CM console.