SCCM 2012 Compliance Settings
If you have worked with SCCM 2007, note that what Configuration Manager 2007 called desired configuration management is called compliance settings in System Center 2012 Configuration Manager. SCCM 2012 compliance settings contain tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Configuration item settings of the type Windows Management Instrumentation (WMI), registry, and script, and all mobile device settings in Configuration Manager, let you automatically remediate noncompliant settings when they are found.
Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to evaluate, together with the settings and rules that describe the level of compliance you must have. You can download this configuration data from the web as Microsoft System Center Configuration Manager Configuration Packs, which contain best practices defined by Microsoft and other vendors, and then import it into Configuration Manager. An administrator can also create new configuration items and configuration baselines. After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them.
Configuration items: A collection of settings, values, and criteria that defines what is compared, checked, or evaluated on a target system.
Configuration baselines: A grouping of multiple configuration items. Configuration items must be part of a configuration baseline to be assigned for evaluation on a collection of systems.
Prerequisites for Compliance Settings in Configuration Manager
1) Clients must be enabled and configured for compliance evaluation. To enable it, in the CM console click Administration, Client Settings. Right-click Custom Client Device Settings, select Properties, and choose Compliance Settings.
Note – If you want to enable compliance on all devices, select Default Client Settings instead. In this example I have created a Custom Client Device Settings object in which Compliance Settings is selected and enabled.
In the left pane, select Compliance Settings and, under Device Settings, set Enable compliance evaluation on clients to True.
2) The reporting services point site system role must be installed and configured. To install it, click Administration, Site Configuration, Sites, Add Site System Roles, and choose Reporting services point.
As an example we will download a Configuration Pack from one of the vendors and import it into our Configuration Manager. We will then deploy the configuration baseline to a collection and test compliance. In this example we download the Configuration Pack for System Center 2012 Configuration Manager here. This Configuration Pack contains configuration items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. It monitors the following site system roles: management points, site server, and software update points.
After you download the configuration pack, install the MSI file on the SCCM machine. Note the path where the files are installed.
In the CM console, under Assets and Compliance, Compliance Settings, right-click Configuration Baselines and select Import Configuration Data.
Click on Add.
Browse to the path where the Configuration Pack was installed. Select the Configuration Manager config pack (.cab file) and click Open. On the next screen click Next.
Click on close.
Once you have imported the config pack, click Configuration Items. We see that there are four configuration items. Right-click one of them and click Properties.
Every configuration item has these properties. This configuration item evaluates the configuration of the CM 2012 management point role against Microsoft's recommended best practices.
In the next tab, Settings, there are a few scripts that are executed to test the management point against Microsoft best practices.
To deploy this configuration baseline, right-click the configuration baseline and click Deploy.
Select Remediate noncompliant rules when supported and Allow remediation outside the maintenance window. Choose the collection by clicking Browse. In this example I have created a device collection called SCCM Server and my SCCM server is added to it. Click Customize and set the schedule of your choice.
We see the change now: the configuration baseline has been deployed to a collection. After a few minutes we see that the Noncompliance Count value has changed from 0 to 1. Let's find out why.
On the SCCM machine, open Control Panel, Configuration Manager, Configurations; we see a baseline listed there. This is the same configuration baseline we deployed in the steps above. Click Evaluate and then View Report.
Out of the four configuration items, one reports that our SCCM server is noncompliant.
Let's see exactly why it is noncompliant. Under Non-Compliant Rules we see the rule BGB firewall port for Management point is open. As the script is written, the warning is generated if the BGB port is found closed on the MP. The rest of the configuration items report that our server is compliant.
What is BGB (Big Green Button)? A way for administrators to push out urgent actions across a large number of clients, for instance to combat a particular infection through a quick or full scan.
Right-click the configuration item Microsoft System Center 2012 Configuration Manager Management Point, select Properties, choose the Compliance Rules tab, select BGB firewall port and click Edit.
The setting defined here checks whether the BGB port is open on the firewall. If it is not open, a Warning is generated.
In the next step we will modify the compliance rule for the BGB firewall port. As per the compliance conditions, the BGB firewall port should be open on the management point. In this lab we don't need the BGB port to be open, so we will change the operator applied to the value returned by the script from Equals to "Not equal to". This means a warning is not generated if the BGB port is closed on the management point.
After a few minutes we evaluate and run the compliance report on the SCCM server again, and we see that our SCCM server is now fully compliant with Microsoft's recommended best practices.
The Compliance Count value in the CM console has changed from 0 to 1.
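To make the script-type setting on the Settings tab and the Equals / Not equal to compliance rule concrete, here is an added example. It is not the configuration pack's own script and not code from the original post. It assumes the BGB client notification port is TCP 10123 (set `$Port` to whatever your management point uses), that the MP runs a Windows version with the NetSecurity module (`Get-NetFirewallRule`, `Get-NetFirewallPortFilter`, `New-NetFirewallRule`), and the function names and rule display name are chosen here for illustration. The discovery part is what ConfigMgr would run and compare; `Test-ComplianceRule` is only a local model of the two operators, not the ConfigMgr evaluation engine.

```powershell
# Added example: discovery and remediation scripts for a script-type configuration
# item that checks the BGB (client notification) firewall port on a management point.
# In ConfigMgr the discovery body and the remediation body are pasted into separate
# boxes of the Script setting; they are kept together here so the file runs as one unit.

# ASSUMPTION: default client notification port used in this lab; adjust to your MP's value.
$Port = 10123

# Discovery: $true if an enabled inbound Allow rule covers the TCP port (exact port,
# a port range, or "Any"), otherwise $false.
function Test-InboundTcpPortOpen {
    param([int]$Port)
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne 'TCP') { continue }
        foreach ($entry in @($filter.LocalPort)) {
            if ($entry -eq 'Any') { return $true }
            if ($entry -match '^(\d+)-(\d+)$') {
                if ([int]$Matches[1] -le $Port -and $Port -le [int]$Matches[2]) { return $true }
            } elseif ($entry -eq "$Port") {
                return $true
            }
        }
    }
    return $false
}

# The value the compliance rule compares against: "Open" or "Closed".
function Get-BgbPortState {
    param([int]$Port)
    if (Test-InboundTcpPortOpen -Port $Port) { 'Open' } else { 'Closed' }
}

# Remediation: runs only when the rule is noncompliant and remediation is enabled on the
# deployment. Creates the inbound rule only if discovery finds the port closed, and only
# for the domain profile. Appropriate only on an MP that actually serves client notification.
function Repair-BgbPortRule {
    param([int]$Port)
    if (Test-InboundTcpPortOpen -Port $Port) { return }
    # ASSUMPTION: display name chosen for this example.
    New-NetFirewallRule -DisplayName "ConfigMgr client notification TCP $Port" `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port -Profile Domain | Out-Null
}

# Local model of the rule operator, to reason about the change made in this lab.
function Test-ComplianceRule {
    param([string]$Actual, [string]$Operator, [string]$Expected)
    switch ($Operator) {
        'Equals'     { $Actual -eq $Expected }
        'NotEqualTo' { $Actual -ne $Expected }
        default      { throw "Unsupported operator: $Operator" }
    }
}

# Discovery output: ConfigMgr takes the script's output as the discovered value.
$state = Get-BgbPortState -Port $Port
Write-Output $state

# Diagnostic lines for local reasoning only; remove them before pasting into the CI,
# because anything else the discovery script writes would also be treated as output.
"Equals Open     -> compliant: $(Test-ComplianceRule -Actual $state -Operator 'Equals'     -Expected 'Open')"
"NotEqualTo Open -> compliant: $(Test-ComplianceRule -Actual $state -Operator 'NotEqualTo' -Expected 'Open')"
```

Running the two diagnostic lines on a server where the port is closed shows the pack's original rule (Equals Open) reporting noncompliance and the edited rule (Not equal to Open) reporting compliance, which is the change seen in the lab. The same lines also show the caveat: switching the operator inverts the check rather than disabling it, so on a management point where the port is open the edited rule now reports noncompliance, and with Remediate noncompliant rules enabled the remediation script would be triggered by an open port. If the intent is to stop checking the port entirely, remove the rule, or the configuration item, from the baseline instead of inverting it.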