6:48 am in Uncategorized by nsienaert
Desired Configuration Management as we know it from CM2007 is now called Settings Management.
In the field I encounter quite a few environments where DCM is not used… I expect that Settings Management within CM2012 will be more popular because of the simplified user experience, user targeting and, last but not least, auto remediation.
Technically with CM2007 you could auto remediate as well but you had to be creative by populating collections based on the results of DCM evaluation. By linking these collections to your remediation program you were able to solve your non-compliant situation.
With CM2012 it will be less complicated, let’s have a look…
Under the “Assets and Compliance” wunderbar you can find the Compliance Settings node with Configuration items and Baselines underneath like in CM 2007.
For the sake of the demo I have created 2 baselines and each has one CI linked. Of course you can add multiple CIs per Baseline.
In the first Baseline (Windows 7 Labo) I will make sure that my machines have Remote Desktop enabled.
I’ll do this by checking the corresponding registry key.
In this example I use the registry, but you can also use AD queries, SQL queries, scripts (see below), … to check your compliance state.
Pay attention to the Browse button: besides browsing the server, you can also browse to a reference machine!
In the Compliance Rule tab you can specify the required value of the registry setting, AND there is a checkbox available to remediate the registry setting if the value does not meet the required value.
Further you can define which type of alerts you want regarding this CI.
I will add this CI now into a Baseline and target it to a machine OR user collection.
In the second baseline I will add a CI that checks if a certain folder exists; if it does not, it needs to be created. I’ll do this by combining 2 simple VB scripts.
In the General tab I select that I want to use a script.
I need to specify a script to check the compliant state (does the folder exist)
and another script that will remediate (create the folder).
Based on an echo command (This Folder Does Not Exist) I generate in the first script, the second script will start.
In the “Compliance Rules” tab I create a new rule. I specify here that if ConfigMgr receives the echo of the first script, which equals “This Folder Does Not Exist”, it will start the second script to create the folder (checkbox).
!! Without quotes it will not work!!
This CI will also be added to a baseline called Folder.
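The check and remediation scripts described above, sketched as an added example (this is not the author's original pair of scripts). The folder path, the `MODE` switch and the wording echoed when the folder exists are assumptions; only the string “This Folder Does Not Exist” comes from the post. The same body is pasted into both script boxes with `MODE` changed.

```vbscript
Option Explicit

' Constructed example path (assumption, not taken from the post).
Const FOLDER_PATH = "C:\CompanyData\Logs"

' "discover"  -> use this copy as the CI's check script
' "remediate" -> use this copy as the CI's remediation script
Const MODE = "discover"

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

If MODE = "remediate" Then
    EnsureFolder FOLDER_PATH
Else
    WScript.Echo Discover(FOLDER_PATH)
End If

' Returns the string the client reports back to ConfigMgr.
' The "Does Not Exist" text must match the compliance rule exactly.
Function Discover(path)
    If fso.FolderExists(path) Then
        Discover = "This Folder Exists"          ' assumed wording
    Else
        Discover = "This Folder Does Not Exist"  ' string from the post
    End If
End Function

' Creates the folder and any missing parent folders.
' CreateFolder on its own raises an error when the parent is missing
' or the folder already exists, so both cases are checked first.
Sub EnsureFolder(path)
    Dim parent
    If fso.FolderExists(path) Then Exit Sub
    parent = fso.GetParentFolderName(path)
    If Len(parent) > 0 Then
        If Not fso.FolderExists(parent) Then EnsureFolder parent
    End If
    fso.CreateFolder path
End Sub
```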
If we go to the clients and open the ConfigMgr client we see 2 baselines.
If we evaluate them we will see that the particular folder is created and Remote Desktop is enabled.
Changing the settings and removing the folder will be fixed if you hit the Evaluate button again or you can also wait for the Re-Evaluation cycle.
To conclude I also point to the Revision & Audit tracking that is possible with CM2012.
So no more, “I didn’t change anything!”
Till next time,
Nico (twitter: @nsienaert)