Compliance Settings - Mastering System Center 2012 R2 Configuration Manager (2014)

Chapter 14. Compliance Settings

The Compliance Settings feature in System Center 2012 R2 Configuration Manager allows you to assess the compliance of client devices with regard to a number of configurations, such as whether the correct operating system version is installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed on your clients. Additionally, you can check for compliance with software updates, security settings, and mobile devices. Configuration item settings for the Windows Management Instrumentation (WMI), the registry, and scripts in ConfigMgr 2012 allow you to automatically remediate noncompliant settings when they are found.

Compliance Settings is the new name for ConfigMgr 2007 Desired Configuration Management (DCM). With the new name come changes to the UI that simplify the process of creating compliance settings and make it possible for IT professionals to remediate noncompliant settings.

In this chapter, you will learn to

· Enable the client settings

· Create configuration items

· Define a configuration baseline

Overview of Compliance Settings

Compliance settings are evaluated by defining a configuration baseline that contains the configuration items you want to monitor and rules that define the required compliance. This configuration data can be imported from http://pinpoint.microsoft.com in Microsoft System Center Configuration Manager configuration packs, defined as best practices by Microsoft and other vendors, defined within Configuration Manager, or defined externally and then imported into Configuration Manager.

After a configuration baseline is defined, it can be deployed to devices through collections and evaluated on a schedule. Client devices can have multiple configuration baselines assigned to them, which provide the administrator with a high level of control.

Client devices evaluate their compliance against each configuration baseline they are assigned and immediately report back the results to the site using state messages and status messages. If a client is not currently connected to the network but has downloaded the configuration items referenced in its assigned configuration baselines, the compliance information will be sent on reconnection.

You can monitor the results of the configuration baseline evaluation compliance from the Deployments node of the Monitoring workspace in the Configuration Manager console. You can also run a number of compliance settings reports to drill down into details, such as which devices are compliant or noncompliant and which element of the configuration baseline is causing a computer to be noncompliant. You can also view compliance evaluation results from Windows clients on the Configurations tab of Configuration Manager in the Windows Control Panel.

What’s New in Configuration Manager 2012 R2?

The following Compliance Settings features are new or have been changed since Configuration Manager 2007 (see Figure 14.1).

Figure 14.1 Compliance Settings main page

· Configuration Manager 2007 Desired Configuration Management is now called Compliance Settings in Configuration Manager 2012.

· The process of creating configuration baselines has been simplified.

· Settings can be reused for multiple configuration items.

· Remediation is supported for WMI, registry, and script settings that are noncompliant.

· Configuration baselines can be deployed to users and devices.

· Compliance Settings can be used to manage mobile devices in the enterprise.

· You can create user data and profiles configuration items that contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8.

· The new Mac OS X configuration item lets you evaluate and remediate preference (.plist) settings on Mac computers. You can also use shell scripts to evaluate and remediate other Mac settings.

· New mobile device settings and mobile device setting groups have been added.

· Remote connection profiles, company resource access, certificate profiles, VPN Profiles, and Wi-Fi profiles can be created in this new section.

What Can You Do with Compliance Settings?

The best answer is that with Compliance Settings you can automatically check the compliance of your Configuration Manager clients against standards that you choose. Those standards can be company policies regarding how a computer is configured, policies for compliance with regulations such as Sarbanes-Oxley (SOX), or best practices defined by a vendor or based on your internal IT department’s experience. For example, they can be settings that a department manager has decided all the computers within the department must meet or a means to identify computers that need more memory as defined by the IT manager in charge of desktops.

Given that range of potential applications, the next question is, what settings can you check with Compliance Settings? This seems like an easy question to answer, but of course it isn’t. Let’s examine it from a different perspective, and then it will be clear exactly what you can and cannot check for using Compliance Settings.

Configuration Items

Configuration items (CIs) are the smallest single settings or standards that you assemble with other CIs to create a configuration baseline, which is then applied to Configuration Manager clients. You can choose from specific types of configuration items to create these checks:

· Application CIs

· Operating system CIs

· Software update CIs

· Mobile device CIs

· Mac OS X CIs

· General CIs

These types are key to understanding the limits of what you can do with Compliance Settings. The type of configuration item you choose in the wizard in the Configuration Manager console determines what kinds of checks you are allowed to include in that CI. Table 14.1 summarizes the main CI types.

Table 14.1: Configuration item types

Application

Definition: Used to check an application’s settings for compliance
Example: Checking Microsoft Office Word for the latest Normal.dot file

Operating system

Definition: Used to check a particular operating system’s version or settings for compliance
Example: Checking to ensure that Configuration Manager clients have the latest service pack for Microsoft Windows Vista installed

Software update

Definition: Used to check Configuration Manager clients for software update compliance
Example: Checking the status of approved software updates on Configuration Manager clients

Mobile device

Definition: Used to check and enforce settings on supported mobile devices
Example: Checking to ensure an unlock PIN setting is enforced to secure the device

Mac OS X

Definition: Used to check settings for compliance on supported Mac OS X devices
Example: Checking a preference list to ensure corporate settings are configured

General

Definition: Used to check settings of objects that do not fall under the other categories
Example: Checking the hosts file to ensure that spyware has not modified the file or that the system has the latest hosts file installed

As you would expect, not all of these configuration item types offer the same properties. For example, the operating system type contains a property to check for the exact build of the operating system that is running on the Configuration Manager client being evaluated; this option is not available in the other configuration types. As mentioned earlier, a configuration baseline can (and almost always will) contain multiple configuration items of all configuration types. The properties available to each configuration item type are listed in Table 14.2.

Table 14.2: Properties of configuration item types

Application

Available: General, Objects, Settings, Detection Method, Applicable, Security
Not available: Windows Version

Operating system

Available: Windows Version, Objects, Settings, Security
Not available: Detection Method, Applicable

Software update

Available: General, Security
Not available: Windows Version, Objects, Settings, Detection Method, Applicable

General

Available: General, Objects, Settings, Applicable, Security
Not available: Windows Version, Detection Method

The reason for restricting configuration item types to specific properties, instead of having a single type with all properties available, is to keep the configuration items as small as possible. Defining configuration items as specific types allows you to reuse them when you create configuration baselines. For example, you can create an operating system configuration item that checks for Microsoft Windows 8.

Additional objects and settings are available when you create this configuration item type. You can also check for the presence of a specific file and its attributes. You can run validation against an assembly that is present, and you can even check the string value of a registry key and report on noncompliance for any of these objects or settings, all within the same configuration item. But if you design your configuration items with the idea of being able to reuse them in multiple configuration baselines, they should be as lean and specific as possible. If you need the configuration item to validate something else for a particular scenario, you can simply create a child configuration item. This configuration item will inherit all the original settings of the configuration item and allow you to add additional validations, leaving the original configuration item intact and not affecting any of the configuration baselines that are using that configuration item.

Configuring Compliance Settings Client Settings

Configuring the Compliance Settings client settings is as easy as selecting Yes or No for the Enable Compliance Evaluation On Clients option and determining the appropriate schedule for clients to evaluate their compliance. This setting is located in the Administration workspace under Overview ⇒ Client Settings ⇒ Default Client Agent Settings. Then right-click and select Properties. This will open the properties window for the client settings (see Figure 14.2). By setting the Enable Compliance Evaluation On Clients option to Yes, you enable this option in the default settings. The default schedule for evaluation is every seven days. You can adjust this schedule as necessary for your environment, including using a custom schedule that will allow you more control over when it runs, but the default schedule will typically be adequate for most environments. You can also modify the default client settings, create new custom client settings, or modify existing custom client settings. You can create or modify custom client settings when you want to apply a group of client settings to specific collections.

Figure 14.2 The default client settings

Creating Configuration Items

Configuration items are pieces of the configuration baseline that, when assembled, will allow you to monitor configuration drift from what you have specified. To demonstrate the processes of creating configuration items and a configuration baseline, we’ll use a utility called Microsoft Calculator Plus, described in the accompanying sidebar. Because there are so many ways to configure this product and use it, we’ll demonstrate its use throughout this chapter so you can gain a better understanding of Compliance Settings. You can then take these examples and apply them to any product you choose.

Calculator Plus

This application is a mathematical calculator that allows you to complete many different types of conversions; it also includes all the mathematical functions offered in Microsoft Calculator. This is a very small application, which is why we selected it to use in this example.

To download this application, go to

http://www.microsoft.com/download/details.aspx?id=21622

You will need to install this application on your ConfigMgr client.

Start by opening the Configuration Manager console, if necessary. From the Assets And Compliance workspace, expand Overview; then expand Compliance Settings, right-click Configuration Items, and click Create Configuration Item. You should be on the General page of the Create Configuration Item Wizard, as shown in Figure 14.3.

Figure 14.3 The Create Configuration Item Wizard - General page

To create a new configuration item, follow the instructions in the wizard. As part of this chapter you will be guided through the steps to create your first configuration item and apply this to any collection for evaluation. In this example we will validate that Microsoft Calculator Plus is installed. You could also use any of the applications discussed in Chapter 8, “Application Deployment.”

Name, Description, and Category

In the Create Configuration Item Wizard, you begin on the General tab. Fill in the Name and Description fields and then create a category before moving to the next tab:

1. In the Name field, type Microsoft Calculator Plus - Installed.

2. In the Description field, type This configuration item validates that the Microsoft Calculator is installed.

3. Then, still in the Description field, press Ctrl+Enter to simulate a carriage return and add something descriptive stating when and by whom this item was created or changed.

You could use your initials or the current date or a combination; it just needs to be something that will help you later know who created or changed the item and when, so that if anyone has a question about your configuration item, they know who to contact.

4. Click the Categories button to open the categories list.

The list is populated with a few default categories, and the top section allows you to add your own custom categories.

What Is a Good Category?

This will depend on your own administration style to a certain degree as well as the number of configuration items you will be creating. If you plan to check only Exchange servers for configuration drift, then you may not need any additional categories or just a few more. If you plan to check clients for application settings, Internet Explorer for configuration drift, different operating systems files for the correct security settings, and so on, you would probably be wise to set up a standard for determining when new category types are needed and when you can use existing ones.

We have seen administrators who set up categories for every possible difference and others who set up none. If you are going to use the categories and build a large number of configuration items and baselines, then you should set up custom categories, but don’t go overboard. Remember that categories are used to sort and search, so if you have too many, you get little or no benefit; too few is the same as none. It’s best to use simple rules to create a standard: Does this configuration item fit into a category that exists already? Does that category generally and easily define this configuration item’s purpose? If the answer is no to either, then you probably need a new category.

For this example we are going to create a new category.

5. In the Add A New Category section, type Microsoft and click the Add button.

This should add it to the Administrative Categories section and select it.

6. Before you click OK, verify that your categories look like those in Figure 14.4.

Figure 14.4 The Create Configuration Item Wizard’s Manage Administrative Categories dialog box

7. Click OK to return to the General tab in the Create Configuration Item Wizard, which should now contain the item’s name, a description, and your newly created category.

8. Verify that your dialog looks the same as Figure 14.5, and then click Next.

Figure 14.5 Create Configuration Item Wizard - General page completed

Choosing a Detection Method

The next tab in the wizard is Detection Methods, which is unique to the application configuration item type; it is not offered with the other types. The purpose of this tab is to specify the method used to verify that the application being checked for is installed on the client.

Four options are available:

· The first is Always Assume Application Is Installed.

This will skip any verification check, which sounds great; you’re essentially telling the system to check the application for just the settings you’re about to specify. But if you do this while using certain rules in creating your configuration baseline, you will run into problems.

Baseline Rules

Which baseline rules cause problems? You will need to decide which, if any, of the following are problematic in your case:

· If these optional application configuration items are detected, they must be properly configured.

· These application configuration items must not be present.

If another baseline is dependent on these configuration items, it may invalidate your dependency.

· The second option, Use Windows Installer Detection, is used to verify the product code the application vendor included with the MSI installer and the version.

· The third option is Detect A Specific Application And Deployment Type; you can select an existing application and deployment type that has been previously created.

· The final option is Use A Custom Script To Detect This Application; you can use VBScript, JScript, or PowerShell.

In the following procedure, you’ll use the second option:

1. Select the Use Windows Installer Detection radio button.

This will require you to have access to the installation files, but if you downloaded the Microsoft Calculator Plus application from the Microsoft Downloads site, you should already have this file. If not, please download it now.

2. Assuming you have the Microsoft Calculator Plus files downloaded and extracted, click the Open button on the Detection Methods page, and browse to the folder where you saved the MSI file.

3. Find and double-click the calcplus.msi file, and it will populate the Product Code and Version fields on the Detection Methods page.

If this application is installed on a per-user basis, you may also need to check the corresponding box for it to be properly detected. If it was installed for all users, that is not necessary.

4. Before moving on to the next step, creating and validating an object, verify that your wizard settings look similar to those in Figure 14.6. (Your product code and version number may be different.)

Figure 14.6 CI application Detection Methods page

5. If everything is in order, click Next to proceed to the Settings tab.
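The Windows Installer detection configured above, reproduced as an added PowerShell example (not code from the book): it reads the ProductCode and ProductVersion from the MSI the way the Detection Methods page does, then looks for that product code where Windows Installer registers installations. The MSI path is an assumption about where you extracted the download; the per-machine, Wow6432Node and per-user Uninstall keys are the standard Windows Installer locations.

```powershell
# Added example (not from the book): mirror the Windows Installer detection method.
# Assumption: calcplus.msi was extracted to C:\Downloads\CalcPlus (adjust to taste).

function Get-MsiProperty {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $Property   # e.g. ProductCode, ProductVersion
    )
    # WindowsInstaller.Installer is late-bound COM, hence InvokeMember.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, 0) opens the MSI read-only (msiOpenDatabaseModeReadOnly).
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
    $query = "SELECT Value FROM Property WHERE Property = '$Property'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $record) { return $null }
    # StringData(1) is the first (and only) column of the fetched row.
    $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
}

function Test-ProductCodeInstalled {
    param([Parameter(Mandatory)] [string] $ProductCode)
    # Windows Installer records a product under Uninstall\{ProductCode}. A 32-bit MSI on
    # 64-bit Windows lands under Wow6432Node (the reflected view mentioned in the 64-bit
    # sidebar), and a per-user install lands under HKCU, which is what the per-user
    # check box on the Detection Methods page accounts for.
    $roots = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Scope = 'PerMachine' },
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'; Scope = 'PerMachine (32-bit view)' },
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Scope = 'PerUser' }
    )
    foreach ($root in $roots) {
        $key = Join-Path $root.Path $ProductCode
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            return [pscustomobject]@{
                Found          = $true
                Scope          = $root.Scope
                DisplayName    = $p.DisplayName
                DisplayVersion = $p.DisplayVersion
                KeyPath        = $key
            }
        }
    }
    [pscustomobject]@{ Found = $false; Scope = $null; DisplayName = $null; DisplayVersion = $null; KeyPath = $null }
}

# Usage: read the two values the wizard populates, then check this client.
$msi     = 'C:\Downloads\CalcPlus\calcplus.msi'      # assumed location
$code    = Get-MsiProperty -MsiPath $msi -Property 'ProductCode'
$version = Get-MsiProperty -MsiPath $msi -Property 'ProductVersion'
"MSI ProductCode: $code   ProductVersion: $version"

$installed = Test-ProductCodeInstalled -ProductCode $code
$installed | Format-List
# The detection method passes only when both the product code is present and the
# installed version matches the MSI; report which part would fail.
if (-not $installed.Found)                         { 'Detection would return Not Detected (product code absent)' }
elseif ($installed.DisplayVersion -ne $version)    { "Detection would fail on version: installed $($installed.DisplayVersion), MSI $version" }
else                                                { "Detection would pass ($($installed.Scope))" }
```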

Creating and Validating a Setting

On the Settings page, you tell the Create Configuration Item Wizard what type of setting to look for and where that setting is found.

Creating a Setting

In the empty window there are four columns—Name, Setting Type, Inherited, and User Setting—and a New button.

1. Click New (see Figure 14.7); a Create Setting window will appear, as shown in Figure 14.8.

Figure 14.7 CI application Settings page

Figure 14.8 Create Setting dialog box

The General tab of the Create Setting window has several fields and drop-down menus. The red circles with exclamation points indicate that the blank fields require input before you can create the configuration item.

2. From the Setting Type drop-down menu, select File System.

3. In the Path field, enter C:\Program Files (x86)\Microsoft Calculator Plus, and in the File Or Folder Name field, enter calcplus.exe.

Wildcards and Environment Variables with Compliance Settings

Wildcards are allowed, and actually required, in the Path field of the Specify File Or Folder To Assess For Compliance On The Computer section. The ? and * characters are the permitted wildcards, but you should carefully consider whether to use them. Wildcards can add considerable overhead when the client searches for a file or folder, because the search will work exactly as instructed; specifying the Windows directory, for example, and then telling it to search all subdirectories is not ideal. You can also use environment variables such as %ProgramFiles% or %AllUsersProfile%. Be aware that you may get more than one result if several users have the file or folder you are looking for somewhere in the search path.

4. In the Description field, enter This configuration item locates the file calcplus.exe and validates that it is the latest version of this file.

5. You can leave the This File Or Folder Is Associated With A 64-Bit Application check box unchecked for Microsoft Calculator Plus.

64-Bit Applications and the Registry

Readers who have 64-bit applications should be aware of a possible issue with the registry and configuration baselines. Because the registry reflector mirrors certain registry keys for interoperability between 32-bit and 64-bit applications, a single configuration baseline could detect the presence of two registry keys. If you are running 64-bit applications, you will need to check for this before deploying a configuration baseline containing a configuration item that checks for a registry key associated with a 64-bit application.

You have finished creating the object’s details by telling Compliance Settings what you are looking for and where to look for it. The next step is to validate the setting by telling Compliance Settings the specifics of the setting to validate.

6. Before you click OK to move to the Compliance Rules tab, make sure your General page looks like the one in Figure 14.9. Click Next when ready.

Figure 14.9 General page of the Create Setting dialog box completed

Validating a Setting

Now that you have created your setting, you need to tell Compliance Settings how you want this CI to validate the file.

1. As you did when creating a new setting, click the New button, shown in Figure 14.10, to get started.

Figure 14.10 The Compliance Rules page

The top field of the Create Rule dialog box contains the name of the compliance rule. This is a required field, and a value will be supplied by default.

2. In the Name field, enter the rule name File_calcplus.exe_Date Modified.

3. Click Browse.

4. Select Microsoft Calculator Plus - Installed, the CI name that you previously created. Click Select.

5. In the Description text box, enter the following or something similar, but make sure you also put your initials and the date in the event someone else reviewing this rule has questions: Validates that the calcplus.exe file in the Microsoft Calculator Plus folder has the latest version of the file approved and distributed by IT. 12/13/2013

In the Create Rule dialog box, you tell Compliance Settings exactly how to validate this file. The Setting Must Comply With The Following Rule field in the middle of the page is grayed out and unavailable because you have already selected the type of setting you are going to validate against. Next to that is a drop-down menu, where you have nine operators to choose from:

· Equals

· Not Equal To

· Greater Than

· Less Than

· Between

· Greater Than Or Equal To

· Less Than Or Equal To

· One Of

· None Of

If you choose Between as the operator, you get the option to specify a range.

6. In this example, choose the Equals operator, and in The Following Values field, enter the date and time for which you want the rule to be applied.

Obviously, because you are going to use this as a test, you should make a change to the file so that the modified date is not its original date, or input your validation date and time.

In the bottom section of the Create Rule dialog, choose the level of Noncompliance Severity For Reports should this check fail on one of your Configuration Manager clients. There are five levels to choose from:

· None

· Information

· Warning

· Critical

· Critical With Event

The Information, Warning, Critical, and Critical With Event levels report back to Configuration Manager, but None does not, and only Critical With Event also writes an event to the Windows application event log. None was made an option to prevent Compliance Settings rules from filling up the event logs on clients if a check comes back as invalid too many times. This might happen if, for example, you input the wrong validation data or if something outside your control occurs, such as an upgrade or service pack installation.

7. In this exercise, select None if you don’t already have it selected, and then verify that your window looks like Figure 14.11 before clicking OK to continue.

Figure 14.11 The Compliance Rules - Create Rule dialog box

8. Return to the Compliance Rules window, where in the formerly empty section you’ll now see the new compliance rules for this file.

You now have to tell Compliance Settings if you want it to report on a noncompliant event and, if so, the details of when and how it should report.

Select the File_calcplus.exe_Date Modified rule you just created, and click Edit. Check the Report Noncompliance If This Setting Instance Is Not Found check box so that it is enabled.

This option turns on and off the reporting of a noncompliant client and allows you to set the severity of noncompliance as well as at what point it should report. Click OK.

9. You have now created your first compliance item. After reviewing all information and verifying that it is correct, click Next to validate the supported operating systems.

This is the only object you are going to create in this first example; we’ll cover the other tabs and their options in later examples.

10. Because you are not going to make changes to this configuration item, you can click through to the end using the Next button at the bottom of the window.

Eventually you should reach the Summary tab, shown in Figure 14.12, which will give you a list of all the options and settings selected while creating this configuration item.

Figure 14.12 Application CI Summary page

11. Verify that the settings are as you expect them to be; if any are not, use the Previous button or the tabs to make any modifications.

12. Once you have checked to ensure that everything is in order, click the Next button or the Progress tab to start the process of building the configuration item.

After a short period, the progress indicator and window should disappear and you should see the Completion window, which says

Success: The Create Configuration Item Wizard completed successfully.

It also shows a list of the settings you chose. Verify again that everything is listed as expected. You can now click the Close button to complete the wizard and return to the Configuration Manager console.
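The same calcplus.exe Date Modified check, rebuilt as a Script setting so that the remediation the chapter mentions for script settings is possible. This is an added PowerShell example, not code from the book: the first function is the body of a discovery script whose single line of output an Equals compliance rule compares, the second is the matching remediation script. The approved modified date and the \\FILESERVER\Approved share are constructed placeholders.

```powershell
# Added example (not from the book): discovery and remediation scripts for a Script
# setting that replaces the File System / Date Modified setting created in the wizard.
# Constructed values: the approved date and the source share are placeholders.

$ApprovedDate   = [datetime]'2013-12-13 09:00:00'         # placeholder approved timestamp
$ApprovedSource = '\\FILESERVER\Approved\calcplus.exe'     # placeholder share with the approved copy

function Get-CalcPlusPath {
    # The wizard had you type C:\Program Files (x86)\Microsoft Calculator Plus. On 32-bit
    # Windows %ProgramFiles(x86)% does not exist, so fall back to %ProgramFiles% there.
    $base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    Join-Path $base 'Microsoft Calculator Plus\calcplus.exe'
}

# --- Discovery script -----------------------------------------------------------
# Data type String; compliance rule: Equals '2013-12-13 09:00:00'. The ConfigMgr client
# runs this as LocalSystem on its evaluation schedule and compares the output.
function Get-CalcPlusModifiedDate {
    $path = Get-CalcPlusPath
    if (-not (Test-Path -LiteralPath $path)) {
        # A sentinel value fails the Equals rule and is readable in the compliance reports.
        return 'FileMissing'
    }
    $ts = (Get-Item -LiteralPath $path).LastWriteTime
    # Seconds granularity: a hand-typed rule value can never match raw ticks.
    $ts.ToString('yyyy-MM-dd HH:mm:ss')
}

# --- Remediation script ---------------------------------------------------------
# Runs only when the discovery value is noncompliant and remediation is enabled on the
# rule. The computer account needs read access to the share because the script runs as
# LocalSystem.
function Restore-CalcPlusFile {
    $path = Get-CalcPlusPath
    if (-not (Test-Path -LiteralPath $ApprovedSource)) {
        Write-Error "Approved source $ApprovedSource is not reachable; client left unchanged."
        return $false
    }
    $dir = Split-Path -Parent $path
    if (-not (Test-Path -LiteralPath $dir)) {
        # The application itself is absent; the Required baseline rule should have caught
        # this via the detection method, so do not create a stray folder here.
        Write-Error "Install folder $dir missing; Microsoft Calculator Plus is not installed."
        return $false
    }
    Copy-Item -LiteralPath $ApprovedSource -Destination $path -Force
    # Pin the timestamp so the Equals rule is satisfied on the next evaluation, regardless
    # of how the copy on the share was stamped.
    (Get-Item -LiteralPath $path).LastWriteTime = $ApprovedDate
    return $true
}

# Stand-alone run: show what the discovery script would report to ConfigMgr.
$observed = Get-CalcPlusModifiedDate
"Discovery value: $observed"
if ($observed -ne $ApprovedDate.ToString('yyyy-MM-dd HH:mm:ss')) {
    'Noncompliant: remediation would run Restore-CalcPlusFile'
} else {
    'Compliant'
}
```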

Building a Configuration Baseline

Now that you have built a configuration item, you can use it to make your configuration baseline, which is what you assign to your clients to check for drift.

Briefly, you have a configuration item that validates that your Microsoft Calculator Plus application is installed and the file is the latest file you deployed. In order to deploy this compliance setting and rule, you need to create a baseline and apply this baseline to a specific collection to validate its compliance.

Configuration baselines in System Center 2012 R2 Configuration Manager contain predefined configuration items and optionally other configuration baselines. After a configuration baseline is created, you can deploy it to a collection so that devices in that collection will download the configuration baseline and assess their compliance with it.

Configuration baselines in System Center 2012 R2 Configuration Manager can contain specific revisions of configuration items or can be configured to always use the latest version of a configuration item.

Creating the Initial Baseline

As it does with most tasks, Configuration Manager provides a wizard to guide you in creating a configuration baseline.

1. In the ConfigMgr 2012 console choose the Assets And Compliance workspace, select Overview ⇒ Compliance Settings ⇒ Configuration Baselines, and right-click Create Configuration Baseline.

You should now see the Create Configuration Baseline Wizard, shown in Figure 14.13. Here you select the categories and input the name, description, and configuration data.

Figure 14.13 Create Configuration Baseline Wizard - Create Configuration Baseline dialog

2. Fill in the following details:

Name: Microsoft Calculator Plus - Check

Description: This configuration baseline validates the Microsoft Calculator Plus settings to make sure that there has been no configuration drift and that the latest copy of the calcplus.exe script has been distributed to the client.

3. To select Microsoft as the category, click the Categories button to display a list. This section is at the bottom of the window.

The Configuration Data list displays all the configuration items or configuration baselines that are included in the configuration baseline.

4. Click Add to add a new configuration item or configuration baseline to the list. You can choose from the following:

Configuration items

Software updates

Configuration baselines

5. Once the Add Configuration Items window checks for available configuration items, choose Microsoft Calculator Plus - Check.

6. Click Add, and then click OK.

7. Verify that your settings match those shown in Figure 14.13 and click OK.

You can now click the Close button and return to the Configuration Manager console, where you will next assign your new configuration baseline to clients that will be evaluated for compliance.

Baseline Rules

The process of creating rules is similar to the way you build rules in Outlook. Or you can think of it as telling Compliance Settings a story or writing a recipe to build your baseline. The available rules include those that reference which operating system you want to check for; in this option you will be able to see all the different operating systems and service pack levels. If you have not built a configuration item to check for a specific operating system, when you click the link in the rule there will be no configuration items to choose from and nothing to put into this rule. Although our example doesn’t include them, Figure 14.14 illustrates the additional selections available when you have created one or more CIs.

Figure 14.14 Add Configuration Items

One available rule is Checking For Software Updates. Earlier in the chapter we mentioned that you cannot create CIs for software updates in the same location as the other CI types and you must specify the updates when creating your configuration baseline; this is exactly where you would specify the software updates to check for. If you click the link in the software update rule, this option will show up on step 4 of “Creating the Initial Baseline.” It will spawn a new window called Add Software Updates (see Figure 14.15), where you will see the same folder display as in the Configuration Manager console, and you will have all the updates that you set to download to your server available to choose from. It is important to understand that you will not see software updates that you have already added to the baseline. You can see the software updates that are included in the configuration baseline by viewing its properties in the Configuration Manager console.

Figure 14.15 Add Software Updates window

Another rule that you can build is Configuration Baselines. This is how you would reuse other configuration baselines that you have created and thus save quite a few steps. Clicking this rule opens another window that lists the configuration baselines previously created and available to select, much like Figure 14.14.

We have saved the other three rules for last because they are all related to application CI types, differing in the way that they build the rules for your baseline. An application-type CI can be marked in one of three ways:

· Required

· Optional

· Prohibited

Let’s consider how each of these might be used when building a configuration baseline.

Required

This rule means that if you select an application CI, it will use the detection method specified to ensure that the application is installed. We used two different detection methods when we built the application CIs for Microsoft Calculator Plus. For the first one, we pointed it at the MSI file and got the version and GUID.

When you build an application CI and use the “always assume installed” detection method, you are simply skipping the detection method. Thus, there is no chance that the detection method will fail, and the next step in your application CI will perform its checks. If a CI’s detection method does fail, the remainder of the CI’s checks (whether its settings or objects are valid on the client) are not performed. The status returned depends on these settings as well: if a detection method is specified and it fails, the CI returns a compliance state of Not Detected.

You would use this rule to add general CIs to your list of rules, but also for applications that you want to ensure are installed, or at least to detect whether they are installed and configured correctly. Going back to the CIs we created for Microsoft Calculator Plus: if we specified the CI that detects whether the latest calcplus.exe file is on the client, that CI would first have to pass the detection method we specified. If the version or GUID check returned Noncompliant, the rest of the CI validation would be skipped and we would get a status message indicating that the application was not detected.

Optional

The Optional rule (selected application CIs, if detected, must be properly configured) means that if you make application CIs part of the baseline and their detection method fails, the validation checks that are part of the CI are skipped; if the application is detected, the CI then validates the objects or settings it specifies and reports compliance or noncompliance. A typical use for this rule is a situation in which you are not sure an application is installed on a client, but if it is, you want to make sure that it is configured correctly.

Prohibited

The last application CI rule specifies that selected application CIs must not be present. This type of rule could be used to make sure that an application is not present on a system. For instance, if you are checking the configuration of Microsoft Calculator Plus 5.x, you might want to make sure that Microsoft Calculator Plus 4.x was properly removed. Assuming you had a baseline that you used to check the configuration of Microsoft Calculator Plus 4.x, you could select one of these rules and run it to validate that the application had been previously uninstalled.
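To make the three rule types concrete, here is an added example (written for this chapter edit, not code from the book or from Configuration Manager itself) that models the outcome of each rule type as described above: Required fails with Not Detected when the detection method fails, Optional skips its checks when the application is not found, and Prohibited is noncompliant whenever the application is present. The function names, the AlwaysAssumeInstalled flag and the sample CI values are assumptions for illustration; on a real client the DCM agent makes these decisions.

```powershell
# Added example: models how an application-type CI's rule (Required, Optional,
# Prohibited) combines with its detection method and its setting/object checks.
# This illustrates the logic described in the text; it is not ConfigMgr code.

function Get-ApplicationCIResult {
    param(
        [Parameter(Mandatory)][ValidateSet('Required', 'Optional', 'Prohibited')]
        [string]$Rule,
        [bool]$Detected,        # outcome of the detection method
        [bool]$SettingsValid    # outcome of the CI's setting/object checks
    )
    switch ($Rule) {
        'Required' {
            # Detection must pass first; if it fails the settings are never checked.
            if (-not $Detected) { return 'Not Detected' }
            if ($SettingsValid) { return 'Compliant' }
            return 'Noncompliant'
        }
        'Optional' {
            # Not detected means the settings checks are skipped, which counts as compliant.
            if (-not $Detected) { return 'Compliant' }
            if ($SettingsValid) { return 'Compliant' }
            return 'Noncompliant'
        }
        'Prohibited' {
            # The application must not be present; its settings are irrelevant.
            if ($Detected) { return 'Noncompliant' }
            return 'Compliant'
        }
    }
}

function Get-BaselineResult {
    # Evaluates a list of CI descriptions and rolls them up to one baseline state.
    param([Parameter(Mandatory)][object[]]$ConfigurationItems)
    $rows = foreach ($ci in $ConfigurationItems) {
        # "Always assume installed" skips detection, so detection can never fail.
        $detected = if ($ci.AlwaysAssumeInstalled) { $true } else { [bool]$ci.Detected }
        [pscustomobject]@{
            CI     = $ci.Name
            Rule   = $ci.Rule
            Result = Get-ApplicationCIResult -Rule $ci.Rule -Detected $detected -SettingsValid ([bool]$ci.SettingsValid)
        }
    }
    $failed = @($rows | Where-Object { $_.Result -ne 'Compliant' })
    [pscustomobject]@{
        Items    = $rows
        Baseline = if ($failed.Count -eq 0) { 'Compliant' } else { 'Noncompliant' }
    }
}

# Constructed sample baseline (assumed values, not taken from a real client).
$sampleItems = @(
    @{ Name = 'Calculator Plus 5.x'; Rule = 'Required';   Detected = $true;  SettingsValid = $true  }
    @{ Name = 'Calculator Plus 4.x'; Rule = 'Prohibited'; Detected = $false; SettingsValid = $true  }
    @{ Name = 'Optional helper app'; Rule = 'Optional';   Detected = $false; SettingsValid = $false }
    @{ Name = 'General settings CI'; Rule = 'Required';   AlwaysAssumeInstalled = $true; SettingsValid = $false }
)
$result = Get-BaselineResult -ConfigurationItems $sampleItems
$result.Items | Format-Table -AutoSize
"Baseline: $($result.Baseline)"   # Noncompliant: the general settings CI failed its checks
```

The last sample item shows why the “always assume installed” method is convenient for general CIs: the CI can never report Not Detected, so a failure is always a genuine settings failure rather than a missed detection.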

Assigning the Configuration Baseline to Clients

Now that you have all the baselines configured, you need to assign them to the clients or all your hard work will be in vain. Assigning the configuration baselines to the clients will allow Configuration Manager to monitor the clients and ensure the baselines are met.

1. Back in the Configuration Manager console, you should still see the configuration baselines. If you highlight the newly created baseline, you will see its details at the bottom of your console.

2. To assign this configuration baseline to clients for validation, right-click the baseline and choose Deploy.

This will start the Deploy Configuration Baselines Wizard, shown in Figure 14.16.

Figure 14.16 Deploy Configuration Baselines Wizard

This should be prepopulated with the configuration baseline from which you launched the wizard; as you can see, you can add or remove configuration baselines by clicking the Add or Remove button in the center.

3. If you see the correct configuration baseline in the available list, select it and click Add to move it to the list on the right.

4. In the Select The Collection For This Configuration Baseline Deployment section, indicate the collection you are going to assign this baseline to by clicking the Browse button.

Be sure to select a collection that includes the clients where you have installed and configured the Microsoft Calculator Plus client.

5. After you have selected the appropriate collection, click OK to go back to the deployment baseline window.

Next, you set the compliance evaluation schedule, much as you do with a deployment. You can create a simple schedule such as Run Every 7 Days or create a custom schedule for more flexibility.

6. For the example, choose Custom Schedule and set it to recur every four hours; this ensures that the validation will run and return data so you can examine the reports.

7. After reviewing the settings, proceed to assigning the baseline by clicking OK.

Additional Configuration Baseline Options

Within the Configuration Manager console, some additional options are available when you view the configuration baseline folder. On the ribbon, there is an option called Import Configuration Data. This option allows you to import a CAB file that could have been created by a vendor, using an external tool such as Silect Software’s CP Studio, or it could come from another Configuration Manager site. If you have a baseline currently selected, you should see some additional options, including the ability to export configuration data. This will allow you to export your data so that you can import it to another site or edit it with an external tool.

You also have the ability to enable or disable the baseline; if you select the Disable option, it will stop the clients from evaluating this baseline. Once a baseline is disabled, the option changes to allow you to enable it from the same location on the ribbon. You can also view the XML that defines this baseline by clicking the View XML Definition button on the ribbon. The Categorize option should be self-evident at this point; you can add or remove categories from the baseline using this button.

Client Validation of Compliance Baseline Rules

Once you have deployed the compliance baseline to a collection, log on to a client and validate that the baseline has been applied and what its current state is. This will help you understand whether the baseline was applied correctly and whether the compliance state is the desired one.

1. Log on to the Windows client or any resource on the collection deployed.

2. Choose Control Panel ⇒ All Control Panel Items, and locate Configuration Manager.

3. Open Configuration Manager and select the Configurations tab.

4. Select the Microsoft Calculator Plus baseline and click Evaluate. Note that if the client has not yet polled for machine policy from the Configuration Manager site server, you might first need to request the machine policy update action.

As shown in Figure 14.17, the Compliance State field now shows Compliant.

Figure 14.17 Configuration Manager client configurations

5. Now click View Report and wait for Internet Explorer to show the results. You can see our results in Figure 14.18.

Figure 14.18 Compliance Report

Once you have finished reviewing the compliance setting results, you can also look at the client log files to see more details about the compliance state; two of these log files are as follows:

1. dcmagent.log Provides high-level information about the evaluation of assigned configuration baselines and desired configuration management processes

2. ciagent.log Provides information about downloading, storing, and accessing assigned configuration baselines

Open these log files using CMTrace.exe and you will see more details. Now that you have been able to successfully apply a configuration baseline, you may want to try this again using a production application for which you may need to confirm its compliance state.
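The client-side checks in this section can also be scripted. The following PowerShell is an added example, not code from the book: it reads the baselines assigned to the client from the client WMI namespace root\ccm\dcm (the same data the Configurations tab displays), triggers an evaluation the way the Evaluate button does, and parses dcmagent.log lines, which are written in CMTrace format. The function names are my own, the sample log lines are constructed rather than copied from a real client, and any LastComplianceStatus value other than 0 or 1 is reported as its number rather than guessed at. Run it in an elevated PowerShell session on a client.

```powershell
# Added example: inspect and trigger Compliance Settings evaluation on a
# ConfigMgr 2012 R2 client, and parse the client logs. Function names are
# assumptions for this example.

function Get-CMBaselineState {
    # The client stores assigned baselines in the WMI namespace root\ccm\dcm;
    # LastComplianceStatus 1 = Compliant, 0 = Non-Compliant. Other values are
    # shown as their number rather than guessed.
    Get-WmiObject -Namespace 'root\ccm\dcm' -Class SMS_DesiredConfiguration |
        ForEach-Object {
            $code = $_.LastComplianceStatus
            $state = switch ($code) {
                0       { 'Non-Compliant' }
                1       { 'Compliant' }
                default { "Other ($code)" }
            }
            [pscustomobject]@{
                DisplayName  = $_.DisplayName
                Version      = $_.Version
                LastState    = $state
                LastEvalTime = $_.LastEvalTime
            }
        }
}

function Invoke-CMBaselineEvaluation {
    # Same effect as clicking Evaluate on the Configurations tab for one baseline.
    param([Parameter(Mandatory)][string]$DisplayName)
    $baseline = Get-WmiObject -Namespace 'root\ccm\dcm' -Class SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $baseline) { throw "Baseline '$DisplayName' is not assigned to this client." }
    $dcm = [wmiclass]'\\.\root\ccm\dcm:SMS_DesiredConfiguration'
    $null = $dcm.TriggerEvaluation($baseline.Name, $baseline.Version)
}

function ConvertFrom-CMTraceLine {
    # dcmagent.log and ciagent.log use the CMTrace line format; this turns one
    # line into an object. type 1/2/3 is Info/Warning/Error. Lines that do not
    # match (for example, continuation lines of multi-line messages) return nothing.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin {
        $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"\s+' +
                   'component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"\s+' +
                   'thread="(?<Thread>\d+)"\s+file="[^"]*">'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.Date
                Time      = $Matches.Time
                Component = $Matches.Component
                Severity  = $severity[$Matches.Type]
                Thread    = [int]$Matches.Thread
                Message   = $Matches.Message
            }
        }
    }
}

# Constructed sample lines in CMTrace format (not copied from a real log).
$sampleLog = @(
    '<![LOG[Evaluating baseline "Microsoft Calculator Plus - Check" (constructed sample)]LOG]!><time="10:15:02.120+300" date="01-15-2014" component="DCMAgent" context="" type="1" thread="2044" file="dcmagent.cpp:100">'
    '<![LOG[One setting rule failed validation (constructed sample)]LOG]!><time="10:15:03.410+300" date="01-15-2014" component="DCMAgent" context="" type="2" thread="2044" file="dcmagent.cpp:200">'
)
$sampleLog | ConvertFrom-CMTraceLine | Format-Table Date, Time, Severity, Message -AutoSize

# On a real client, after triggering an evaluation:
#   Invoke-CMBaselineEvaluation -DisplayName 'Microsoft Calculator Plus - Check'
#   Get-CMBaselineState | Format-Table -AutoSize
#   Get-Content "$env:windir\CCM\Logs\dcmagent.log" | ConvertFrom-CMTraceLine |
#       Where-Object { $_.Severity -ne 'Info' }
```

Filtering the parsed log on Severity is a quick way to spot evaluation errors across many baselines without opening each log in CMTrace.exe; the objects can also be exported with Export-Csv for comparison across several clients.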

Compliance Settings Alerts

As part of the new alert and notification system, once the compliance baseline is deployed you can decide if you need to get alerts when the compliance check falls below a specific percentage. To do this you must perform the following task:

1. In the Configuration Manager console, choose the Assets And Compliance workspace.

2. Under the Overview section, expand Compliance Settings.

3. Select Configuration Baselines.

4. In the right pane, right-click Microsoft Calculator Plus - Check and select Properties.

5. Click the Deployment tab.

6. Select the deployed collection and click Edit.

7. Click Generate An Alert, as shown previously in Figure 14.16.

8. Set the compliance percentage to 95.

9. Click OK twice.

This will generate the alert in the Monitoring workspace should fewer than 95 percent of the systems in the targeted collection be compliant.

Compliance Settings Reporting

After a short period of time you should be able to run several of the reports included with Configuration Manager for compliance and settings management. These reports can be customized to suit your needs, or you can build your own reports if they don’t provide the level of detail you require. Reports are located in the Monitoring workspace, under Overview ⇒ Reporting ⇒ Reports; in the search criteria look for Compliance And Settings Management. The current list of reports is as follows:

· Compliance history of a configuration baseline

· Compliance history of a configuration item

· Details of compliant rules of configuration items in a configuration baseline for an asset

· Details of conflicting rules of configuration items in a configuration baseline for an asset

· Details of errors of configuration items in a configuration baseline for an asset

· Details of non-compliant rules of configuration items in a configuration baseline for an asset

· Details of remediated rules of configuration items in a configuration baseline for an asset

· List of assets by compliance state for a configuration baseline

· List of assets by compliance state for a configuration item in a configuration baseline

· List of rules conflicting with a specified rule for an asset

· List of unknown assets for a configuration baseline

· List of unknown assets for a configuration item

· Rules and errors summary of configuration items in a configuration baseline for an asset

· Summary compliance by configuration baseline

· Summary compliance by configuration items for a configuration baseline

· Summary compliance by configuration policies

· Summary compliance of a configuration baseline for a collection

Importing Configuration Packs

In this section you will learn how to implement a configuration pack from the Security Compliance Manager tool. This tool ships with different baselines, and each baseline can be exported in a format that ConfigMgr can later import as Compliance Settings data.

What Is Security Compliance Manager?

Microsoft Security Compliance Manager provides security configuration recommendations from Microsoft, centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft products.

To download this tool, go to

http://www.microsoft.com/download/en/details.aspx?displayLang=en&id=16776

To learn more about this tool, go to

http://technet.microsoft.com/en-us/library/cc677002.aspx

Figure 14.19 shows the Security Compliance Manager console focused on Internet Explorer 9 Computer Security Compliance. As an example, to import the Internet Explorer 9 configuration pack, perform the following procedure:

Figure 14.19 Microsoft Security Compliance Manager

1. Download Security Compliance Manager from the Microsoft Download site.

2. Install Security Compliance Manager.

3. Confirm that the product has been installed and that all the baselines have been downloaded.

4. Launch the Security Compliance Manager tool.

5. For the Microsoft baseline select Internet Explorer 9.

6. For Internet Explorer 9 select IE 9 Computer Security Compliance.

7. In the right pane, the Export option will be enabled; click SCCM DCM 2007 (.cab).

The Export to SCCM DCM 2007 dialog box will open.

Note: Even though it says SCCM DCM 2007, this works great with ConfigMgr 2012 R2. On the new version of Security Compliance Manager, this should be updated.

8. Save the .cab file to a known location.

9. Open the Configuration Manager console.

10. Choose the Assets And Compliance workspace.

11. In the navigation pane, expand Compliance Settings, and then click Configuration Items.

12. In the navigation pane, right-click Configuration Baselines.

13. Choose Import Configuration Data.

The Import Configuration Data Wizard will appear, as shown in Figure 14.20.

Figure 14.20 Import Configuration Data Wizard - Select Files page

14. Click Add.

15. The Open dialog box will appear; locate the file saved in step 8 and click Open.

16. Click Next. The import will analyze the .cab file.

The Import Configuration Data Wizard Summary page will list one configuration baseline and six configuration items.

17. Click Next.

The Import Configuration Data Wizard will complete at this point. Your Confirmation screen should look like the one in Figure 14.21. You can close the wizard.

Figure 14.21 Import Configuration Data Wizard - Confirmation page

Now that you have imported the configuration data to Configuration Manager’s Compliance Settings, you can deploy this baseline to any collection and evaluate the current compliance state for Internet Explorer 9. This will also give you a better idea of how to use Compliance Settings and the configuration items.

User Data and Profiles

User data and profiles configuration items contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8 and Windows 8.1. You can deploy them to a collection of users and then monitor their compliance from the Monitoring node of the ConfigMgr console. Unlike other configuration items, you do not add these to configuration baselines before you deploy them. You can deploy them directly with the Deploy User Data And Profiles Configuration Policy dialog, as shown in Figure 14.22.

Figure 14.22 Deploy User Data And Profiles Configuration Policy dialog

The following are examples of user data and profiles configuration items you can manage in ConfigMgr 2012 R2:

· Redirect a user’s Documents folder to a network share.

· Ensure that specified files stored on the network are available on a user’s computer when the network connection is unavailable.

· Configure which files in a user’s roaming profile are synchronized with a network share when the user logs on and off.

Use the following steps to create a user data and profiles configuration item in ConfigMgr:

1. Open the ConfigMgr console and select Assets and Compliance ⇒ Overview.

2. Choose Compliance Settings ⇒ User Data And Profiles. Right-click and select Create User Data And Profiles Configuration Item.

3. On the wizard, as shown in Figure 14.23, enter the information requested and select the appropriate check boxes:

Figure 14.23 Create User Data And Profiles Configuration Item Wizard

a. Name: Enter the name of this configuration item.

b. Description: Enter details about this CI.

c. Folder Redirection: Enable this check box if you are going to configure it as folder redirection.

d. Offline Files: Enable this check box if you plan to configure offline files.

e. Roaming User Profiles: Enable this check box if you want to configure roaming user profiles.

4. Click Next to go to the Folder Redirection step, shown in Figure 14.24. Specify how you want the client computers of users who receive this configuration item to manage folder redirection. You can configure settings for any device the user logs onto or for only the user’s primary devices. This section will be available only if you checked the Folder Redirection box on the previous screen.

Figure 14.24 Create User Data And Profiles Configuration Item Wizard - Folder Redirection screen

5. Click Next to go to the Offline Files step, shown in Figure 14.25. You can enable or disable the use of offline files for users who receive this configuration item and configure settings for the behavior of the offline files. This section will appear only if you checked the Offline Files box on the initial screen shown in Figure 14.23.

Figure 14.25 Create User Data And Profiles Configuration Item Wizard - Offline Files screen

6. Click Next to go to the Roaming Profiles step, shown in Figure 14.26. You can configure whether roaming profiles are available on computers that the users log onto and also configure further information about how these profiles behave. This section will appear only if you checked the Roaming Profiles box shown in Figure 14.23.

Figure 14.26 Create User Data And Profiles Configuration Item Wizard - Roaming Profiles screen

7. Click Next to go to the Summary page, as shown in Figure 14.27. On this screen you can review the actions that are going to be taken and then click Next to create the configuration item.

Figure 14.27 Create User Data And Profiles Configuration Item Wizard - Summary screen

8. Once you have completed the wizard, the new user data and profiles configuration item is shown in the User Data And Profiles node of the Assets And Compliance workspace. From here you can deploy it to the desired collection.

Remote Connection Profiles

Remote connection profiles in System Center 2012 R2 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor remote connection settings to devices in your organization. By deploying these settings, you minimize the effort that end users require to connect to their computers on the corporate network. Use remote connection profiles in ConfigMgr 2012 R2 to allow users to remotely connect to work computers when they are not connected to the domain or if their personal computers are connected over the Internet.

Remote connection profiles let you deploy remote desktop connection settings to users in the ConfigMgr hierarchy. Users can then use the company portal to access any of their primary work computers through remote desktop by using the remote desktop connection settings provided by the company portal. Windows Intune is required if you want users to connect to their work PCs by using the company portal.

To use remote connection profiles, you first need to create one:

1. In the Configuration Manager console, select the Assets And Compliance workspace.

2. Expand Compliance Settings.

3. Right-click Remote Connection Profiles and click Create Remote Connection Profile. The Create Remote Connection Profile Wizard will start, as shown in Figure 14.28.

Figure 14.28 Create Remote Connection Profile Wizard - General page

4. Once you’re in the Create Remote Connection Profile Wizard, enter the name of the remote connection profile and click Next.

5. On the Profile Settings screen, you will need to provide the full name and port of the Remote Desktop Gateway server, as shown in Figure 14.29.

Figure 14.29 Create Remote Connection Profile Wizard - Profile Settings page

6. Select Enabled or Disabled for each of the connection settings as required by your company policies.

Note that all three items under Connection Settings must be set to either Enabled or Disabled. They must all match, regardless of which setting you choose to use.

7. When all settings are configured, click Next.

8. The Summary page will be displayed. Click Next to create the remote connection profile and then Close to complete the Create Remote Connection Profile Wizard.

Company Resource Access

The Company Resource Access feature of System Center 2012 R2 Configuration Manager provides a set of tools and resources that enable you to give users in your organization access to data and applications from remote locations. This new feature allows you to create certificate, VPN, and Wi-Fi profiles in ConfigMgr and deploy them to users or device collections. To create each of these profiles you need to access the Compliance Settings section of the console, as shown in Figure 14.30.

Figure 14.30 Company Resource Access

Certificate Profiles

Certificate profiles provide a set of tools and resources to help provision computers in your organization with the certificates that users require to connect to various company resources. Certificate profiles in System Center 2012 Configuration Manager work with Active Directory Certificate Services and the Network Device Enrollment Service role to provision authentication certificates for managed devices so that users can seamlessly access company resources. This setting is available in the Company Resource Access area of Compliance Settings, as shown in Figure 14.31.

Figure 14.31 Company Resource Access - Certificate Profiles

Certificate profiles provide the following management capabilities:

· Certificate enrollment and renewals from an enterprise certification authority for devices that run iOS 5/6/7, Windows 8.1/RT 8.1, and Android. These certificates can then be used for Wi-Fi and VPN connections.

· Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.

· Monitoring and reporting on the installed certificates.

Now that you understand what certificate profiles are used for, let’s configure a certificate profile and deploy it to a user or device collection.

To create the certificate profile, follow these steps:

1. In the Configuration Manager console, navigate to the Assets And Compliance workspace.

2. Expand Compliance Settings ⇒ Company Resource Access.

3. Right-click Certificate Profiles and select Create Certificate Profile.

4. The Create Certificate Profile Wizard will be displayed, as shown in Figure 14.32.

Figure 14.32 Create Certificate Profile Wizard - General page

5. Enter the name of the certificate profile.

6. Select either Trusted CA Certificate or Simple Certificate Enrollment Protocol (SCEP) Settings.

7. Click Next to continue the wizard.

8. Click Import, as shown in Figure 14.33, and select the certificate that you want to deploy.

Figure 14.33 Create Certificate Profile Wizard - Trusted CA Certificate page

9. Click Next to go to the Supported Platforms page, as shown in Figure 14.34.

Figure 14.34 Create Certificate Profile Wizard - Supported Platforms page

10. Select all the OS versions that you need for the certificate, and then click Next.

11. Review the Summary page, and click Next.

12. When the configuration is complete, review the Completion screen, as shown in Figure 14.35; then click Close to complete the Create Certificate Profile Wizard.

Figure 14.35 Create Certificate Profile Wizard - Completion page

13. Your certificate profile should now be visible on the system.

Once the certificate profile is created, you can deploy it to a user or a device collection of your choosing.

VPN Profiles

You use VPN profiles in ConfigMgr 2012 R2 to deploy VPN settings to users in your organization. By deploying these settings, you can minimize the effort required to connect to the resources of the company network. With a new VPN profile you can easily configure any devices in your organization that need this setting to connect to the network. You can create this profile to support Windows 8.1, Windows RT, and iOS 5, 6, and 7.

A VPN profile can include a wide range of security settings, including certificates for server validation and client authentication that have been provisioned by ConfigMgr certificate profiles.

To create a VPN profile, follow these steps:

1. Open the ConfigMgr console and choose the Assets And Compliance workspace.

2. Expand Compliance Settings ⇒ Company Resource Access.

3. Right-click VPN Profiles and click Create VPN Profile.

4. The Create VPN Profile Wizard will appear, as shown in Figure 14.36.

Figure 14.36 Create VPN Profile Wizard - General page

5. Enter the name and a description for the VPN profile.

6. Check Import An Existing VPN Profile From A File if you already have these details saved in a file; otherwise, click Next.

7. On the Connection page, as shown in Figure 14.37, select the right connection type and server list for your environment.

Figure 14.37 Create VPN Profile Wizard - Connection page

8. Click Add to specify a VPN server. Enter a friendly name and the IP address or FQDN of the server. Once you’ve entered all the information, click Next.

9. Select the authentication method that you are going to use for this VPN connection, as shown in Figure 14.38.

Figure 14.38 Create VPN Profile Wizard - Authentication Method page

10. Click Next once you’ve configured the right authentication method.

11. Configure the proxy setting that is needed for this VPN profile, as shown in Figure 14.39.

Figure 14.39 Create VPN Profile Wizard - Proxy Settings page

12. Click Next once you’ve configured the proxy settings appropriately.

13. On the Automatic VPN page, shown in Figure 14.40, indicate which requests should trigger a VPN connection: check Enable VPN On-Demand, and then enter the suffixes that trigger an automatic VPN connection. All settings on this page are optional. Click Next to move to the next page in the wizard.

Figure 14.40 Create VPN Profile Wizard - Automatic VPN page

14. Select the supported platforms for this VPN profile, as shown in Figure 14.41, and then click Next.

Figure 14.41 Create VPN Profile Wizard - Supported Platforms page

15. On the Summary screen, review all settings to ensure every configuration you wanted is set up; then click Next.

16. Click Close to complete the configuration of your VPN profile.

VPN profiles can save your users lots of time. Make sure you configure all the settings that are needed for the VPN profile before deploying it to your production devices.

Wi-Fi Profiles

In ConfigMgr 2012 R2 you can configure Wi-Fi profiles and deploy them to your users and device collections to ensure the Wi-Fi settings are correct. This will help you minimize the end-user effort required to connect to the corporate wireless network.

If you install a new Wi-Fi network and you want to provision it to all the devices in your organization, you can create a Wi-Fi profile containing the settings necessary to connect to the new Wi-Fi network. Then you can deploy this profile to all users or devices. The new Wi-Fi profile supports the following device types: Windows 8.1 and RT, iOS 5, 6, and 7, as well as Android devices that run version 4.

Follow these steps to configure a Wi-Fi profile:

1. Open the ConfigMgr console and choose the Assets and Compliance workspace.

2. Expand Compliance Settings ⇒ Company Resource Access.

3. Right-click Wi-Fi Profiles and select Create Wi-Fi Profile.

4. The Create Wi-Fi Profile Wizard will appear, as shown in Figure 14.42.

Figure 14.42 Create Wi-Fi Profile Wizard - General page

5. Enter the name and a description for the Wi-Fi profile. If you have an existing Wi-Fi profile saved in a file, you can choose to import it. Click Next.

6. As shown in Figure 14.43, enter the network name and SSID. Select Connect Automatically When This Network Is In Range if you need this to be the default Wi-Fi profile; otherwise leave all boxes unchecked and click Next.

Figure 14.43 Create Wi-Fi Profile Wizard - Wi-Fi Profile page

7. On the Security Configuration page, select a security type, as shown in Figure 14.44. Click Next once you finish configuring the proper security for the Wi-Fi profile.

Figure 14.44 Create Wi-Fi Profile Wizard - Security Configuration page

8. On the Advanced Settings page, configure additional details, as shown in Figure 14.45, and then click Next.

Figure 14.45 Create Wi-Fi Profile Wizard - Advanced Settings page

9. On the Proxy Settings page, enter the proxy information for this Wi-Fi profile if needed. No settings are required, as shown in Figure 14.46. Click Next to continue.

Figure 14.46 Create Wi-Fi Profile Wizard - Proxy Settings page

10. On the Supported Platforms page, select the devices required for your environment or just click Select All, and then click Next.

11. On the Summary page, review the information, making sure to validate the configuration before you deploy this profile.

As you have seen, using the Wi-Fi Profiles feature, it is very easy to configure and manage the process of deploying Wi-Fi profiles to ConfigMgr users and devices.

The Bottom Line

1. Enable the client settings. Until the client settings are enabled for your Configuration Manager clients, your clients will not evaluate any of the configuration baselines. This is the first step in using Compliance Settings to validate client settings.

Master It Enable Compliance Settings for the Configuration Manager clients.

2. Create configuration items. Configuration items are the pieces that make up a configuration baseline. There are a number of different configuration item types in Configuration Manager, and depending on the type you choose to create, you are presented with certain options when creating your configuration item. The steps to create configuration items were covered in the first part of this chapter, and they included several examples of how to create the different types of configuration items.

Master It Create a configuration item for an application that checks a registry string value.

3. Define a configuration baseline. This is where you take one or more of the CIs and put them into a package that the Configuration Manager client downloads and at the scheduled time validates by checking the CIs against the computer. The Configuration Manager client then reports the outcome of those checks back to Configuration Manager, where you can then run reports to see if your clients are within the specified configuration. These steps were covered in the last section of the chapter.

Master It Assemble a configuration baseline with one or more configuration items you have created.