SCCM 2012 Compliance Settings

compl settings

If you have worked on  SCCM 2007 then Configuration Manager 2007 desired configuration management is now called sccm 2012 compliance settings in System Center 2012 Configuration Manager. SCCM 2012 Compliance settings contains tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Configuration item settings of the type Windows Management Instrumentation (WMI), registry, script, and all mobile device settings in Configuration Manager let you automatically remediate noncompliant settings when they are found.

SCCM 2012 Compliance Settings

Compliance is evaluated by defining a configuration baseline that contains the configuration items that you want to evaluate and settings and rules that describe the level of compliance you must have. You can import this configuration data from the web in Microsoft System Center Configuration Manager Configuration Packs as best practices that are defined by Microsoft and other vendors, in Configuration Manager, and that you then import into Configuration Manager. An Administrator can create new configuration items and configuration baselines. After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them.

Configuration items: A collection of settings, values, and criteria that defines what is compared, checked, or evaluated on a target system.

Install and Update Third Party Applications with Patch My PC
Install and Update Third Party Applications with Patch My PC

Configuration baselines : This is a grouping of multiple configuration items. Configuration items must be part of a configuration baseline to be assigned for evaluation on a collection of systems.

Prerequisites for Compliance Settings in Configuration Manager

1) Clients must be enabled and configured for compliance evaluation – To enable it, In the CM console click on AdministrationClient Settings. Right click custom client device settings and select properties. choose Compliance settings.

Note If you want to enable compliance on all the devices, then select Default Client Settings. In this example i have created a Custom Client Device settings and compliance settings is selected and set as true.

 

SCCM 2012 Compliance Settings Snap 1

On the left pane, select Compliance Settings and under device settings set Enable compliance evaluation on clients as True.

SCCM 2012 Compliance Settings Snap 2

2) Reporting point site system role must be installed and configured. To install the reporting point site role, Click on Administration, Site Configuration, Sites, Add Site System Roles, Choose Reporting services point.

SCCM 2012 Compliance Settings Snap 3

As an example we will download the Configuration manager packs from one of the vendors and import it our configuration manager. We will deploy the configuration baseline to a collection and test the compliance. In this example we will download the Configuration Pack for System Center 2012 Configuration Manager here. This Configuration Pack contains Configuration Items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. This configuration pack monitors the following site system roles: management points, site server, and software update points.

After you download the configuration pack, install the msi file on the SCCM machine. Also note the path where the files are installed.

SCCM 2012 Compliance Settings Snap 4

SCCM 2012 Compliance Settings Snap 5

On the CM console, Under Assets and compliance, Compliance Settings, Right Click Configuration Baselines and and select Import Configuration Data.

SCCM 2012 Compliance Settings Snap 6

Click on Add.

SCCM 2012 Compliance Settings Snap 7

Browse to the path where the Configuration pack was installed. Select the Configuration manager config pack (.cab file) and click on open. On the next screen click Next.

SCCM 2012 Compliance Settings Snap 8

Click on close.

SCCM 2012 Compliance Settings Snap 9

Once you have imported the config pack, click on Configuration Items. We see that there are four configuration items. Right click one of them and click properties.

SCCM 2012 Compliance Settings Snap 10

Every Configuration item has these properties. This configuration item evaluates the configuration of CM 2012 Management point role against Microsoft’s recommended best practices.

SCCM 2012 Compliance Settings Snap 11

In the next tab, Settings, there are few scripts which are executed to test the management point with Microsoft best practices.

SCCM 2012 Compliance Settings Snap 12

To deploy this Configuration Baseline, right on the configuration baseline and click Deploy.

SCCM 2012 Compliance Settings Snap 13

Click on Remediate noncompliant rules when supported and Allow remediation outside the maintenance window. Choose the collection by clicking on Browse. In this example i have created a device collection called SCCM Server and my SCCM is added to it. Click Customize and Set the schedule of your choice.

SCCM 2012 Compliance Settings Snap 14

We see the change now. The configuration baseline has been deployed to a collection. After few minutes we see that under the Noncompliance Count the value is turned to 1 from 0. Lets find out the reason.

 SCCM 2012 Compliance Settings Snap 15

On the SCCM machine, click Control panel, Configuration manager, Configurations – we see there a baseline existing. This is the same configuration baseline that we had applied in the above steps. Click on Evaluate and then View Report.

SCCM 2012 Compliance Settings Snap 16

Out of the 4 configuration items, one item has reported that our SCCM server is non compliant.

SCCM 2012 Compliance Settings Snap 17

Lets see why exactly its non compliant. Under Non Compliant rules we see that BGB firewall port for Management point  is open. As per the Script the warning is set to generated if BGB port is found closed on MP. The rest of the configuration items report that our server is Compliant.

What is BGB (Big Green Button) – A way for administrators to push out urgent actions across a large number of clients to combat a particular infection through a quick or full scan for instance.

SCCM 2012 Compliance Settings Snap 18

Right click the configuration item Microsoft System Center 2012 Configuration Manager Management Point, select Properties, choose the Compliance Rules, select BGB firewall port and click Edit.

SCCM 2012 Compliance Settings Snap 19

This settings defined here checks whether the BGB port is open on the firewall. If its not open then a Warning is generated.

SCCM 2012 Compliance Settings Snap 20

In the next step we will modify compliance rule for BGB firewall port. As per the compliance conditions the BGB firewall port should be open on management point. In this lab we don’t need the BGB port to be open, so we will modify value returned by script from Equals  to “Not equal to“. This means a warning is not generated if the BGB port is cl0sed on management point.

SCCM 2012 Compliance Settings Snap 21

After few minutes we evaluate and run the compliance report on SCCM server, we see that our SCCM server is fully compliant with Microsoft’s  recommended best practices.

SCCM 2012 Compliance Settings Snap 22

The compliance count value is changed from 0 to 1 in the CM console.

SCCM 2012 Compliance Settings Snap 23

Need more help?

If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.