ConfigMgr 2012 / SCCM 2012 SP1 Step by Step Guide Part 28: Compliance
Back to main menu
Part 28 of my Config Mgr 2012 SP1 Step by Step Guide describes how to implement Compliance (formerly known as Desired Configuration Management in Config Mgr 2007).
(note that the configurations below were carried out on a Config Mgr 2012 server - post SP1):
High Level Steps
1. Create Configuration Items (CIs)- eg Anti-virus service is started, AV definition files have to be a specific version, Windows Firewall is started
2. Create Baseline - this will include all the CIs that you deem neccessary for devices to be compliant
3. Deploy Baseline to Collection
1. Create Configuration Item
Navigate to Assets and Compliance and right click on Configuration Item to create a new one.
Enter General Settings. Name the item and specify the type as Windows. This example is for the Windows Firewall
Select the OS you require - in this case Windows 7
Click New to enter more specific settings.
Enter the details as shown. Note that this is a WQL query and that the Windows Firewall service name is MpsSvc. Click OK.
See your settings. Click Next to continue
Enter Compliance settings as shown an click OK.
See your completed Compliance setting. Click Next to continue.
Review summary and click Next
Configuration Item has now been completed.
2. Create Baseline
Navigate to Assets and Compliance and right click on Configuration Baselines to create a new one
Click Add and add the CIs that you require. See here I have added the CI that I created earlier.
3. Deploy Baseline to Collection
Right click on the baseline to deploy
Choose a collection and an evaluation schedule
Let's now have a look at a client to see how this works
Open the Configuration Manager client in Control Panel and open Configurations tab.
An evaluation has not yet been run so Config Mgr does not know the Compliance state - hence Unknown
Click to Evaluate and see that the Compliance state changes to Compliant
Select to View the Report
Stop the Windows Firewall and re-evaluate - now Non-Compliant
View the non-compliant report
Compliance information from each client is collated and available in the Compliance and Settings Management Reports.
Part 28 of my Config Mgr 2012 SP1 Step by Step Guide describes how to implement Compliance (formerly known as Desired Configuration Management in Config Mgr 2007).
(note that the configurations below were carried out on a Config Mgr 2012 server - post SP1):
High Level Steps
1. Create Configuration Items (CIs)- eg Anti-virus service is started, AV definition files have to be a specific version, Windows Firewall is started
2. Create Baseline - this will include all the CIs that you deem neccessary for devices to be compliant
3. Deploy Baseline to Collection
1. Create Configuration Item
Navigate to Assets and Compliance and right click on Configuration Item to create a new one.
Enter General Settings. Name the item and specify the type as Windows. This example is for the Windows Firewall
Select the OS you require - in this case Windows 7
Click New to enter more specific settings.
Enter the details as shown. Note that this is a WQL query and that the Windows Firewall service name is MpsSvc. Click OK.
See your settings. Click Next to continue
Enter Compliance settings as shown an click OK.
See your completed Compliance setting. Click Next to continue.
Review summary and click Next
Configuration Item has now been completed.
2. Create Baseline
Navigate to Assets and Compliance and right click on Configuration Baselines to create a new one
Click Add and add the CIs that you require. See here I have added the CI that I created earlier.
3. Deploy Baseline to Collection
Right click on the baseline to deploy
Choose a collection and an evaluation schedule
Let's now have a look at a client to see how this works
Open the Configuration Manager client in Control Panel and open Configurations tab.
An evaluation has not yet been run so Config Mgr does not know the Compliance state - hence Unknown
Click to Evaluate and see that the Compliance state changes to Compliant
Select to View the Report
Stop the Windows Firewall and re-evaluate - now Non-Compliant
View the non-compliant report
Compliance information from each client is collated and available in the Compliance and Settings Management Reports.
No comments:
Post a Comment