Tuesday, 14 May 2013

ConfigMgr 2012 / SCCM 2012 SP1 Step by Step Guide Part 28: Compliance

Back to main menu

Part 28 of my Config Mgr 2012 SP1 Step by Step Guide describes how to implement Compliance (formerly known as Desired Configuration Management in Config Mgr 2007).

(note that the configurations below were carried out on a Config Mgr 2012 server - post SP1):

 High Level Steps

 1. Create Configuration Items (CIs)- eg Anti-virus service is started, AV definition files have to be a specific version, Windows Firewall is started
2. Create Baseline - this will include all the CIs that you deem neccessary for devices to be compliant
3. Deploy Baseline to Collection

1. Create Configuration Item

 Navigate to Assets and Compliance and right click on Configuration Item to create a new one.


Enter General Settings. Name the item and specify the type as Windows. This example is for the Windows Firewall


Select the OS you require - in this case Windows 7

 Click New to enter more specific settings. 


Enter the details as shown. Note that this is a WQL query and that the Windows Firewall service name is MpsSvc. Click OK.


 See your settings. Click Next to continue


Enter Compliance settings as shown an click OK.


See your completed Compliance setting. Click Next to continue.

Review summary and click Next


Configuration Item has now been completed.

2. Create Baseline

Navigate to Assets and Compliance and right click on Configuration Baselines to create a new one

Click Add and add the CIs that you require. See here I have added the CI that I created earlier.

 3. Deploy Baseline to Collection

 Right click on the baseline to deploy

Choose a collection and an evaluation schedule 

 Let's now have a look at a client to see how this works

 Open the Configuration Manager client in Control Panel and open Configurations tab.

An evaluation has not yet been run so Config Mgr does not know the Compliance state - hence Unknown


Click to Evaluate and see that the Compliance state changes to Compliant


Select to View the Report


Stop the Windows Firewall and re-evaluate - now Non-Compliant


 View the non-compliant report
Compliance information from each client is collated and available in the Compliance and Settings Management Reports.
Posted by at
Labels: , ,

2 comments:

  1. Anonymous9 February 2016 at 00:39

    Hi Gerry,

    How to disable a service from SCCM console for much servers!!

    Thanks

    ReplyDelete
  2. Gerry Hampson9 February 2016 at 13:02

    Once you figure out the syntax for the service you need, yes, you can absolutely use this method.

    ReplyDelete

Subscribe to: Post Comments (Atom)