Logo
HOW TO
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

System Center Configuration Manager 2007 : Desired Configuration Management - DCM Strategies

9/9/2013 2:33:56 AM

The actual functionality of DCM is relatively straightforward—create a baseline of settings and assign those to a set of systems. However, what do you do then? It really depends on what you are going to do with the data DCM provides.

What are your business goals for using DCM? Are you simply filling a check box for the auditors? Do you want to use reports to help in troubleshooting? Are you wanting to notify the on-call admin when something is amiss? Or do you want nonstandard configurations corrected? Each baseline you create may fulfill one or more of these goals; therefore, the first step for each baseline is to identify its purpose, the target audience, and the delivery method for results. These criteria will define what criteria to include in the baseline.

Reporting

Reporting is the only built-in way to view the results of DCM evaluation and the compliance status of your systems according to your baselines. A variety of reports is included out of the box to assist with this, including the following:

  • Noncompliance details for a configuration item on a computer

  • Compliance for a computer by baseline

  • Summary compliance by configuration baseline

  • Summary compliance by configuration item

  • Summary compliance for a collection by computer

Baseline and configuration item evaluation is a completely client-side task. The results of this task are returned to the site using the new state message mechanism built in to ConfigMgr. State messages are asynchronous messages sent from the client to the management point to report information back to the site. State messages for DCM include XML attachments to report specific details about the evaluation of configuration baselines and items. ConfigMgr consolidates these state messages in the database and makes the results available to end users in reports. With the excellent flexibility of the built-in classic reporting and the new SQL Reporting Services (SRS) reporting, rich reporting is available through a web browser without giving any type of access to the console. This is great for middle and upper management or those annoying auditors who interrupt you every time they need to see this data.

Note: DCM Scenarios

Of the four scenarios DCM addresses (regulatory compliance, pre- and post-change verification, configuration drift, and time to resolution), only one is not clearly addressed by the reports included out of the box with ConfigMgr—and that is configuration drift. Results from every compliance scan are stored in the ConfigMgr database, so the data for a configuration drift report is indeed available.

However, because of the simplistic single query-based approach, it would be difficult, if not impossible, to use the legacy reporting component to actually create a configuration drift report. The new SRS-based reporting included with ConfigMgr 2007 R2 introduces the ability to create sophisticated and complex reports, including a configuration drift report. Implementation of this report (or set of reports) is left as an exercise for the reader (or a hint to the ConfigMgr development team).


Knowing is half the battle; therefore, reporting is also typically only half the battle. What you do with the information in a report is the other half. Actions can include alerting to make everyone aware of the issue and using an automated mechanism to correct the reported issues.

On-demand Results

In addition to using the server-side reporting functionality in ConfigMgr, administrative users can also trigger client-side report generation. After you enable DCM in the console, a new tab is available in the ConfigMgr Control Panel applet on all clients, titled Configurations (shown in Figure 1). Each baseline assigned to the client is included in the list box. Using the Evaluate button at the bottom of the page, users can trigger the evaluation of selected baselines. Using the View Report button, administrative users can display a report showing the most current evaluation results of the selected baseline. A typical use of this on-demand reporting is for IT personnel to locally troubleshoot or remediate identified noncompliance issues.

Figure 1. Configurations Control Panel applet tab


Alerting

DCM, like ConfigMgr as a whole, is not designed to be a real-time reporting or alerting system. However, it is perfectly reasonable to want the results of DCM to raise a real-time alert. The easiest way to accomplish this is in conjunction with Operations Manager.

Three of the four noncompliance severity levels for evaluation criteria drop events into a system’s application event log as well as reporting back to ConfigMgr . One of OpsMgr’s bread-and-butter functions is to skim the event logs of monitored systems. Thus, it is simply a matter of creating a monitor and alert in OpsMgr to look for specific noncompliant events reported by DCM. The steps to create such a monitor and alert are discussed in detail in System Center Operations Manager 2007 Unleashed (Sams, 2008).

If OpsMgr is not present in your environment, you could also utilize custom scripts, another product that skims the event logs, or the great new ability in Windows Server 2008 to perform an action in response to an event.

Remediation

Simply knowing about an issue using an on-demand report or receiving an alert doesn’t help if the issue identified is causing a security hole or service interruptions for users—what you want is to fix the issue as quickly as possible without human intervention. Remediation refers to the process of correcting an issue identified, and auto-remediation is having the issue corrected in an automated manner. In both cases, DCM identifies the issue using a baseline assigned to a system in your organization.

The following example creates a ConfigMgr collection based on the noncompliant events raised by a baseline:

1.
Create a new collection by right-clicking Collections in the console tree (navigate to Site Database -> Computer Management -> Collections) and selecting New Collection from the resulting context menu.

2.
In the New Collection Wizard, name your new collection and add an optional comment. Click Next.

3.
On the Membership Rules page, click the new query rule button to create a new query membership rule.

4.
On the resulting Query Rule Properties page, name the query and click the button labeled Edit Query Statement.

5.
On the Query Statement Properties dialog box, click the Show Query Language button at the bottom.

6.
Paste the following query into the text box:

select SMS_R_System.ResourceId,
SMS_R_System.ResourceType,
SMS_R_System.Name,
SMS_R_System.SMSUniqueIdentifier,
SMS_R_System.ResourceDomainORWorkgroup,
SMS_R_System.Client
from
SMS_R_System inner join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
Where
SMS_G_System_CI_ComplianceState.ComplianceStateName = "Non-Compliant"
and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "<BaselineName>"


7.
Replace <BaselineName> with the name of the baseline or configuration item you want to remediate.

8.
Click OK on the Query Statement Properties dialog box and OK again on the Query Rule Properties dialog box.

9.
Finish the New Query Wizard by clicking Next and then Finish.

10.
Finish the New Collection Wizard by clicking Next until the Finish button is enabled. Then click Finish.

ConfigMgr populates this new collection with systems that have a noncompliant evaluation result from the specified baseline or configuration item.

You can modify the preceding criteria to query for the severity of the compliance failure by using the ComplianceStateName property of the SMS_G_System_CI_ComplianceState class. For complete details of this class, see http://msdn.microsoft.com/en-us/library/cc143662.aspx.

After creating the collection, you create a software distribution package that corrects the issue and assign that package to the collection. The package could be as simple as setting a Registry key to a correct value or reinstalling the antivirus software that an application administrator accidentally on purpose uninstalled. The actual actions performed by the package are up to you and should correct any noncompliant issues that the baseline can identify. Those systems failing the compliance checks in the baseline populate the collection, which assigns them to the package correcting the issue.

Note: Auto-remediation Capability

At first glance, the lack of a built-in auto-remediation capability in DCM may seem like a huge missing piece. However, the question to pose here is, Do you really want the configuration of your working, production systems automatically changed?

In most cases the answer is no, at least not without restrictions. Although group policy does indeed affect changes to systems, the extent of what DCM can check is far greater than group policy and the ramifications are therefore larger. Additionally, for those configuration items such as the existence of an antivirus product, using this approach may not always be straightforward to remediate.

Although the next version of DCM will hopefully include some built-in auto-remediation enablers, the lack of auto-remediation in the current version does not take away from its usefulness and power.

Other -----------------
- Microsoft Exchange Server 2007 : Leveraging the Capabilities of the Outlook Web Access Client - Understanding OWA Security Features, Tips for OWA Users with Slow Access
- Microsoft Exchange Server 2007 : Leveraging the Capabilities of the Outlook Web Access Client - Using Contacts in OWA
- What's new and improved in SharePoint 2013 : Creating an eDiscovery Center
- What's new and improved in SharePoint 2013 : Creating badges, Using Visual Designer for workflows within SharePoint Designer
- What's new and improved in SharePoint 2013 : Previewing search documents, Using the Community Site template
- Windows Small Business Server 2011 : Adding a Terminal Server - Adding a RemoteApp to Remote Web Workplace
- Windows Small Business Server 2011 : Adding a Terminal Server - Configuring RemoteApps (part 2) - Deploying with .rdp and .msi files
- Windows Small Business Server 2011 : Adding a Terminal Server - Configuring RemoteApps (part 1) - RemoteApp Manager
- SQL Server 2012 : XML and the Relational Database - Querying XML Data Using XQuery (part 2) - SQL Server XQuery in Action, XML DML
- SQL Server 2012 : XML and the Relational Database - Querying XML Data Using XQuery (part 1) - Understanding XQuery Expressions and XPath
 
 
REVIEW
- First look: Apple Watch

- 10 Amazing Tools You Should Be Using with Dropbox

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
 
VIDEO TUTORIAL
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
 
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
Popular keywords
HOW TO Swimlane in Visio Visio sort key Pen and Touch Creating groups in Windows Server Raid in Windows Server Exchange 2010 maintenance Exchange server mail enabled groups Debugging Tools Collaborating
Top 10
- Microsoft Excel : How to Use the VLookUp Function
- Fix and Tweak Graphics and Video (part 3) : How to Fix : My Screen Is Sluggish - Adjust Hardware Acceleration
- Fix and Tweak Graphics and Video (part 2) : How to Fix : Text on My Screen Is Too Small
- Fix and Tweak Graphics and Video (part 1) : How to Fix : Adjust the Resolution
- Windows Phone 8 Apps : Camera (part 4) - Adjusting Video Settings, Using the Video Light
- Windows Phone 8 Apps : Camera (part 3) - Using the Front Camera, Activating Video Mode
- Windows Phone 8 Apps : Camera (part 2) - Controlling the Camera’s Flash, Changing the Camera’s Behavior with Lenses
- Windows Phone 8 Apps : Camera (part 1) - Adjusting Photo Settings
- MDT's Client Wizard : Package Properties
- MDT's Client Wizard : Driver Properties
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro