In the previous blog post I used file and registry settings for my Configuration Item. Another way to define your Configuration Item settings is with scripts.
And in CM2012 we have 3 scripting options:
(The same goes for the use of scripts in Detection Methods when we create Application Deployment Types.)
Since the new colour fashion in scripting today is blue, I guess the popular choice would be PowerShell. On a serious note – PowerShell is now everywhere, just ask my buddy Kaido Järvemets.
In this example I will be checking for a setting on the clients that have the AppV Client installed. With AppV 5.0 everything is done by PowerShell, so it is natural to go down that road with this as well. The setting I want to check is EnablePackageScripts on the AppV Client; in order to deploy and execute AppV packages from CM2012 we will need this to be set to True.
Again – this is mostly to show what we can actually do with the whole Configuration Item and Baseline options.
Step 1. Give the Configuration Item a name, and maybe assign some categories to it.
Step 2. Specify the Operating System you want this to run on.
Step 3. Add a new Setting to the Configuration Item; in the list of Setting types click Scripts and you will see the layout change.
Step 4. Enter a Name, add the following PowerShell command as the Discovery Script and select the correct Data Type.
Get-AppvClientConfiguration -Name "EnablePackageScripts" | Select-Object -ExpandProperty "Value"
Step 5. Still in the Create Setting window, go to the Compliance Rules tab and add the rule we want to define compliance on.
(In this case the Boolean can only be either True or False; PowerShell returns this as either 0 or 1.)
Step 6. Once you are done defining the script setting and the compliance rule, go through the last steps and finish the Configuration Item; remember to set the severity.
Done – now deploy the Configuration Item via a Baseline to a collection.
Now if you haven't made any changes to the CM2012 Client Settings or to a GPO that lets you execute unsigned PowerShell scripts, then this will fail with error 0x87D00327, which means the script is not signed, which is true. For CM2012 SP1 the default Client Setting only allows “All Signed” PowerShell scripts to execute. We have 3 options in the CM2012 Client Settings:
- Bypass: The Configuration Manager client bypasses the Windows PowerShell configuration on the client computer so that unsigned scripts can run.
- Restricted: The Configuration Manager client uses the current Windows PowerShell configuration on the client computer, which determines whether unsigned scripts can run.
- All Signed (System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager SP1 only): The Configuration Manager client runs scripts only if they are signed by a trusted publisher. This restriction applies independently from the current Windows PowerShell configuration on the client computer.
Keep in mind that the CM2012 Client Setting only governs scripts executed via the Client Agent. It's not a general setting configured on the client; for that you will need a GPO. And additionally, the secure way would of course be to sign all your PowerShell scripts with a certificate added to Trusted Publishers on the clients.
Now all the example I just shared above does is look for the setting and report back whether the client is compliant or not; you could also define a remediation script that would then correct the setting for you.
To give another example with the remediation option, for you to use on your clients, take the CM2012 Client Cache Size – in this example I remediate the Cache Size to something other than what the Client might have, or is supposed to have.
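As an added example (not from the original post), this is how you would sign the discovery and remediation scripts with a code-signing certificate and check the result before importing them into the Configuration Item. It assumes a code-signing certificate is already in the current user's personal store, that the two script paths exist (placeholder paths), and uses an assumed timestamp server URL; the Trusted Publishers check at the end is what you would run on a client to confirm the "All Signed" setting will accept the scripts.

```powershell
# Added example, not part of the original post.
# Placeholder paths for the two scripts that go into the Configuration Item.
$ScriptPaths = @(
    'C:\CI\Discover-AppVPackageScripts.ps1',
    'C:\CI\Remediate-AppVPackageScripts.ps1'
)

# Pick the first unexpired code-signing certificate from the user's store.
$Cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1

if (-not $Cert) {
    throw 'No valid code-signing certificate found in Cert:\CurrentUser\My'
}

foreach ($Path in $ScriptPaths) {
    # Timestamping keeps the signature valid after the certificate itself expires.
    # The timestamp server URL is an assumption; use the one your CA provides.
    $Result = Set-AuthenticodeSignature -FilePath $Path -Certificate $Cert `
        -TimestampServer 'http://timestamp.digicert.com'
    # Status is only 'Valid' when the signing machine also trusts the chain;
    # a self-issued test certificate that is not trusted locally will not get there.
    if ($Result.Status -ne 'Valid') {
        throw "Signing $Path failed: $($Result.Status) - $($Result.StatusMessage)"
    }
}

# Re-check each file the way the client will: the signature must verify and
# the signer must chain to a certificate the machine trusts.
foreach ($Path in $ScriptPaths) {
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Script  = Split-Path -Leaf $Path
        Status  = $Sig.Status
        Signer  = $Sig.SignerCertificate.Subject
        Expires = $Sig.SignerCertificate.NotAfter
    }
}

# On a client: confirm the signing certificate is in Trusted Publishers, which
# is what the "All Signed" Client Setting relies on.
$Trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }
if (-not $Trusted) {
    Write-Warning "Certificate $($Cert.Thumbprint) is not in Trusted Publishers on this machine"
}
```

Run the signing part once on the machine that holds the certificate and the last check on a client (or via GPO reporting) before you switch the Client Setting to "All Signed", otherwise every script-based Configuration Item will fail with the 0x87D00327 error mentioned above.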
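Here is an added example of what such a remediation script could look like for the EnablePackageScripts setting; it is not code from the original post. It assumes the AppV 5 client module (AppvClient) is present on the machine, which is the case wherever the discovery script above can run, and relies on the value coming back as 0 or 1 as noted in step 5.

```powershell
# Added example, not part of the original post.
# Remediation script for the AppV client setting EnablePackageScripts.
Import-Module AppvClient -ErrorAction Stop

# Read the current value; the AppV cmdlet returns 0 or 1, not $true/$false.
$Current = Get-AppvClientConfiguration -Name EnablePackageScripts |
    Select-Object -ExpandProperty Value

if ([int]$Current -ne 1) {
    # Only write when the value is actually wrong, so repeated baseline
    # evaluations do not keep rewriting the setting.
    Set-AppvClientConfiguration -EnablePackageScripts 1 | Out-Null
}

# Re-read and return the value. The client re-runs the discovery script after
# remediation to decide compliance, so the remediation only needs to leave the
# setting correct and exit without errors.
Get-AppvClientConfiguration -Name EnablePackageScripts |
    Select-Object -ExpandProperty Value
```

Pair this with the discovery script from step 4 and a compliance rule of 1 (or True, depending on the Data Type you picked), and tick "Run the specified remediation script…" on the Compliance Rule tab.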
PowerShell Discovery Script:
Get-WmiObject -Namespace ROOT\CCM\SoftMgmtAgent -Query "Select Size from CacheConfig" | Select-Object -ExpandProperty "Size"
PowerShell Remediation Script:
$CacheQuery = Get-WmiObject -Namespace ROOT\CCM\SoftMgmtAgent -Class CacheConfig
$CacheQuery.Size = 10240
# Write the modified instance back to WMI; without Put() the new size is never saved.
$CacheQuery.Put() | Out-Null
And you will need to enable “Run the specified remediation script…” in the Compliance Rule tab, where you also define the Cache Size value that you want as the compliance value.
Once again, happy Non-Compliance hunting.