Using Software distribution and Desired Configuration Management to fix non-compliant computers

Desired Configuration Management (DCM) is a feature in Configuration Manager which helps us tracing non-compliant computers. In Configuration Manager 2012 the feature also allows us to automatically remediate non-compliant computers. With Configuration Manager 2007 we can use a combination of DCM and Software Distribution to achieve the same functionality.

In this example I will create a DCM CI that will report a workstation as non-compliant if Adobe Flash automatic update is enabled. To fix the problem, I have a script that will disable the check for new updates. The script will be deployed using a normal software package.

Part I – Desired Configuration Management

Create the DCM objects

A DCM rule consist of a least one Configuration Item (CI) that is added to a Baseline. The baseline is advertised to a collection and compliant data are automatically sent back to the site server.

Create the CI

  1. In the Configuration Manager Console, navigate to Computer Management, Desired Configuration Management, Configuration Items.
  2. Right Click and create a new General CI.
    image
  3. Name the CI, Automatic Update, assign a custom category and click Next.
    image
  4. Click New, File or Folder
    image
  5. Select
    Type: File
    Path: %windir%\system32\Macromed\Flash\
    File or folder name: mms.cfg
    Name pattern search depth: Specified path
    image
  6. Select the Validation tab. We want to make sure that a single file exists and the file size is 19 kb.
    Instance count operator: Equals
    Value: 1
    image
  7. Click New, File Size and select
    Operator: Greater than or equal to
    Value: 19
    image
  8. Click OK twice and finish the wizard using the default values.

Create the Baseline

  1. In the Configuration Manager Console, navigate to Computer Management, Desired Configuration Management, Baselines.
  2. Right Click and create a new baseline.
    image
  3. Name the baseline Automatic Updates, assign a custom category and click Next.
    image
  4. Click applications and general, select the Automatic updates CI and click finish the wizard.
    image
  5. Right click the baseline and Assign it to a collection using the default values.

Part 2 – The Software deployment

Create the Collection

The target collection for our software deployment is based on a dynamic query that looks for the unique baseline name.

  1. Create the dynamic query rule
    1. Create a new simple value
    2. In Attribute class select Configuration Item Compliance State
    3. In Attribute select Configuration State Name
      image
    4. Click OK
    5. In the Criterion Properties window click Value and select non-compliant
      image
    6. Click OK to save the criteria
    7. Create a new criteria:
      1. Attribute class select Configuration Item Compliance State
      2. Attribute select Localized Display Name
      3. In the Criterion Properties window click Value and select Automatic Updates
      4. Click OK to save the criteria
      5. Back in the in query statement your criteria’s should look like this:
        image
      6. Click Show Query Language:
        select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId where SMS_G_System_CI_ComplianceState.ComplianceStateName = "non-compliant" and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "Automatic Updates"
      7. Click OK to save the query statements and finish the collection

The package and advertisement

The package is a VB script that will copy mms.cfg to the correct location. Create the two files and place them in the same source location.

  1. Create a text file and type AutoUpdateDisable=1 save the file as mms.cfg
  2. Create a new VB script called disableAUflash.vbs

  3. Create the package and run the script as the program, like this “cscript.exe disableAUflash.vbs

    image
  4. Make sure the program runs under the local system account without any user interaction.

    image
  5. Finish the package and program using default settings. Remember to copy the package to your distribution points.
  6. Create a new advertisement with a recurrence schedule. In my example I run the package once a week. Also make sure you configure the rerun behavior to always rerun program.

    image

Local DCM report from non-compliant computer

image

Local DCM report after running the package

image

By | 2010-12-24T10:45:49+00:00 December 24th, 2010|Configuration Manager (SCCM), General info|5 Comments

About the Author:

Kent Agerlund
Microsoft Regional Director, Enterprise Mobility MVP. Microsoft Certified Trainer and Principal consultant. I have been working with Enterprise client management since 1992. Co-founder of System Center User Group Denmark in 2009. Certified MCITP: Enterprise Administrator, MCSA+Messaing, and much more. Member of: Microsoft Denmark System Center Partner Expert Team The Danish Technet Influencers program System Center Influencers Program.

5 Comments

  1. rhino January 6, 2011 at 21:57 - Reply

    You might want to check your spelling under “Create CI” step 6. 🙂

  2. Kent Agerlund January 6, 2011 at 22:02 - Reply

    Changed and thanks, count is not really the same wihtout the “o” 🙂

  3. Sam March 9, 2011 at 13:11 - Reply

    Hey Kent,

    Thanks for the above post , it is very helpful.But i am having a different case.

    Can i create a baseline to check, if all my users are having there outlook in cached mode or not. I have the registry key information with.

    pls help me with this.

    Thanks,
    Sam

  4. Rashmika October 4, 2011 at 13:51 - Reply

    Haha that cheered me up 😛

    Very helpful and I’ll give it a go!

    Rash.

  5. Rashmika October 4, 2011 at 17:10 - Reply

    A quick question! Instead of manually creating a collection, why would you not use the option to right click on the entry under Configuration Baselines, select Create New Collection -> Non-Compliant Systems?

Leave A Comment