Desired Configuration Management (DCM) is a feature in Configuration Manager that helps us trace non-compliant computers. In Configuration Manager 2012 the feature also allows us to automatically remediate non-compliant computers. With Configuration Manager 2007 we can use a combination of DCM and Software Distribution to achieve the same functionality.
In this example I will create a DCM CI that will report a workstation as non-compliant if Adobe Flash automatic update is enabled. To fix the problem, I have a script that will disable the check for new updates. The script will be deployed using a normal software package.
Part I – Desired Configuration Management
Create the DCM objects
A DCM rule consists of at least one Configuration Item (CI) that is added to a Baseline. The baseline is advertised to a collection and compliance data is automatically sent back to the site server.
Create the CI
- In the Configuration Manager Console, navigate to Computer Management, Desired Configuration Management, Configuration Items.
- Right Click and create a new General CI.
- Name the CI, Automatic Update, assign a custom category and click Next.
- Click New, File or Folder
- Select
Type: File
Path: %windir%\system32\Macromed\Flash\
File or folder name: mms.cfg
Name pattern search depth: Specified path
- Select the Validation tab. We want to make sure that a single file exists and the file size is 19 kb.
Instance count operator: Equals
Value: 1
- Click New, File Size and select
Operator: Greater than or equal to
Value: 19
- Click OK twice and finish the wizard using the default values.
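The file-size validation above also passes for a file that contains AutoUpdateDisable=0, which has the same length as AutoUpdateDisable=1. The following PowerShell check is an added example, not part of the original post, that reads the setting itself; the function names are hypothetical, and it assumes mms.cfg holds one Name=Value pair per line with # starting a comment.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumption: mms.cfg holds one Name=Value pair per line and '#' starts a comment.

function Get-MmsCfgSetting {
    param([Parameter(Mandatory = $true)][string]$Path)
    $settings = @{}   # PowerShell hashtable keys are case-insensitive
    # @() keeps an empty file from yielding a single $null line
    foreach ($line in @(Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        # Split on the first '=' only, so values may contain '='
        $name, $value = $line -split '=', 2
        if ($null -ne $value) { $settings[$name.Trim()] = $value.Trim() }
    }
    return $settings
}

function Test-FlashAutoUpdateDisabled {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Same first test as the CI: the file must exist at the specified path
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return 'Non-compliant: mms.cfg is missing'
    }
    try {
        $settings = Get-MmsCfgSetting -Path $Path
    } catch {
        return "Non-compliant: mms.cfg is unreadable ($($_.Exception.Message))"
    }
    if (-not $settings.ContainsKey('AutoUpdateDisable')) {
        return 'Non-compliant: AutoUpdateDisable is not set'
    }
    # The size check cannot tell these two apart; the content check can
    if ($settings['AutoUpdateDisable'] -ne '1') {
        return "Non-compliant: AutoUpdateDisable=$($settings['AutoUpdateDisable'])"
    }
    return 'Compliant'
}

# Path taken from the CI definition in this post
$cfg = Join-Path $env:windir 'System32\Macromed\Flash\mms.cfg'
Test-FlashAutoUpdateDisabled -Path $cfg
```

When this runs in a 32-bit process on 64-bit Windows, the file system redirector maps %windir%\System32 to %windir%\SysWOW64, so the result describes the SysWOW64 copy of the file.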
Create the Baseline
- In the Configuration Manager Console, navigate to Computer Management, Desired Configuration Management, Baselines.
- Right Click and create a new baseline.
- Name the baseline Automatic Updates, assign a custom category and click Next.
- Click Applications and general, select the Automatic updates CI and finish the wizard.
- Right click the baseline and Assign it to a collection using the default values.
Part II – The Software deployment
Create the Collection
The target collection for our software deployment is based on a dynamic query that looks for the unique baseline name.
- Create the dynamic query rule
- Create a new simple value
- In Attribute class select Configuration Item Compliance State
- In Attribute select Configuration State Name
- Click OK
- In the Criterion Properties window click Value and select non-compliant
- Click OK to save the criteria
- Create a new criteria:
- Attribute class select Configuration Item Compliance State
- Attribute select Localized Display Name
- In the Criterion Properties window click Value and select Automatic Updates
- Click OK to save the criteria
- Back in the query statement, your criteria should look like this:
- Click Show Query Language:
    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
           SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
           SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_CI_ComplianceState
        on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_CI_ComplianceState.ComplianceStateName = "non-compliant"
      and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "Automatic Updates"
- Click OK to save the query statements and finish the collection
The package and advertisement
The package is a VB script that will copy mms.cfg to the correct location. Create the two files and place them in the same source location.
- Create a text file and type AutoUpdateDisable=1 save the file as mms.cfg
- Create a new VB script called disableAUflash.vbs
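    ' Copies mms.cfg from the package source folder to the Flash folder
    Dim objFSO, objShell
    Dim strFileName, strScriptLocation, strWinDir, strParentFolder, strDestFolder
    strFileName = "mms.cfg"
    ' Folder the script runs from, including the trailing backslash
    strScriptLocation = Replace(WScript.ScriptFullName, WScript.ScriptName, "")
    Set objShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strWinDir = objShell.ExpandEnvironmentStrings("%windir%")
    strParentFolder = strWinDir & "\system32\Macromed"
    strDestFolder = strParentFolder & "\Flash"
    ' CreateFolder does not create missing parent folders, so create Macromed first
    If Not objFSO.FolderExists(strParentFolder) Then
        objFSO.CreateFolder strParentFolder
    End If
    If Not objFSO.FolderExists(strDestFolder) Then
        objFSO.CreateFolder strDestFolder
    End If
    ' True overwrites an existing mms.cfg
    objFSO.CopyFile strScriptLocation & strFileName, strDestFolder & "\", True
- Create the package and run the script as the program, like this: “cscript.exe disableAUflash.vbs”
- Make sure the program runs under the local system account without any user interaction.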
- Finish the package and program using default settings. Remember to copy the package to your distribution points.
- Create a new advertisement with a recurrence schedule. In my example I run the package once a week. Also make sure you configure the rerun behavior to always rerun program.
You might want to check your spelling under “Create CI” step 6. 🙂
Changed and thanks, count is not really the same without the “o” 🙂
Hey Kent,
Thanks for the above post, it is very helpful. But I am having a different case.
Can I create a baseline to check if all my users are having their Outlook in cached mode or not? I have the registry key information with.
Please help me with this.
Thanks,
Sam
Haha that cheered me up 😛
Very helpful and I’ll give it a go!
Rash.
A quick question! Instead of manually creating a collection, why would you not use the option to right click on the entry under Configuration Baselines, select Create New Collection -> Non-Compliant Systems?