Tuesday, November 15, 2016

SCCM Configuration Baseline

So I had a client that had a scenario where they needed to know which machines did not have subkeys under a specific registry hive.  Machines that had subkeys were considered “healthy” and if no subkeys were found then that machine was “unhealthy”.  And so SCCM Configuration Baselines come to the rescue.

So in this scenario we’ll just say the subkeys exist under “HKLM\Software\Fubar”.  Now I know I’ll probably get burned at the stake for using vbscript but its something I already had so no sense in reinventing the wheel when it comes to a tight timeline, use the tools you already have…….in this case I already had a script that met this criteria from many eons ago.  So the premise is I’ll have a script that just queries the registry for this key and if subkeys are found report “subkeys found” and if none exist then report “subkeys not found”.  Easy enough.

On Error Resume Next
Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
strKeyPath = "Software\Fubar"

Set objRegistry = GetObject("winmgmts:\\" & _
    strComputer & "\root\default:StdRegProv")

    objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys

    If IsArray(arrSubkeys) Then
   wscript.echo "subkeys found"
    Wscript.echo "no subkeys found"
    End If

So that’s the script that just runs through and identifies if subkeys exist.  If you need to customize this for your environment you simply need to change the line after “StrKeyPath = “ to where the registry is located that you would like queried.  Now to create a Configuration Baseline rule in SCCM.

1. Go under Assets and Compliance – Compliance Settings – Configuration Items and right click to create a new Configuration Item.

2. Give it a name and select the platforms you’d like to have it run on the first two screens of the wizard.

3. Now on the third screen that states “Specify settings for this operating system” click on “New”.

4. Now on the settings give it a name of your choice, for the “Setting Type” ensure you select “Script”, for the “Data Type” ensure you select “String” (as our result will be echoed back either “subkeys found” or “subkeys not found”).  Finally paste in your script where it says “Edit Script” ensuring you select “vbscript” from the drop down “Script Language”.

5. Now go to the “Compliance Rules” tab at the top and click on “New”.

6. From here give it a name once again, and near the bottom you’ll see the field “The setting must comply with the following rule”.  In the field enter the text “subkeys found” as that is the wording that gets echoed back to SCCM from the vbscript.

7. Click OK and OK once more to save these settings.  Now complete the wizard to finish creating your Configuration Item.

8. Now scroll down to “Configuration Baselines” and right click to “Create Configuration Baseline”

9. Once again give it a name and for “Configuration Data” select “Add - Configuration Items” and select the Configuration Item you created in the previous steps.  Click OK and OK once more to finish creating the Configuration Baseline.

Now simply deploy this Configuration Baseline to a collection that has a few test machines.  Once they check in you can see in the console that they will be reporting accurately, compliant or non-compliant based on what you are looking for.

No comments:

Post a Comment