System Center 2012 Configuration Manager Configuration Pack

Compliance Settings for ConfigMgr 2012. Microsoft has provided us with a Configuration Pack for ConfigMgr 2012. This Configuration Pack contains Configuration Items and a Configuration Baseline for our ConfigMgr 2012 environment.

This Configuration Pack monitors the following:

  • Management Point(s);
  • Site Server(s);
  • Software Update Point(s).

You can download the Configuration Pack HERE.

From the Microsoft site:

Overview

Software installation errors and misconfigurations compromise security and stability, resulting in escalated support costs. The System Center 2012 Configuration Manager Configuration Pack can help prevent errors, increasing your organizational uptime and helping you build a more secure and reliable Configuration Manager 2012 infrastructure. This Configuration Pack contains Configuration Items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. This configuration pack monitors the following site system roles: management points, site server, and software update points. The Configuration Pack can also monitor Windows Server Update Services (WSUS) components on software update points or upstream WSUS servers. To manage your site system roles with this Configuration Pack, import and assign the Microsoft System Center 2012 Configuration Manager Server Roles configuration baseline to a collection which contains your Configuration Manager 2012 site systems. While there is one configuration baseline for all site systems, it evaluates compliance only for roles configured on the site system. For example, if a computer has only the management point role, it will not be evaluated for software update point configurations. To understand in detail what each configuration item will be evaluating, review the properties of that configuration item in the context of the Configuration Manager 2012 Server Role being addressed.

Installation

After downloading the pack (HERE), install the MSI package.

That was easy!

In the installation directory you will find several files. Note that ConfigMgr2012ConfigPackReview.doc contains all the info about the Configuration Pack. Nice info!

I will put the content of the doc at the end of this post (HERE).

Import the Configuration Pack

Now you have to import the Configuration Pack.

Go to: Assets and Compliance – Overview – Compliance Settings and right-click on ‘Configuration Baselines‘, choose ‘Import Configuration Data‘.

Click Add, browse to your installation directory and select CM2012ServerRolesConfigpack.cab

2x Next

And there you are, you have 1 Configuration Baseline and 4 Configuration Items.

You can browse through the configuration items by selecting ‘Properties’. One thing you will notice is that all the ‘Remediate‘ options are set to ‘No‘ by default. This is actually a good thing: you don’t want anything automatically remediated in your ConfigMgr environment without you knowing about it. But it is possible 🙂

Deploy the Configuration Baseline

Make a collection with your SCCM 2012 site server(s) and deploy the Configuration Baseline.

Pick a collection and select OK.

And now you have to wait until the Baseline has run on the SCCM 2012 server(s).

Here you can choose ‘View Report’. This is the report from my SQL server:

Not much to do here, but at least it is nice and Green 😉

And this is the one from my ConfigMgr site server.

Hm, Non-Compliant, let’s check this out.

And the details:

Under Non-Compliant rules we see that the BGB firewall port for the Management Point should be open. As per the script, a warning is generated if the BGB port is found closed on the MP. The rest of the configuration items report that our server is Compliant.

OK, let’s check this script. It is found under Configuration Items – Microsoft System Center 2012 Configuration Manager Management Point, Properties, BGB firewall port.

Edit

Compliance Rules

Edit

So what this tells us is that the script generates a Warning when it finds that the port used for BGB is closed. But my firewall is disabled, so why would it generate this error?

Check the underlying script:

Edit Script:

Option Explicit

' Reads the BGB (notification server) TCP listener port from the registry.
' Returns Empty when the key or value does not exist.
Function GetBGBPort()
    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim strComputer,strKeyPath,oReg,arrSubKeys,dwValue,strValueName,WshShell
    strComputer = "."
    strKeyPath = "Software\Microsoft\SMS\NotificationServer"
    strValueName="TCP Listener Port"
    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    Set WshShell = WScript.CreateObject("WScript.Shell")
    ' Only read the value when the NotificationServer key exists
    If oReg.EnumKey(HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys) = 0 Then
        oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
    End If
    If not IsNull(dwValue) Then
        If not IsEmpty(dwValue) Then
            GetBGBPort = dwValue
        End If
    End If
End Function

' Walks the globally open ports of the *current* firewall profile and
' reports True only if one of them matches the BGB port. Note that it never
' checks whether the firewall is enabled at all.
Function FirewallPortIsOpen(iBGBPort)
    FirewallPortIsOpen = false
    Dim objFirewall, objPolicy, colPorts, objPort
    Set objFirewall = CreateObject("HNetCfg.FwMgr")
    Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
    Set colPorts = objPolicy.GloballyOpenPorts
    For Each objPort in colPorts
        If objPort.Port = iBGBPort Then
            FirewallPortIsOpen = true
        End If
    Next
End Function

' The compliance rule compares this output against "Port Open"
Dim iBGBPort
iBGBPort = GetBGBPort()
If FirewallPortIsOpen(iBGBPort) Then
    WScript.echo "Port Open"
Else
    WScript.echo "Port Closed"
End If

And here you have the culprit. Although my firewall is disabled, the script enumerates the current firewall profile to see whether the port is listed as open, without ever asking whether the firewall is on!

So I opened up the port (10123 TCP by default) in the firewall policy (Inbound Rule) et voilà, all green!
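The following is an added example and is not the Configuration Pack’s script or code from this post. It re-implements the same BGB check in PowerShell, but first asks whether any Windows Firewall profile is actually enabled, so a host with the firewall switched off reports "Port Open" instead of the false "Port Closed" seen above. It swaps the legacy HNetCfg.FwMgr interface used by the VBScript for the NetSecurity cmdlets (Get-NetFirewallProfile, Get-NetFirewallRule, Get-NetFirewallPortFilter), so it assumes Windows Server 2012 or later; the registry path and value name are the ones the original script reads, and the function names are my own.

```powershell
# Added example (not the Configuration Pack's own discovery script).
# Assumes: Windows Server 2012+ with the NetSecurity module, and the
# HKLM\Software\Microsoft\SMS\NotificationServer\"TCP Listener Port"
# value that the original VBScript reads.

function Get-BgbPort {
    # Same registry location as the VBScript; $null when this host is not an MP.
    $key  = 'HKLM:\Software\Microsoft\SMS\NotificationServer'
    $item = Get-ItemProperty -Path $key -Name 'TCP Listener Port' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'TCP Listener Port'
}

function Test-PortAllowedByRule {
    param([int]$Port, [string]$ProfileName)
    # Enumerate enabled inbound allow rules; a rule counts when it applies to
    # this profile (or to Any) and its TCP local-port filter covers $Port.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $scope = "$($rule.Profile)"                     # e.g. "Any" or "Domain, Private"
        if ($scope -ne 'Any' -and $scope -notmatch $ProfileName) { continue }
        $filter = $rule | Get-NetFirewallPortFilter
        if ("$($filter.Protocol)" -ne 'TCP') { continue }
        foreach ($lp in @($filter.LocalPort)) {
            if ($lp -eq 'Any') { return $true }
            if ($lp -match '^(\d+)-(\d+)$') {            # port range, e.g. 10120-10130
                if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
            } elseif (($lp -as [int]) -eq $Port) { return $true }
        }
    }
    return $false
}

function Test-BgbPortReachable {
    $port = Get-BgbPort
    if ($null -eq $port) {
        # No NotificationServer value: this server does not hold the MP role.
        return 'Not a Management Point'
    }
    # Only profiles that are enabled can block traffic; a disabled firewall
    # is the case that produced the false non-compliance in the post.
    $activeProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }
    if (-not $activeProfiles) {
        return 'Port Open'      # firewall off on every profile
    }
    foreach ($p in $activeProfiles) {
        if (-not (Test-PortAllowedByRule -Port $port -ProfileName $p.Name)) {
            return 'Port Closed' # an active profile has no allow rule for the BGB port
        }
    }
    return 'Port Open'
}

# Emits the same strings as the original script, so the existing compliance
# rule ("Port Open" expected) would still apply if this were used as a
# replacement discovery script.
Test-BgbPortReachable
```

The check deliberately stays read-only: it reports, and leaves remediation (adding the inbound rule) to the administrator, in line with the ‘Remediate = No’ defaults of the pack. It only inspects Windows Firewall; a third-party host firewall or a network ACL in front of the management point is outside what either script can see.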

System Center 2012 Configuration Manager Configuration Pack

Detailed Summary

Configuration Manager 2012 Configuration Pack

Configuration Baseline: Microsoft System Center 2012 Configuration Manager Server Roles

  • Included Configuration Items (If these optional application configuration items are detected, they must be properly configured)
    • Microsoft System Center 2012 Configuration Manager Site Server
    • Microsoft System Center 2012 Configuration Manager Management Point
    • Microsoft System Center 2012 Configuration Manager Software Update Point
    • Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Configuration Item: Microsoft System Center 2012 Configuration Manager Site Server

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • ConfigMgr Distribution Manager Startup Type
    • Title – ConfigMgr Distribution Manager Startup Type
    • Description – Verifies the Distribution Manager component startup type is configured correctly. This setting applies to all primary sites, secondary sites, and Central Administration Server.
    • Type of provider – Registry value.
  • ConfigMgr Offer Manager Startup Type
    • Title – ConfigMgr Offer Manager Startup Type
    • Description – Verifies the Offer Manager component startup type is configured correctly. This setting applies only to primary site servers.
    • Type of provider – Registry value.
  • SMS_EXECUTIVE
    • Title – SMS_EXECUTIVE
    • Description – SMS_EXECUTIVE registry key should be present on site server.
    • Type of provider – Registry key.
  • Sync Done
    • Title – Sync Done
    • Description – Script checks status message system for presence of sync done message.
    • Type of provider – Script.
  • Sync in Progress: WSUS Server
    • Title – Sync in Progress: WSUS Server
    • Description – Script checks status message system for presence of sync in progress: WSUS server message.
    • Type of provider – Script.
  • Sync Started
    • Title – Sync Started
    • Description – Script checks status message system for presence of sync started message.
    • Type of provider – Script.
  • WSUS Configuration Manager Startup Type
    • Title – WSUS Configuration Manager Startup Type
    • Description – Verifies the WSUS Configuration Manager Component startup type is configured correctly.
    • Type of provider – Registry value.
  • WSUS Sync Manager Startup Type
    • Title – WSUS Sync Manager Startup Type
    • Description – Verifies the WSUS Sync Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

Configuration Item: Microsoft System Center 2012 Configuration Manager Management Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • Background Intelligent Transfer Service (BITS) Server Extensions
    • Title – Background Intelligent Transfer Service (BITS) Server Extensions
    • Description – Verify that BITS is installed on this IIS server.
    • Type of provider – Script.
  • BGB firewall port is opened
    • Title – BGB firewall port is opened
    • Description – Verifies that the ‘Big Green Button’ (BGB) firewall port for this Management Point is open.
    • Type of provider – Script.
  • BITS Upload Enabled
    • Title – BITS Upload Enabled
    • Description – Verify that BITS Upload is enabled in IIS.
    • Type of provider – WQL query.
  • IIS Admin Service Start Mode
    • Title – IIS Admin Service Start Mode
    • Description – Verifies the IIS Admin Service is properly configured to auto start.
    • Type of provider – WQL query.
  • IIS Admin Service State
    • Title – IIS Admin Service State
    • Description – Verifies the IIS Admin Service is running.
    • Type of provider – WQL query.
  • IIS Windows Authentication
    • Title – IIS Windows Authentication
    • Description – Verifies that IIS has Windows Authentication enabled.
    • Type of provider – Script.
  • Microsoft Distributed Transaction Coordinator Service State
    • Title – Microsoft Distributed Transaction Coordinator Service State
    • Description – Distributed Transaction Coordinator Service should be running on Management Point.
    • Type of provider – WQL query.
  • Microsoft Distributed Transaction Coordinator Start Mode
    • Title – Microsoft Distributed Transaction Coordinator Start Mode
    • Description – Verifies the MSDTC service is properly configured to auto start.
    • Type of provider – WQL query.
  • Minimum Physical Memory Requirement
    • Title – Minimum Physical Memory Requirement
    • Description – Management Point meets minimum physical memory (RAM) requirements.
    • Type of provider – WQL query.
  • Windows Task Scheduler Service State
    • Title – Windows Task Scheduler Service State
    • Description – Task Scheduler Service should be running on Management Point.
    • Type of provider – WQL query.
  • Windows Task Scheduler Start Mode
    • Title – Windows Task Scheduler Start Mode
    • Description – Verifies the Windows Task Scheduler is properly configured to auto start.
    • Type of provider – WQL query.
  • World Wide Web Publishing Service Start Mode
    • Title – World Wide Web Publishing Service Start Mode
    • Description – Verifies the World Wide Web Publishing Service is properly configured to auto start.
    • Type of provider – WQL query.
  • World Wide Web Publishing Service State
    • Title – World Wide Web Publishing Service State
    • Description – World Wide Web Publishing Service should be running on Management Point.
    • Type of provider – WQL query.

Configuration Item: Microsoft System Center 2012 Configuration Manager Software Update Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • WSUS Control Manager Current State
    • Title – WSUS Control Manager Current State
    • Description – Verifies the WSUS Control Manager Component is running.
    • Type of provider – Registry value.
  • WSUS Control Manager Startup Type
    • Title – WSUS Control Manager Startup Type
    • Description – Verifies the WSUS Control Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

Configuration Item: Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • microsoft.updateservices.admindataaccessproxy.dll
    • Title – microsoft.updateservices.admindataaccessproxy.dll
    • Description – Verify all instances of microsoft.updateservices.admindataaccessproxy.dll.
    • Type of provider – File system.
  • microsoft.updateservices.administration.dll
    • Title – microsoft.updateservices.administration.dll
    • Description – Check for the existence of microsoft.updateservices.administration.dll.
    • Type of provider – File system.
  • microsoft.updateservices.baseapi.dll
    • Title – microsoft.updateservices.baseapi.dll
    • Description – Verify all instances of microsoft.updateservices.baseapi.dll.
    • Type of provider – File system.
  • Setup
    • Title – Setup
    • Description – Setup Registry key should be present.
    • Type of provider – Registry key.
  • SMS_EXECUTIVE
    • Title – SMS_EXECUTIVE
    • Description – SMS_EXECUTIVE Registry key should be present.
    • Type of provider – Registry key.
  • Windows Server Update Services Start Mode
    • Title – Windows Server Update Services Start Mode
    • Description – Verifies the WSUS Service start mode is configured correctly.
    • Type of provider – WQL query.
  • WSUS
    • Title – WSUS
    • Description – WSUS Registry key should be present.
    • Type of provider – Registry key.
  • WSUS Control Manager Startup Type
    • Title – WSUS Control Manager Startup Type
    • Description – Verifies the WSUS Control Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

5 thoughts on “System Center 2012 Configuration Manager Configuration Pack”

  1. Mino, Jun 17, 2016 10:29 am

    You are my hero! I was battling against the BGB Port for two days, but you are the only one who actually tackled the problem, unlike other similar blogs.

  2. dunga, Jun 17, 2016 2:47 pm

    :Thumbsup:

    I have a question: I have upgraded my lab to SCCM 1602. But now the baseline on Windows Updates is no longer compliant (because the files no longer exist):

    Verify all instances of microsoft.updateservices.admindataaccessproxy.dll
    Verify all instances of microsoft.updateservices.baseapi.dll

    Do you have this issue?

  3. Brachus, Feb 3, 2017 3:38 pm

    We recently upgraded to Current Branch as well and have the same two DLLs reported as missing. MS really needs to update their baselines.
