Mastering System Center Configuration Manager

Compliance authoring

Configuration Manager is responsible for creating, organizing, editing, and deploying compliance settings. The biggest challenge is when you have to translate business requirements into Configuration Manager items.

Organization

The organization of configuration items in configuration baselines is very important, just as in the case of organizing individual policies within Group Policy Objects. Strictly speaking, you don't need any organization: if you put all the settings in one configuration item and baseline, you are done. The problem arises when something goes wrong and you have to troubleshoot an issue. Organize similar settings into a single configuration item; for example, put all the settings for Internet Explorer into one configuration item. For more isolation, you can create a baseline with just one configuration item.

Although this is a good practice and creates isolation, it creates a lot of configuration items and more overhead for administration. Think of the configuration items as building blocks representing atomic units of functionality. Combining these in different ways results in a diverse and comprehensive set of baselines that are easier to maintain and troubleshoot.

Note

Evaluation is mostly quick and has no major impact on the client system. However, complex configuration items or baselines that contain a lot of configuration settings will affect the target system. Software updates' compliance terms have a great impact on client performance, especially when many are packed into one baseline. Test the baseline before deploying it to ensure that it won't affect performance on the target system. Scripts also have a great impact on target systems, and because of this, Configuration Manager 2012 R2 has a 1-minute timeout for scripts.

Using Microsoft tools

A great way to start configuring compliance settings is with the help of Microsoft configuration packs. They provide great examples and are good to use as a reference because they can teach you about compliance settings. Many of the evaluation checks are performed by custom scripts, and you can use them in your own configuration settings as well as easily modify them.

Security Compliance Manager

Security Compliance Manager is a Microsoft tool that is free for download. You can download it from the following link:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16776

This tool can help you to create and manage configuration baselines. The difference is that it cannot apply baselines to target systems, which is why it relies on Configuration Manager and group policies to do that. This tool includes a lot of baselines that cover the Windows, Microsoft Office, and Internet Explorer configurations. SCM can import a Group Policy Object, and this is a great way to start your baseline creation. When you have defined your baseline configuration, you can export it and import it into the Configuration Manager compliance settings.

CP Studio

This is a third-party application from Silect Software that offers the authoring of configuration baselines and configuration items. This allows IT administrators to create baselines without the Configuration Manager console. CP Studio provides a rich and intuitive environment for baseline creation. This is important because it shortens the development life cycle of configuration baselines and decreases the time needed for baselines to be put into production.

The compliance strategy

All of the functionality regarding compliance settings is relatively straightforward. You have to create the settings and deploy them. However, the main question is what should be done after that. Configuration Manager clients will accumulate data, and you have to decide what is to be done with this data. Some of the goals might be satisfying business goals, creating reports, troubleshooting, correcting nonstandard configurations, and so on. Every baseline that you create can address some of these goals. That is why the first thing to do is to identify the baseline's purpose, target, and delivery method. The following three parameters define what you put inside a baseline:

  • Reporting: This consists of another way to view and distribute the compliance results of the deployed baselines.
  • Alerting: This consists of raising real-time alerts of the evaluation results of a baseline.
  • On-demand results: This deals with client-side report generation. You can trigger the evaluation on the clients of selected baselines.
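
The on-demand option above can be scripted on the client. The following PowerShell is an added example, not code from the book: it assumes an elevated session on a machine with the Configuration Manager client installed, uses the client's `root\ccm\dcm` WMI namespace and its `SMS_DesiredConfiguration` class, and the parameter names `NameFilter` and `WaitSeconds` are hypothetical.

```powershell
# Added example (not from the book): trigger evaluation of deployed baselines
# on the local Configuration Manager client and read back the results.
[CmdletBinding()]
param(
    [string]$NameFilter = '*',  # hypothetical: wildcard on the baseline display name
    [int]$WaitSeconds   = 30    # hypothetical: evaluation is asynchronous, pause before re-reading
)

$ns  = 'root\ccm\dcm'              # client-side desired configuration namespace
$cls = 'SMS_DesiredConfiguration'  # one instance per baseline deployed to this client

# Only 0 and 1 are decoded; any other value is reported as its raw number.
$statusText = @{ 0 = 'Non-compliant'; 1 = 'Compliant' }

$baselines = @(Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction Stop |
    Where-Object { $_.DisplayName -like $NameFilter })
if ($baselines.Count -eq 0) {
    Write-Warning "No deployed baseline matches '$NameFilter'."
    return
}

# TriggerEvaluation is a static method that takes the baseline's Name and Version.
foreach ($b in $baselines) {
    $r = Invoke-CimMethod -Namespace $ns -ClassName $cls -MethodName TriggerEvaluation `
        -Arguments @{ Name = $b.Name; Version = $b.Version }
    if ($r.ReturnValue -ne 0) {
        Write-Warning "Trigger failed for '$($b.DisplayName)' (return value $($r.ReturnValue))."
    }
}

Start-Sleep -Seconds $WaitSeconds

# Re-query so the report reflects the evaluation that was just requested.
Get-CimInstance -Namespace $ns -ClassName $cls |
    Where-Object { $_.DisplayName -like $NameFilter } |
    ForEach-Object {
        $code = [int]$_.LastComplianceStatus   # cast so the hashtable lookup matches its Int32 keys
        [pscustomobject]@{
            Baseline = $_.DisplayName
            Version  = $_.Version
            Status   = if ($statusText.ContainsKey($code)) { $statusText[$code] } else { "Other ($code)" }
            LastEval = $_.LastEvalTime
        }
    }
```

Baselines that contain many settings or scripts can take longer to evaluate than the default wait, so compare `LastEval` with the time of the run before trusting the reported status.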