MMS Minnesota 2014

PowerShell DSC v. ConfigMgr Compliance Settings

Greg RamseyDavid O’BrienSherry Kissinger

#MMSMinnesota

MMS Minnesota 2014

Agenda

• Creation• Targeting/Deployment, Enforcement, and Priority• Reporting

• PowerShell DSC Demo – David• ConfigMgr Client Settings Demo – Greg and Sherry• Discuss

MMS Minnesota 2014

PowerShell DSC

• Native Feature in Windows Powershell 4.0• Lots of Experimental Resources available• AD, Azure, Certs, Bitlocker, Chrome, CompMgmt, CredSSP,

Database, DHCPServer, DISM, DNS, Exchange, Cluster, Firefox, Hyper-V, JEA,MySQL, Networking, RebootPending, PHP, RemoteDesktopConfig, SafeHarbor, SCDPM, SCOM, Script, SMA, SCVMM, SMB, SQLPS, SQL, SystemSecurity, WebAdmin, WindowsUpdate, WinEventLog, WordPress, FileShare

• RBA? Not really. . Maybe control some with Partial Config

MMS Minnesota 2014

“Make It So”

DSC is Idempotent

Idempotent - The property of certain operations in mathematics and computer science, that can be applied multiple times without changing the result beyond the initial application.

http://en.wikipedia.org/wiki/Idempotence

MMS Minnesota 2014

DSC Example

MMS Minnesota 2014

DSC Creation

MMS Minnesota 2014

DSC Resource Anatomy 101

• Test-TargetResource – tests presence, absence on a machine

• Get-TargetResource – Checks for how a machine is configured at a point in time.

• Set-TargetResource – Enforces State of machine, when Test-TargetResource returns false

MMS Minnesota 2014

DSC Resource – Simple Pseudocode

MMS Minnesota 2014

DSC Targeting/Deployment and Priority• Targeting/Deployment• Install configuration locally• Static (mostly)• Configure “Local Configuration Manager” to PULL configurations• Partial Configurations• Dependencies

• Priority• Conflict Detection

MMS Minnesota 2014

Enforcement

• ApplyOnly – applies once, does nothing else until new/updated configuration• ApplyAndMonitor – Apply, monitor – report

compliance/noncompliance• ApplyAndAutoCorrect - Apply, monitor, report

compliance/noncompliance, auto remediate drift

MMS Minnesota 2014

DSC Reporting

• Pass/Fail, no detail• Use Web Services on Conformance Endpoint

• Use SCOM

MMS Minnesota 2014

Demo - DSC

MMS Minnesota 2014

ConfigMgr Compliance Settings

• Native Feature in ConfigMgr• Lots of supported providers• AD, File, Script (Jscript, VBScript, and PowerShell), SQL, Software

Update, WMI, XML, Registry, IIS, MSI)• RBA – Yes!

MMS Minnesota 2014

Compliance Settings Example

MMS Minnesota 2014

Compliance Settings Targeting/Deployment and Priority

• Targeting/Deployment• Deploy using ConfigMgr• Can be Dynamic (Query-based Collection)• Client pollson regular interval for CI updates• Partial Configurations*• Dependencies

• Priority• Conflict Detection reporting

MMS Minnesota 2014

Compliance Settings Enforcement

•Monitor•Monitor and Remediate• *Maintenance Windows for Enforcement

MMS Minnesota 2014

Compliance Settings Reporting

• In-Console monitoring• *Create collections too

• ConfigMgr Reporting Point• SQL• Eventvwr

MMS Minnesota 2014

Demo – Compliance Settings

Session Title

EvaluationsPlease provide session feedback by clicking the Eval button in the scheduler app. One lucky winner will get a free ticket to the next MMS!

Visit all of our sponsors in the expo area and online!

Platinum Sponsors:

Gold Sponsors:

MMS Minnesota 2014