MMS Minnesota 2014
PowerShell DSC v. ConfigMgr Compliance Settings
Greg Ramsey, David O’Brien, Sherry Kissinger
Agenda
• Creation
• Targeting/Deployment, Enforcement, and Priority
• Reporting
• PowerShell DSC Demo – David
• ConfigMgr Client Settings Demo – Greg and Sherry
• Discuss
PowerShell DSC
• Native Feature in Windows PowerShell 4.0
• Lots of Experimental Resources available
  • AD, Azure, Certs, Bitlocker, Chrome, CompMgmt, CredSSP, Database, DHCPServer, DISM, DNS, Exchange, Cluster, Firefox, Hyper-V, JEA, MySQL, Networking, RebootPending, PHP, RemoteDesktopConfig, SafeHarbor, SCDPM, SCOM, Script, SMA, SCVMM, SMB, SQLPS, SQL, SystemSecurity, WebAdmin, WindowsUpdate, WinEventLog, WordPress, FileShare
• RBA? Not really. Maybe control some with Partial Config
“Make It So”
DSC is Idempotent
Idempotent - The property of certain operations in mathematics and computer science, that can be applied multiple times without changing the result beyond the initial application.
http://en.wikipedia.org/wiki/Idempotence
DSC Example
DSC Creation
DSC Resource Anatomy 101
• Test-TargetResource – tests presence, absence on a machine
• Get-TargetResource – Checks for how a machine is configured at a point in time.
• Set-TargetResource – Enforces State of machine, when Test-TargetResource returns false
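The three functions above, sketched as a minimal script-module resource that keeps one registry DWORD at a desired value. This is an added example, not code from the session: the module name, parameter names and registry key are hypothetical, and the matching schema.mof is not shown.

```powershell
# Added example: hypothetical DSC resource module (Demo_RegistryDword.psm1).
# Assumes Key/ValueName are key properties and ValueData is required in the schema.

function Get-TargetResource {
    [CmdletBinding()]
    [OutputType([hashtable])]
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [int] $ValueData
    )
    # Read-only: report how the machine is configured right now.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.$ValueName } else { $null }
    return @{ Key = $Key; ValueName = $ValueName; ValueData = $current }
}

function Test-TargetResource {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [int] $ValueData
    )
    # $true means the machine is already in the desired state, so Set is skipped.
    $state = Get-TargetResource @PSBoundParameters
    return ($null -ne $state.ValueData) -and ($state.ValueData -eq $ValueData)
}

function Set-TargetResource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [int] $ValueData
    )
    # Idempotent by construction: running this twice leaves the same value.
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $ValueName -Value $ValueData `
        -PropertyType DWord -Force | Out-Null
}

Export-ModuleMember -Function *-TargetResource

# Local check from an elevated prompt, using a constructed key:
#   $p = @{ Key = 'HKLM:\SOFTWARE\DemoDsc'; ValueName = 'Enabled'; ValueData = 1 }
#   Test-TargetResource @p; Set-TargetResource @p; Test-TargetResource @p
```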
DSC Resource – Simple Pseudocode
DSC Targeting/Deployment and Priority
• Targeting/Deployment
  • Install configuration locally
  • Static (mostly)
  • Configure “Local Configuration Manager” to PULL configurations
  • Partial Configurations
  • Dependencies
• Priority
  • Conflict Detection
Enforcement
• ApplyOnly – applies once, does nothing else until new/updated configuration
• ApplyAndMonitor – Apply, monitor – report compliance/noncompliance
• ApplyAndAutoCorrect – Apply, monitor, report compliance/noncompliance, auto remediate drift
DSC Reporting
• Pass/Fail, no detail
• Use Web Services on Conformance Endpoint
• Use SCOM
Demo - DSC
ConfigMgr Compliance Settings
• Native Feature in ConfigMgr
• Lots of supported providers
  • AD, File, Script (JScript, VBScript, and PowerShell), SQL, Software Update, WMI, XML, Registry, IIS, MSI
• RBA – Yes!
Compliance Settings Example
Compliance Settings Targeting/Deployment and Priority
• Targeting/Deployment
  • Deploy using ConfigMgr
  • Can be Dynamic (Query-based Collection)
  • Client polls on regular interval for CI updates
  • Partial Configurations*
  • Dependencies
• Priority
  • Conflict Detection reporting
Compliance Settings Enforcement
• Monitor
• Monitor and Remediate
• *Maintenance Windows for Enforcement
Compliance Settings Reporting
• In-Console monitoring
• *Create collections too
• ConfigMgr Reporting Point
• SQL
• Eventvwr
Demo – Compliance Settings