
Post on 29-Dec-2015


PowerShell DSC v. ConfigMgr Compliance Settings
MMS Minnesota 2014
Greg Ramsey, David O'Brien, Sherry Kissinger
#MMSMinnesota

Agenda
- Creation
- Targeting/Deployment, Enforcement, and Priority
- Reporting
- PowerShell DSC Demo: David
- ConfigMgr Client Settings Demo: Greg and Sherry
- Discuss

PowerShell DSC
- Native Feature in Windows PowerShell 4.0
- Lots of Experimental Resources available: AD, Azure, Certs, Bitlocker, Chrome, CompMgmt, CredSSP, Database, DHCPServer, DISM, DNS, Exchange, Cluster, Firefox, Hyper-V, JEA, MySQL, Networking, RebootPending, PHP, RemoteDesktopConfig, SafeHarbor, SCDPM, SCOM, Script, SMA, SCVMM, SMB, SQLPS, SQL, SystemSecurity, WebAdmin, WindowsUpdate, WinEventLog, WordPress, FileShare
- RBA? Not really. Maybe control some with Partial Config

Make It So
DSC is Idempotent

Idempotent - The property of certain operations in mathematics and computer science, that can be applied multiple times without changing the result beyond the initial application.

http://en.wikipedia.org/wiki/Idempotence

DSC Example

DSC Creation

DSC Resource Anatomy 101
- Test-TargetResource: tests presence, absence on a machine
- Get-TargetResource: checks for how a machine is configured at a point in time
- Set-TargetResource: enforces state of machine, when Test-TargetResource returns false

DSC Resource Simple Pseudocode
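The Get/Test/Set functions described above, written out as a small resource module. This is an added example, not code from the presentation; the module name Demo_RegistryDword and its Path/Name/Value properties are hypothetical.

```powershell
# Demo_RegistryDword.psm1 - hypothetical DSC resource module, constructed for illustration.
# Keeps a single DWORD registry value at the desired number.

function Get-TargetResource {
    [OutputType([System.Collections.Hashtable])]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # Read-only: report how the machine is configured right now.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$Name } else { $null }
    return @{ Path = $Path; Name = $Name; Value = $current }
}

function Test-TargetResource {
    [OutputType([System.Boolean])]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    $state = Get-TargetResource -Path $Path -Name $Name
    # $true = already in the desired state, so the LCM does not call Set-TargetResource.
    # A missing value ($null) or a value of another type counts as drift.
    return ($state.Value -is [int] -and $state.Value -eq $Value)
}

function Set-TargetResource {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    # Only reached when Test-TargetResource returned $false.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force overwrites whatever is there, so running this twice leaves the
    # same end state as running it once (the idempotence the slide refers to).
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

Export-ModuleMember -Function *-TargetResource
```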

DSC Targeting/Deployment and Priority
- Targeting/Deployment
  - Install configuration locally
  - Static (mostly)
  - Configure Local Configuration Manager to PULL configurations
- Partial Configurations
- Dependencies
- Priority
- Conflict Detection

Partial Configurations: with the current beta, you can configure partial configurations, which basically break an LCM into multiple sections; each partial config has a source (pull server). You can also declare exclusivity over certain resources: Partial Config A can control network, Partial Config B can control Certs.
Priority: there's only one config applied to a system. You can also build dependencies.

Enforcement
- ApplyOnly: applies once, does nothing else until new/updated configuration
- ApplyAndMonitor: apply, monitor, report compliance/noncompliance
- ApplyAndAutoCorrect: apply, monitor, report compliance/noncompliance, auto remediate drift

Monitor happens every 30 mins by default.
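How the pull targeting and the enforcement mode above are set on a node, as an added example in PowerShell 4.0 syntax (not from the presentation). The ConfigurationID GUID and the pull server URL are placeholders.

```powershell
# LCM meta-configuration for a pull client (PowerShell 4.0 / WMF 4.0 syntax).
Configuration PullClientLcm {
    param([string[]] $ComputerName = 'localhost')

    Node $ComputerName {
        LocalConfigurationManager {
            # Placeholder GUID: the pull server serves <ConfigurationID>.mof to this node.
            ConfigurationID           = '00000000-0000-0000-0000-000000000000'
            RefreshMode               = 'Pull'
            DownloadManagerName       = 'WebDownloadManager'
            DownloadManagerCustomData = @{
                # Placeholder URL; keep the pull endpoint on HTTPS so configurations
                # are not fetched over an unauthenticated channel.
                ServerUrl               = 'https://pull.example.test:8080/PSDSCPullServer.svc'
                AllowUnsecureConnection = 'False'
            }

            # ApplyOnly            : apply once, then nothing until a new configuration arrives
            # ApplyAndMonitor      : apply, then only report drift
            # ApplyAndAutoCorrect  : apply, report drift, and re-apply to remediate it
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30   # the consistency-check interval the slide mentions
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile to <node>.meta.mof, push it to the LCM, then confirm what the node is running with.
PullClientLcm -OutputPath .\PullClientLcm
Set-DscLocalConfigurationManager -Path .\PullClientLcm -Verbose
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, ConfigurationModeFrequencyMins
```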

http://technet.microsoft.com/en-us/library/dn249922.aspx

http://blogs.technet.com/b/privatecloud/archive/2014/08/08/desired-state-configuration-dsc-nodes-deployment-and-conformance-reporting-series-part-2-deploying-a-pull-service-endpoint-and-automating-the-configuration-of-the-dsc-nodes.aspx

DSC Reporting
- Pass/Fail, no detail
- Use Web Services on Conformance Endpoint
- Use SCOM

Web Services (Invoke-RestMethod)

Trevor's blog - http://trevorsullivan.net/2014/09/26/fix-for-service-unavailable-in-powershell-dsc-pull-server/

Using SCOM to check enforcement - http://blogs.technet.com/b/privatecloud/archive/2014/10/09/desired-state-configuration-dsc-nodes-deployment-and-conformance-reporting-series-part-4-using-operations-manager-to-check-for-configuration-enforcement.aspx

http://blogs.technet.com/b/privatecloud/archive/2014/08/08/desired-state-configuration-dsc-nodes-deployment-and-conformance-reporting-series-part-3-working-with-the-conformance-endpoint.aspx

http://blogs.msdn.com/b/powershell/archive/2014/05/29/how-to-retrieve-node-information-from-pull-server.aspx

Reporting in General - http://blogs.technet.com/b/privatecloud/archive/2014/08/08/desired-state-configuration-dsc-nodes-deployment-and-conformance-reporting-series-part-3-working-with-the-conformance-endpoint.aspx

Demo - DSC

ConfigMgr Compliance Settings
- Native Feature in ConfigMgr
- Lots of supported providers (AD, File, Script (JScript, VBScript, and PowerShell), SQL, Software Update, WMI, XML, Registry, IIS, MSI)
- RBA: Yes!

Compliance Settings Example

Compliance Settings Targeting/Deployment and Priority
- Targeting/Deployment
  - Deploy using ConfigMgr
  - Can be Dynamic (Query-based Collection)
  - Client polls on regular interval for CI updates
- Partial Configurations*
- Dependencies
- Priority
- Conflict Detection reporting

Compliance Settings Enforcement
- Monitor
- Monitor and Remediate
- *Maintenance Windows for Enforcement

Monitor/remediate occurs on your defined schedule.

Compliance Settings Reporting
- In-Console monitoring
- *Create collections too
- ConfigMgr Reporting Point
- SQL
- Eventvwr

Demo - Compliance Settings

GPO v. DSC - http://sdmsoftware.com/group-policy-blog/group-policy/group-policy-vs-desired-state-configuration-vs/
