SCCM 2012 DCM #rdproud


Hello,

Today I created an SCCM 2012 DCM rule for verifying if all services set to automatic are effectively started. Sounds easy, but there are some catches.

For a walkthrough see http://blogs.msdn.com/b/scom_2012_upgrade_process__lessons_learned_during_my_upgrade_process/archive/2012/09/21/compliance-settings-sccm-2012.aspx

The interesting part, however, is:

-> As soon as you add a remediation script to your CI it will always show up compliant.

Baseline 1 without remediation

Shows up as non-compliant (which is correct)

As you can see the output presented by the script is “Incompliant” and it needs to be “Compliant” so we’re in an error state.

Now if we add the remediation script.

And perform the exact same thing (after policy refresh)

And you’ll see that the rule reports as compliant because it automatically assumes the remediated value is “Compliant”.

Since there was logging attached to the PowerShell script, we can see the following. First of all, I use the script name as the log file, and apparently the PowerShell script name is regenerated each time the DCM rule is evaluated, so use a hardcoded log file.

Now the remediation script logs the same output: Incompliant

So my guess is the detection rule is not re-evaluated after repair, so the state is assumed compliant.
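The logging setup described above, sketched as an added example (not the author's script): a discovery check and a remediation routine for Windows PowerShell that share one fixed log file and log the real state again after repair. The log path and the `$Exclude` list are assumptions.

```powershell
# Added example, not the post's script. Log path and exclusion list are assumptions.
# Fixed path: do not derive the log name from the script name, which changes per evaluation.
$LogFile = 'C:\Windows\Temp\DCM-AutoServices.log'
$Exclude = @()   # hypothetical: automatic services that are allowed to be stopped

function Write-DcmLog([string]$Message) {
    $line = '{0} {1}' -f (Get-Date -Format 's'), $Message
    Add-Content -Path $LogFile -Value $line
}

function Get-StoppedAutoService {
    # Services configured to start automatically that are not currently running
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Where-Object { $Exclude -notcontains $_.Name }
}

function Test-AutoServices {
    $stopped = @(Get-StoppedAutoService)
    foreach ($s in $stopped) { Write-DcmLog "Not running: $($s.Name) (state $($s.State))" }
    if ($stopped.Count -eq 0) { $result = 'Compliant' } else { $result = 'Incompliant' }
    Write-DcmLog "Discovery result: $result"
    return $result
}

function Repair-AutoServices {
    foreach ($s in @(Get-StoppedAutoService)) {
        try {
            Start-Service -Name $s.Name -ErrorAction Stop
            Write-DcmLog "Started: $($s.Name)"
        } catch {
            Write-DcmLog "Failed to start $($s.Name): $($_.Exception.Message)"
        }
    }
    # Re-check after repair so the log records the actual post-remediation state
    Write-DcmLog "Post-remediation result: $(Test-AutoServices)"
}

# Discovery script body: the compliance rule compares this string with "Compliant"
Test-AutoServices
# The remediation script body would call Repair-AutoServices instead
```

Because the remediation routine logs a fresh check, the log file shows whether services were really started even when the console reports the rule as compliant.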

A solution could be to add the same rule twice:

-> Once with remediation reporting no issues when non-compliant

-> Once without remediation reporting Critical severity

Hmm... This is not working: still Compliant after evaluation. So I added 2 settings and created a set of 2 Compliance Rules.

Much better, now I have an incompliant state but my repair script has executed.

We can see that Rule1 is evaluated and remediated but has not made a change in compliance state.

Wow, this should have been easier to do, no?

Enjoy.

Gino D
