I just finished setting up ConfigMgr 2012 for a client. As part of the project we also implemented Nomad and PXE Everywhere. There are several settings in those products that have been set up as Configuration Items in ConfigMgr and aggregated into Configuration Baselines for each product. These baselines check several registry configuration settings related to the products, the services for each, license status, and other things. Noncompliant items are automatically remediated (if you choose to set them to remediate).
The customer also had other settings in the base Windows installation that he had wanted to evaluate as well. He wanted to create a GPO which would make those settings. I thought that perhaps we could take the opportunity to create Configuration Items for the settings he wanted to control and deploy a Configuration Baseline to the target machines in order to evaluate the settings and remediate them if they were non-compliant.
Why would someone want to do that instead of using a GPO? You wouldn’t. I don’t think this is an “either/or” scenario. You can use Compliance and Settings in ConfigMgr to enhance your GPO strategy. Let me explain.
GPOs will work on any domain member machine. GPO is a great way to get configuration settings out to the machines in your domain. But there are two major problems with GPOs the way I see it.
First, there is no real native solution for monitoring and reporting on GPO status across the environment. You basically put your GPO in place (hopefully after testing it!) and assume that it is applied across the board. If GPOs aren’t applied to some machines you really don’t have a proactive way of knowing that there are problems. I’m sure every IT person out there would much rather know about problems ahead of time. It stinks when your boss shows up deskside to tell you about an issue and your only response is “Errrr…uhhh…yeah…uhhh…”. Much better to confidently say, “Yup. I know. Already on it.”. And that will only happen if you couldn’t get it fixed before anyone noticed it.
Second, There really isn’t a good, centralized way of applying GPOs to machines that are not domain members. You basically have to edit the policy on each machine individually.
If you have ConfigMgr 2012 you can use Compliance and Settings to address both of those issues. With ConfigMgr Compliance and settings you can centrally report on the success of evaluation and remediation of Configuration Items. You can also evaluate and remediate items on machines that are not domain members.
So back to my question…Why would someone want to use ConfigMgr Compliance and Settings instead of using a GPO?
The answer was, you wouldn’t. You use Compliance and Settings to supplement GPOs. The reason I said that is because, obviously, Compliance and Settings evaluation and remediation in ConfigMgr 2012 only applies to ConfigMgr clients. This will not work for machines which are not ConfigMgr clients, or problematic machines which do not have a working ConfigMgr client installed.
So use your GPOs to make the settings on your domain member machines. Follow that up by deploying a Configuration Baseline to check the machines and ensure that the settings are correct. If you have machines that the GPO is not applied on they will show up in reports of non-compliant machines.
Some of the settings will take some research to identify. For example, I opened GPEDIT.MSC and randomly picked a setting on my machine: Shutdown: Allow system to be shut down without having to log on (Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options). After a quick Google search I find the same setting in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The value name is REG_DWORD shutdownwithoutlogon. I can configure the Configuration Item as shown below:
Make note of the fact that the Data Type for this registry value is specified as an Integer, while we mentioned above that it is a REG_DWORD value. There is no REG_DWORD type listed in the Data Type dropdown. Therefore, if you have a REG_DWORD you want to check select Integer and in the compliance check (shown below) enter the value as Decimal instead of entering the hexadecimal that appears in the registry.
Note that I entered the value as decimal (I know, zero isn’t very helpful, but you notice I didn’t enter 0x00000000). If you want to remediate a noncompliant setting select the Remediate non-compliant rules when supported checkbox. Note: This checkbox does not appear on the page if the rule uses any condition other than Equals (shown in the dropdown box in the middle of the page). You can also specify a non-compliance severity for this setting.
Next, you need to create a Compliance Baseline. Finally, after you have added the Configuration Item(s) you desire to the Baseline you need to deploy it…
One thing that you must remember is to select the Remediate noncompliant rules when supported checkbox in the deployment as well. Otherwise, even if you have selected it in the Configuration Item the setting will not remediate if it is found to be noncompliant.
I’d like to close by visiting the topic of remediation. A ConfigMgr item can be configured to automatically remediate noncompliant settings (and don’t forget, you have to set your Configuration Baseline deployments to allow remediation or the setting for remediation in the Configuration Items contained in the Baseline will not take effect). If you have your Compliance Items/Baseline Deployment set to remediate noncompliant items you really need to make sure that you are organized. Do not put yourself in the position where you have updated a setting in a GPO but then neglected to update the corresponding Configuration Item in ConfigMgr. If that happens, the GPO will make one setting and then when ConfigMgr evaluates the Configuration Item it will revert the setting back to the previous value. You might want to do something like naming your GPO and you Configuration Baseline similarly. Populate the Configuration Baseline with Configuration Items that correspond to each of the settings in the GPO, and name the Configuration Items so that they clearly identify the GPO setting you are checking.