Geek of All Trades: GPPs for the GPP-less
There are other ways to manage the compliance settings of Microsoft System Center 2012 Configuration Manager if you’re shut out of Group Policy.
IT organizations everywhere are ramping up for the System Center 2012 releases, so I’ve been doing a lot of System Center training. This makes perfect sense. What doesn’t make sense is the fact that most Microsoft System Center Configuration Manager admins tell me their companies still don’t let them use Group Policy and Group Policy preferences (GPPs).
Their reason is always the same: Group Policy is handled by the server team. In some cases, it might be the Active Directory team. “They don’t let us use it,” they say. Neither company size nor industry matters. Across IT, the turf war between who’s responsible for the desktops and who takes care of the servers is inadvertently keeping the desktop guys from their desktop management tools.
You can almost understand the reason, if not the result. Group Policy and GPPs are typically considered part of Active Directory, and Active Directory is a classically server-side technology. What's unfortunate is that the configurations these tools manage are often more useful on desktops than on servers.
One of my students just asked, “I want to disable automatic updates on Adobe Reader. I know which registry key and value turns it off, but how do I distribute that registry change out to all my computers?”
My initial response was a quick rundown on GPPs. Distributing a simple registry change, as my student wanted to do, requires about a dozen clicks. The answer may be simple, but he was concerned he’d never be allowed to do it. Because changing the minds of his Active Directory caretakers seemed out of the question, we turned to options he could implement. One of those was Configuration Manager 2012—specifically its new and improved Compliance Settings.
Desired Configuration Management
Monitoring compliance settings isn’t new to Configuration Manager. It was actually introduced in the previous version as Desired Configuration Management (DCM). In its original form, DCM could monitor for deviations from a configuration baseline, but it couldn’t do remediation. Configuration Manager 2007 DCM might have told you which computers didn’t meet a baseline, but you had to figure out how to resolve the problem on your own.
Configuration Manager 2012 adds direct remediation to the DCM feature set: when a client finds itself out of compliance with a registry value, WMI query or script setting, it can put the setting right on the spot instead of merely reporting it (the other setting types are still evaluate-only). This is a much-needed assist for Group Policy Object (GPO)-less desktop admins everywhere. Here's how it works.
For Adobe Reader X, the registry key that controls automatic updates is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\1.0\ARM. Setting the iCheck DWORD value to 3 tells the Adobe updater to download and install updates automatically; setting it to 0 shuts the updater off. Note the Wow6432Node segment: that is the view 64-bit Windows keeps for 32-bit applications such as Reader. On 32-bit Windows the same key sits directly under HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe ARM\1.0\ARM, so a mixed fleet needs a CI that accounts for both locations.
Finding that key and the correct value is perhaps the most difficult part of this process. One way is to search the Web for the right values. Another trick is to use a registry-scanning tool to see which value changes when you alter the setting through the application's own interface. Armed with the correct registry hive, key path, value name and data, you can do the rest within the Configuration Manager 2012 console.
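The registry-diff trick described above, as an added PowerShell example that is not part of the original article: snapshot every value under one or more keys, change the setting in the application's own UI, snapshot again and print what changed. The paths watched here are the two Adobe ARM locations the article discusses plus the per-user Adobe key (an assumption; the functions work for any registry path you give them). Run it from an elevated prompt so that every subkey is readable.

```powershell
# Added example, not from the original article or from Adobe/Microsoft.
# Watches one or more registry keys, prompts you to change the setting in
# the application's UI, then reports the values that differ.

function Get-RegistrySnapshot {
    param([Parameter(Mandatory=$true)][string[]]$Path)
    $snapshot = @{}
    foreach ($root in $Path) {
        # Keys that do not exist on this machine (e.g. Wow6432Node on 32-bit
        # Windows) are simply skipped rather than treated as an error.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue)
        $keys += @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Join array data (REG_MULTI_SZ, REG_BINARY) so every value compares as a string.
                $snapshot["$($key.Name)\$name"] = ($key.GetValue($name) -join ',')
            }
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    param([Parameter(Mandatory=$true)][hashtable]$Before,
          [Parameter(Mandatory=$true)][hashtable]$After)
    $names = @($Before.Keys) + @($After.Keys) | Select-Object -Unique
    foreach ($n in $names) {
        if ($Before[$n] -ne $After[$n]) {
            New-Object PSObject -Property @{
                Value  = $n
                Before = $Before[$n]   # $null when the value was created by the change
                After  = $After[$n]    # $null when the value was deleted by the change
            }
        }
    }
}

# Keys to watch (assumed list; add any other location you suspect).
$watch = @(
    'HKLM:\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\1.0\ARM',   # 64-bit Windows, 32-bit Reader
    'HKLM:\SOFTWARE\Adobe\Adobe ARM\1.0\ARM',               # 32-bit Windows
    'HKCU:\Software\Adobe'                                  # per-user preferences
)

$before = Get-RegistrySnapshot -Path $watch
Read-Host 'Change the automatic update setting in Adobe Reader, then press Enter'
$after = Get-RegistrySnapshot -Path $watch
Compare-RegistrySnapshot -Before $before -After $after |
    Format-Table Value, Before, After -AutoSize
```

Each row in the output names the full key path and value that changed, with its data before and after, which is exactly what the CI setting in the next steps needs. If a toggle produces no rows, the application is writing somewhere you are not watching (or only in memory until it exits); widen the list of paths and try again.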
Under the console's Assets and Compliance node, click Compliance Settings. There you'll find nodes for configuration baselines and configuration items (CIs). A baseline is a container: it holds CIs, and can hold other baselines as well. Start by creating a baseline. In this case, I've titled mine simply "Adobe Reader X" (see Figure 1). That gives me the freedom to add further Reader settings to the same baseline later.
Figure 1 You can configure baselines, and use them for future configurations.
After creating that baseline, create a CI that specifies the registry key and value you want to evaluate. Give the CI a name and choose Windows as the type of CI you want to create. Then check the box indicating that this CI contains application settings (see Figure 2). You can also assign a category if you wish.
Figure 2 Working with the configuration items lets you specify a variety of settings.
CIs in Configuration Manager 2012 can use details from an application's Windows Installer (MSI) package or a custom script to detect whether the application is installed (see Figure 3). This detection method ensures the CI is only evaluated on computers where the application is present. It's generally a good idea to make sure compliance figures aren't skewed by computers that don't have the application installed, and, where remediation is on, that you aren't planting registry values on machines that have no use for them.
Figure 3 The configuration items can check on the application installation status.
You should be aware that the Windows Installer detection data (product code and version) is read from the original MSI used to install the application, not from the installed application itself. Some installers wrap their MSI inside an EXE, so you first need to "unpack" the MSI. A common trick is to launch the installer but not proceed with the installation, then navigate to the computer's %Temp% folder. You'll often find the extracted MSI in the root or in a subfolder of %Temp%.
Armed with the necessary detection information, click Next. The wizard’s third screen specifies the application settings. Click New to create a new Setting that corresponds to the application. There are 10 setting types available: Active Directory query, assembly, file system, IIS metabase, registry key, registry value, script, SQL query, Windows Management Instrumentation (WMI) Query Language (WQL) query and XPath query.
Solving this problem requires verifying that a DWORD registry value is set correctly and, if it isn't, remediating it to the correct value. Do this by selecting Registry value as the Setting type and Integer as the Data type. Click the Browse button to locate the correct registry key and value (see Figure 4). When browsing from a 64-bit console to a 32-bit application's key, pay attention to the setting's option for values associated with a 64-bit application: it decides whether the client looks in the native or the Wow6432Node view, and getting it wrong produces a CI that reports every machine as noncompliant because it is reading a key that isn't there.
Figure 4 You’ll need to find the correct registry key and value.
Creating the setting is only half the job: the setting says where to look, and the Compliance Rules tab says what must be found there. Create a rule requiring the value returned by the registry setting to equal 0; this produces the rule for Adobe Reader X shown in Figure 5. Check the Remediate noncompliant rules when supported box so the client rewrites the value whenever it finds it set to anything else.
Figure 5 These steps create a rule for Adobe Reader X.
Click through the rest of the wizard to specify the applicable OSes where the rule will be evaluated. Then create the CI and add it to the baseline. You can right-click the baseline and select Show Members to verify this CI has been associated with the baseline.
Baselines in Configuration Manager 2012 must be deployed to a Collection if they’re to be evaluated. Right-click the baseline and select Deploy to launch the Deploy Configuration Baselines wizard (see Figure 6). You’ll need to identify the baseline to be deployed along with a collection to evaluate against.
Figure 6 You can deploy your baseline once it’s complete.
Check the Remediate noncompliant rules when supported box here as well; remediation happens only when it is enabled both on the rule and on the deployment. Set a schedule and decide whether to generate alerts to complete the deployment. Baselines are evaluated every seven days by default, and you can change the schedule to fit your needs.
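The registry-value setting above needs no code. The Script setting type from the same list does, and it is the one that generalizes: anything PowerShell can read can be evaluated, and anything it can write can be remediated. As an added example that is not the article's or Microsoft's code, here is the same Adobe Reader X control built as a script setting, going a step beyond the article by handling both the 64-bit (Wow6432Node) and 32-bit key locations in one CI. The value name and its meaning (iCheck, 0 = updater off) are taken from the article; the -1 sentinel and the path list are my assumptions. In the console, the first part is pasted into the setting's Discovery script box and the second into its Remediation script box; the setting's data type is Integer and the compliance rule is that the value returned by the script equals 0, with remediation enabled on both the rule and the deployment.

```powershell
# Added example, not from the original article. Two separate scripts for a
# ConfigMgr 2012 configuration item of setting type "Script"; each is pasted
# into its own box in the console and runs on the client on its own.

# ---- Discovery script (setting data type: Integer) ----------------------
# Writes the effective iCheck value to standard output; that output is what
# the compliance rule compares. Both key locations are checked so the result
# does not depend on whether the client runs the script from a 32- or 64-bit
# host or on which Windows architecture the machine has.
$paths = @(
    'HKLM:\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\1.0\ARM',   # 64-bit Windows
    'HKLM:\SOFTWARE\Adobe\Adobe ARM\1.0\ARM'                # 32-bit Windows
)
$found = @()
foreach ($p in $paths) {
    # SilentlyContinue: a missing key or a missing value both yield $null.
    $item = Get-ItemProperty -Path $p -Name iCheck -ErrorAction SilentlyContinue
    if ($item -ne $null) { $found += [int]$item.iCheck }
}
if ($found.Count -eq 0) {
    # -1 (assumed sentinel) = no iCheck value anywhere. With the MSI detection
    # method in place this should not happen; if it does, it shows up as
    # noncompliant rather than being silently counted as compliant.
    Write-Output -1
} else {
    # Compliant only when every copy of the value is 0; otherwise report the
    # first offending value so it appears in the compliance report.
    $bad = @($found | Where-Object { $_ -ne 0 })
    if ($bad.Count -gt 0) { Write-Output $bad[0] } else { Write-Output 0 }
}

# ---- Remediation script -------------------------------------------------
# Runs only when the rule above is not met. Rewrites every copy of the value
# that exists on this machine; keys that are absent are left alone so the
# script never creates an Adobe key on a computer that has no Reader.
$paths = @(
    'HKLM:\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\1.0\ARM',
    'HKLM:\SOFTWARE\Adobe\Adobe ARM\1.0\ARM'
)
foreach ($p in $paths) {
    if (Test-Path $p) {
        # -Type DWord writes a REG_DWORD, creating the value if it is missing
        # and overwriting it if it is present with the wrong data.
        Set-ItemProperty -Path $p -Name iCheck -Value 0 -Type DWord
    }
}
```

Two cautions before deploying a script setting. First, by default the client runs these scripts as Local System on every computer in the target collection, so the right to author a CI and deploy a baseline is, in effect, the right to run code as SYSTEM across the estate; guard it as you would the right to edit a GPO. Second, the client's PowerShell execution policy must allow the script to run; either sign the scripts or confirm the policy in the client settings before wondering why every machine reports an error instead of a value.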
While Configuration Manager configuration baselines don't provide the same "preferences" experience as GPPs, they're a useful solution for settings that require absolute compliance. With a fully functional Configuration Manager 2012 infrastructure in place, they're about as easy to set up as GPPs. Best of all, they sit outside the sphere of "Group Policy as a function of Active Directory" that unfortunately limits their use for so many desktop admins.