Tuesday, December 16, 2008

DCM How to Remediate Non-Compliant Computers Using Software Distribution

You can use the compliance results from a Configuration Manager 2007 configuration item or configuration baseline to dynamically populate a collection with computers that report a specific compliance state or a specific non-compliance severity level.

You can then use Configuration Manager 2007 software distribution to assign a package or script to this collection which could, for example, either remediate the non-compliance condition or send a notification to an administrator that this condition requires attention.

For example, an application configuration item that checks for a specific version of Microsoft Office could be configured to report as non-compliant if the version number is not your standard release version. The configuration item could additionally be configured to report a specific non-compliance level such as Error in this case. If you create a collection that dynamically populates with computers that report a non-compliance severity level of Error for this application item, you can then assign to that collection a software distribution package to install the correct version of Office. When the application configuration item is next assessed for compliance, the client computer will report a compliance status and the computer will be dynamically removed from the collection.

The query you use to specify the collection membership defines the non-compliance severity level as a number. These non-compliance severity levels map to the following numbers in the query:

Non-Compliance Severity Level              Number Mapping
Information - no Windows event messages    1
Information                                2
Warning                                    3
Error                                      4

You can build your collection query based on the non-compliance severity level of a configuration item or a configuration baseline.

You will need to specify the unique ID associated with the configuration item or configuration baseline, in addition to the display name. You can find the unique ID values by adding the column CI Unique ID to the display columns on the home pages for the Configuration Baselines node or the Configuration Items node. For more information, follow the procedure in How to Distinguish Configuration Data with the Same Name in Desired Configuration Management.

You can use the query builder to create your collection query, or you can use the query example in the following procedures.

After using these procedures, perform the following steps:

  • Ensure that you have created a Configuration Manager 2007 package containing software or scripts to remediate the non-compliant configuration item or configuration baseline.

  • Create a mandatory advertisement using standard software distribution methods to distribute this package to computers in the collection that you have created.

To remediate non-compliant computers by compliance state using software distribution

  1. Copy the following query and paste it into a text editor, such as Notepad:

    select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
        SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
    from SMS_R_System
    inner join SMS_G_System_CI_ComplianceState
        on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_CI_ComplianceState.ComplianceStateName = "<ComplianceState>"
        and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "<BaselineName>"
        and SMS_G_System_CI_ComplianceState.CI_UniqueID = "<CI Unique ID>"

  2. In the query, change <ComplianceState> to the compliance state of the configuration item or configuration baseline. This can be one of the following:

    • compliant

    • non-compliant

  3. In the query, change <BaselineName> to the name of the configuration baseline or the configuration item as it appears in the Configuration Manager console.

  4. In the query, change <CI Unique ID> to the unique ID associated with the configuration item or configuration baseline.

  5. Create the collection by right-clicking the Collections node and then selecting New Collection to launch the New Collection Wizard.

  6. On the General page, specify the collection name and, optionally, specify a description.

  7. On the Membership Rules page, click the second Membership rules icon to display the Query Rules Properties dialog box.

  8. Ensure System Resource is selected as the Resource class, and then click Edit Query Statement.

  9. In the Query Statement Properties dialog box, click Show Query Language.

  10. In the Query Statement Properties dialog box, paste the modified query into the Query Statement edit box.

  11. Click OK to save the query and close the Query Statement Properties dialog box.

  12. In the Query Rule Properties dialog box, optionally select Limit to collection, and then click OK.

  13. On the Membership Rules page of the New Collection Wizard, optionally click Schedule if you want to define a collection membership update schedule that is shorter than the default of every day.

  14. If you are defining an alternative schedule, specify your alternative in the Custom Schedule dialog box, and then click OK.

  15. Complete the wizard.

To remediate non-compliant computers by non-compliance severity using software distribution

  1. Copy the following query and paste it into a text editor, such as Notepad:

    select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
        SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
    from SMS_R_System
    inner join SMS_G_System_CI_ComplianceState
        on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_CI_ComplianceState.ComplianceStateName = "non-compliant"
        and SMS_G_System_CI_ComplianceState.MaxNoncomplianceCriticality = "<Severity>"
        and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "<BaselineName>"
        and SMS_G_System_CI_ComplianceState.CI_UniqueID = "<CI Unique ID>"

  2. In the query, change <Severity> to the non-compliance severity level of the configuration item or configuration baseline. This can be one of the following:

    • 1 (Information - no Windows event messages)

    • 2 (Information)

    • 3 (Warning)

    • 4 (Error)

  3. In the query, change <BaselineName> to the name of the configuration baseline or the configuration item as it appears in the Configuration Manager console.

  4. In the query, change <CI Unique ID> to the unique ID associated with the configuration item or configuration baseline.

  5. Create the collection by right-clicking the Collections node and then selecting New Collection to launch the New Collection Wizard.

  6. On the General page, specify the collection name and, optionally, specify a description.

  7. On the Membership Rules page, click the second Membership rules icon to display the Query Rules Properties dialog box.

  8. Ensure System Resource is selected as the Resource class, and then click Edit Query Statement.

  9. In the Query Statement Properties dialog box, click Show Query Language.

  10. In the Query Statement Properties dialog box, paste the modified query into the Query Statement edit box.

  11. Click OK to save the query and close the Query Statement Properties dialog box.

  12. In the Query Rule Properties dialog box, optionally select Limit to collection, and then click OK.

  13. On the Membership Rules page of the New Collection Wizard, optionally click Schedule if you want to define a collection membership update schedule that is shorter than the default of every day.

  14. If you are defining an alternative schedule, specify your alternative in the Custom Schedule dialog box, and then click OK.

  15. Complete the wizard.
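The two collection queries above are easy to get subtly wrong when the placeholders are filled in by hand (an unquoted state, a severity name instead of its number, a display name containing a double quote). The following PowerShell is an added example, not part of the original article: it builds either query from validated inputs using the severity-to-number mapping in the table above, and previews the resulting membership read-only through the SMS Provider before you attach a mandatory advertisement to the collection. The site code, provider server and CI Unique ID values are placeholders you must replace.

```powershell
# Added example: build the DCM collection queries from this page with validated
# placeholder values. Severity names map to the numbers the query expects.
$SeverityMap = @{
    'Information - no Windows event messages' = 1
    'Information'                             = 2
    'Warning'                                 = 3
    'Error'                                   = 4
}

function New-DcmCollectionQuery {
    param(
        [Parameter(Mandatory)] [string] $BaselineName,   # display name in the console
        [Parameter(Mandatory)] [string] $CIUniqueID,     # CI Unique ID column value
        [ValidateSet('compliant', 'non-compliant')] [string] $ComplianceState = 'non-compliant',
        [ValidateSet('Information - no Windows event messages', 'Information', 'Warning', 'Error')]
        [string] $Severity                                # if given, the second (severity) query is built
    )
    # WQL literals are double-quoted and use backslash as the escape character,
    # so escape backslashes and quotes to keep a name from breaking out of the literal.
    $esc = { param($s) ($s -replace '\\', '\\') -replace '"', '\"' }

    $select = 'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
              'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client ' +
              'from SMS_R_System inner join SMS_G_System_CI_ComplianceState ' +
              'on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId '
    if ($Severity) {
        # Severity is only meaningful for non-compliant computers, as in the second procedure.
        $where = 'where SMS_G_System_CI_ComplianceState.ComplianceStateName = "non-compliant" ' +
                 ('and SMS_G_System_CI_ComplianceState.MaxNoncomplianceCriticality = "{0}"' -f $SeverityMap[$Severity])
    } else {
        $where = 'where SMS_G_System_CI_ComplianceState.ComplianceStateName = "{0}"' -f $ComplianceState
    }
    $where += ' and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "{0}"' -f (& $esc $BaselineName)
    $where += ' and SMS_G_System_CI_ComplianceState.CI_UniqueID = "{0}"' -f (& $esc $CIUniqueID)
    return $select + $where
}

function Get-DcmQueryPreview {
    # Read-only preview of the same WQL the collection rule will evaluate, run
    # against the SMS Provider namespace root\sms\site_<SiteCode>.
    param([Parameter(Mandatory)] [string] $Query,
          [Parameter(Mandatory)] [string] $SiteCode,
          [string] $ProviderServer = $env:COMPUTERNAME)
    Get-WmiObject -ComputerName $ProviderServer -Namespace "root\sms\site_$SiteCode" -Query $Query |
        ForEach-Object { $_.SMS_R_System.Name }   # joined results expose each class as a property
}

# Usage (placeholders): build the severity query for Error-level Office non-compliance.
$q = New-DcmCollectionQuery -BaselineName 'Office Standard Build' -CIUniqueID '<CI Unique ID>' -Severity 'Error'
# Get-DcmQueryPreview -Query $q -SiteCode 'PRI' -ProviderServer 'SMSPROVIDER01'
```

Paste the string in $q into the Query Statement edit box at step 10 of the procedure; the preview lists the computers that would receive the mandatory advertisement so you can confirm the membership before the package runs.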
