Must be the summer of System Center 2012 Configuration Manager, few days ago the System Center 2012 Configuration Manager Configuration Pack was released.

The pack checks the Software Update Point and Management Point roles, Site Servers and WSUS Configuration settings. The Pack will only return compliance on Roles that are installed, essentially a script is used for the DCM Configuration Items Detection Methods which senses the presence of the role and avoids running the Item if the role isn’t installed.

Installing the pack is a breeze, we’re essentially going to let the installer place a CAB into a folder on the Site server which we can then import via the ConfigMgr Console to produce a Baseline and a bunch of Configuration Items, which just leaves us to deploy the Baseline to a collection.

Start by launching the installer

image

Next

image

Next

image

Note and accept the default path unless this really means something to you

select Next

image

Select Next

image

Select Close

Open the ConfigMgr 2012 Console, navigate to Assets and Compliance, expand Compliance Settings and select Configuration Baselines

Select Import Configuration Data on the Ribbon

image

Select Add and navigate to the System Center 2012 Configuration Manager Configuration Pack installation folder

Select Next

image

the Wizard lists the Baselines and Items

Select Next

image

Select Close

Back to the ConfigMgr 2012 Console, navigate to Assets and Compliance, expand Compliance Settings and select Configuration Items

image

We get four Items

Microsoft System Center 2012 Configuration Manager Software Update Point

Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Microsoft System Center 2012 Configuration Manager Management Point

Microsoft System Center 2012 Configuration Manager Site Server

Select Configuration Baselines

image

We see one Baseline

Microsoft System Center 2012 Configuration Manager Server Roles

This baseline needs to be assigned to a Collection. I’ve already created a Collection and selected Deploy on the Ribbon

image

Notice the Remediate noncompliant rules when supported, very handy feature!

Select OK

Now visit one of your Site servers that is present in the Collection you chose when deploying the baseline, open the ConfigMgr Client applet in the Control Panel

image

Select the Actions Tab and Select Machine Policy Retrieval & Evaluation Cycle to contact the Management Point for new policy representing the System Center 2012 Configuration Manager Configuration Pack’s Baselines and Configuration Items

image

If you open the Policy Evaluator log on the Site server you chose, then you’ll see the Client receive new policy and apply it

This is the DCM Baseline and its Configuration Items being processed

image

Nip back to the ConfigMgr Client applet and select the Configurations Tab, you’ll see the baseline ready for evaluation

Wait for evaluation to take place, fall asleep, or click Evaluate to speed things up

image

Non-Compliant, something in the Baseline returned a non-compliant status

Click View Report

image

Spells it out pretty much, one of the Rules in a Configuration Item returned a non-compliant status. The rule for Big Green Button failed, BGB is there for System Center Endpoint Protection 2010, so that the Site server can reach out to Clients and force a definition update within minutes rather than on schedule. Bit light on documentation for this feature at present Smile

If we chase down the error we get to see some interesting stuff about the Configuration Item that failed the compliance evaluation, so, return to the ConfigMgr Console and bring up Configuration Items

image

Select the Properties of the Management Point Configuration Item

image

Select the BGB firewall port is open rule and Select Edit

image

Select Properties

image

As you can see above, there is no remediation script for this rule but it does have a discovery script which is used to figure out the BGB firewall rule response value

In the Discovery section Select Edit Script

image

In the script above we get to see the value this rule will return based on those script functions as Port Open or Port Closed

Click Cancel and return to the Rule list

image

The condition for BGFB firewall port is open Rule is Equals Port Open

The rules in each of the Configuration Items are full of ideas that you can reuse, sure is worth taking a look over them.

Download here: http://www.microsoft.com/en-us/download/details.aspx?id=30710