Sherry:
That makes a lot of sense, thank you very much. I’ve created a
new version of our CI to test for VMware Tools using the VBScript, and I also
created a slightly modified version of the script that does the exact opposite
(AKA returns something if the machine is physical, else does nothing) that I can use
for some of the things that only need to be applied to physical servers.
Thanks again so much.
Ryan
From: [email protected] [mailto:[email protected]] On
Behalf Of Sherry Kissinger
Sent: Thursday, February 5, 2015 11:13 AM
To: [email protected]
Subject: Re: [mssms] Compliance details for a configuration baseline report in
SCCM 2012R2
See, I would approach that slightly differently. For that 1 rule (or 10, or
whatever you have), for a CI which is only applicable if the target is a
Virtual Machine, I'd re-do that CI as an "application" type CI (check the box
when creating the CI).
For Applicability, make the detection logic be a custom script, for example,
here would be a vbscript way to detect if the target is virtual:
On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Returns a row only when the model string contains "virtual"
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem where model like '%virtual%'",,48)
For Each objItem in colItems
    ' Any echoed output marks the CI as applicable
    wscript.echo objItem.Model
Next
If all your targets have powershell, you could use a posh script instead of a
vbscript. A box will "pass" the applicability script if anything at all is
echo'd out. If nothing is echo'd, it's not applicable.
We've got hyperv, VMware, and even a few parallels and sunvm in our
environment, and that catches them all. If you want to ONLY get VMware, then
you'd use model = 'VMware Virtual Platform' instead of the like '%virtual%'
Add your settings, etc. as normal. And here's the trick: when you add that
Application CI to your Baseline, after adding it, it will be listed as
"required". Highlight and change it from 'required' to 'optional'.
So what will happen is for that Baseline, target to every server regardless of
physical or virtual, the physical boxes will determine it's not applicable, AND
it's optional, so they'll be compliant about it. And the Virtual boxes will
see it as applicable, and go on to test what's inside the CI.
That way... One Baseline; easy peasy.
I do that type of thing for all kinds of things--like "only care if you happen
to have IIS installed" or "only care if you have SQL 2014 Enterprise", or "only
bother if you have WSUS feature installed". So I can target one baseline to
all our infrastructure servers, but only test the iis stuff if they have iis,
only check the SQL stuff if you have sql, etc. etc.
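A PowerShell version of the applicability script described in the message above, as an added example that is not part of the original email. It also covers the inverse (physical-only) variant mentioned in the reply, and it fails loudly instead of going silent when WMI cannot be queried, because "no output" on an optional CI reads as compliant. Assumptions: PowerShell 3.0 or later (for Get-CimInstance), that the client treats a non-zero exit code as a script failure rather than "not applicable", and the variable and function names, which are illustrative.

```powershell
# Added example: applicability script for an application-type CI.
# Contract from the thread: any output = applicable, no output = not applicable.

# Edit these two values before pasting the script into the CI.
$Target       = 'Virtual'      # 'Virtual' = applicable on VMs; 'Physical' = the inverse
$ModelPattern = '*virtual*'    # same match as the VBScript's: model like '%virtual%'

function Test-ModelIsVirtual {
    param([string]$Model, [string]$Pattern)
    # -like is case-insensitive, matching the WQL LIKE behaviour
    return ($Model -like $Pattern)
}

try {
    # -ErrorAction Stop turns a WMI/CIM failure into a catchable error
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
}
catch {
    # With "On Error Resume Next" a failed query just produces no output,
    # which an optional CI reports as compliant. Surface the failure instead.
    Write-Error "Win32_ComputerSystem query failed: $_"
    exit 1   # assumption: non-zero exit is reported as an error, not "not applicable"
}

$isVirtual = Test-ModelIsVirtual -Model $cs.Model -Pattern $ModelPattern

# Emit output only when the machine type matches the requested target.
if ($isVirtual -eq ($Target -eq 'Virtual')) {
    # Fixed prefix so the output is never an empty string, even if Model is blank.
    Write-Output "$Target ($($cs.Model))"
}
exit 0
```

To match only VMware guests, as the message suggests, set `$ModelPattern` to `'VMware Virtual Platform'`.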
On Thursday, February 5, 2015 10:40 AM, Ryan Shugart <[email protected]> wrote:
Boring, huh. (smile)
What I’m doing is running a bunch of CIs against all our servers
to do things like see if RDP is turned on, if AV is installed, etc. I have two
different baselines because for our virtual machines, one of the things I need
to report on is if VMware Tools is installed on the VM. If it’s not installed
on the machine and the machine’s in the virtual machine’s collection that’s a
problem, but if the machine is physical, well that’s obviously a good thing and
I don’t want that CI in noncompliance. So I just have two different baselines,
one pointed at a collection of physical systems, one pointed at a collection of
virtual systems. Most of the CIs in there are the same. So, if the report is
smart enough to see that the machine is in the collection of physical servers,
and doesn’t have the baseline with the VMware Tools CI assigned to it, then
that will solve my problem.
Ryan
From: [email protected] [mailto:[email protected]] On
Behalf Of Sherry Kissinger
Sent: Thursday, February 5, 2015 9:06 AM
To: [email protected]
Subject: Re: [mssms] Compliance details for a configuration baseline report in
SCCM 2012R2
Baseline? You never said you wanted to limit it to a baseline. It's any CI
that is applicable or detected, regardless of what baseline that CI might be
in. :)
If you want to limit it to a baseline, (how boring, limits) then I'd suggest
using vSMS_BaselineAssignment.assignmentName
ba.assignmentName = 'long and obnoxious name that's sorta comprehensible'
On Thursday, February 5, 2015 9:55 AM, Ryan Shugart <[email protected]> wrote:
Thanks a lot Sherry, this looks like it will fit the bill. When I run the
report will it prompt for the baseline I want it to pull the CIs from or is
there a place in the report I need to fill that in?
Ryan
From: [email protected] [mailto:[email protected]] On
Behalf Of Sherry Kissinger
Sent: Wednesday, February 4, 2015 3:37 PM
To: [email protected]
Subject: Re: [mssms] Compliance details for a configuration baseline report in
SCCM 2012R2
I happened to have this saved for some reason. Might be close to what you
mean. If you want per-computer, uncomment that line and fill in that prompt;
if you mean per-collection, uncomment the fcm line and fill in the
collectionid. It is 'hard coded' to 1033 English. If you happen to be
elsewhere/different language, you may want to change that. I was just cheating
and making it simple for me.
select fcm.name, ba.assignmentName, lcb.IsAssigned
  ,CASE WHEN cs.ComplianceState = 1 then 'Compliant'
        when cs.ComplianceState = 2 then 'Non-Compliant'
        when cs.ComplianceState = 4 then 'Failure' end as 'TextComplianceState'
  ,cs.IsEnforced, cs.ComplianceValidationRuleFailures, cs.errorCount
  ,cs.ConflictCount, cs.LastComplianceMessageTime, cs.LastEnforcementMessageTime
  ,ciinfo.DisplayName, ciinfo.description
from vSMS_BaselineAssignment ba
join v_fullcollectionmembership fcm on fcm.collectionid=ba.collectionid
join fn_ListconfigurationBaselineInfo(1033) lcb on lcb.CI_UniqueID=ba.AssignedCI_UniqueID
join vSMS_CombinedconfigurationItemRelations cir on cir.FromCI_ID=lcb.CI_ID
join v_ConfigurationItems ci on ci.ci_id=cir.TOCI_ID
join dbo.v_CICurrentComplianceStatus cs with(NOLOCK) on cs.CI_ID=ci.ci_ID
  and cs.Resourceid=fcm.resourceid
join fn_ListCIs(1033) ciinfo on ciinfo.ci_id=cs.ci_id
where
--fcm.name = @ComputerName and --If you want per-computer, uncomment this
--fcm.collectionid = @CollectionID and --if you want for a specific collection, uncomment and fill this in instead of the per-computer above.
cs.isapplicable=1 and cs.isdetected=1
order by fcm.name
On Wednesday, February 4, 2015 3:30 PM, Ryan Shugart <[email protected]> wrote:
Hi:
Is there an equivalent to the “Compliance details for a configuration
baseline” (report ID 309) report in SCCM 2012R2? I’m looking for a report that
shows me compliance for each configuration item for each device in a
collection, and I can find ones that summarize this info but not one that goes
through item by item, device by device like that one did.
Thanks.
Ryan
Ryan Shugart
LAN Administrator
MiTek USA, MiTek Denver
314-851-7414