SCCM 2012 – Compliance Settings, really?

Hey, Martin here. Have you ever come to the point where you had to implement compliance settings in System Center 2012 Configuration Manager (the artist formerly known as “Desired Configuration Management”)?
And did you also wonder how to get all of those compliance settings? Microsoft publishes the so-called “Security Compliance Manager”, which will help us achieve our goal!
Well, what do you need?
- Microsoft Security Compliance Manager (http://technet.microsoft.com/en-us/library/cc677002.aspx)
- SQL Server (otherwise the installer will put SQL Express 2008 on your machine; check whether your OS is supported, Windows 8.1 isn’t 🙂 )

And… that’s it. Let’s start. I have already installed it into an existing SQL instance; during the installation, a new database called XTrans is created:
Compliance Database
After a successful installation you can start the “Security Compliance Manager” (SCM). The program starts and you can select the appropriate options:
SCM Startup
In this example, I will use the Windows Server 2012 Hyper-V Security template as the baseline, because the virtualization layer is a good point to start with compliance, since it hosts our environment. So click on Windows Server 2012 to open the tree, and select “WS2012 Hyper-V Security”:
Hyper-V Compliance Settings 01
Your focus should now change to the middle of the console, where you already get 203 settings to use. You can decide to use this set as it is and export it for use in SCCM; in that case, scroll down a little to where the export is explained. Otherwise, if you decide to use SCM as the single point of management, which would be a good option, you have to duplicate the baseline:
Duplicate Baseline
After giving it a unique name and an excellent description, click on Save and you can use your custom baseline:
Custom Baseline
Now you are able to change any settings, and also to add more settings or delete some:
Compliance Settings Add
In this example, I only set the Print Spooler to “Disabled”, and set the severity to “Important”:
Disable Print Spooler
I also add a setting to the baseline, but first I create a new setting group, which I will name General:
Add Setting Group
When you click on “Add” on the right side of the console under “Setting”, the “Add Settings” wizard appears; here I can add more settings to my baseline. The GUI is not very good, which is why I would point out that there are 22 pages for Windows Server 2012 (you might want to use the filter search). I choose not to require Ctrl-Alt-Del to log on interactively:
Add Setting
Click on “Add” to finish the wizard. Afterwards you can change the behaviour of the added setting. I changed the value to Enabled and the severity to Optional:
Add compliance setting
You can add more and more settings to your baseline if you want. For this example, I have changed and added enough; now I will export the baseline and import it into SCCM.

Here comes the export of the baseline. Be sure that you have selected your custom baseline in the tree on the left side of the console. Then click on “SCCM DCM 2007 (.cab)” under Export. Even if you are using SCCM 2012, it will definitely work:
Export Baseline
In the SCCM 2012 console, you can now import your designed baseline. Go to “Assets and Compliance” > “Compliance Settings” > “Configuration Baselines”; a right-click opens the menu, where you can select “Import Configuration Data”:
SCCM Baseline Import
Click on “Add” and select your exported baseline from SCM. Because your cab file is not digitally signed, a warning will be shown. The wizard should look like this:
Import Baseline SCCM
In the summary you can recognize your setting groups:
Import Summary
If everything was imported, you will see the success status:
Successful Import
After finishing the wizard, you can modify the settings again, or set remediation. Remember to document any changes made in SCCM when using DCM as the single point of management. Then you can deploy your baseline like any baseline created before.
SCM allows you to control your settings in an easy way, and to publish them to different systems (Group Policy, SCCM, Excel).
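
Before deploying, you can spot-check on a Hyper-V host the two settings changed in this walkthrough. The script below is an added example, not part of the original post or of SCM/SCCM. It assumes the Print Spooler setting maps to the `Spooler` service start mode and the Ctrl-Alt-Del setting to the `DisableCAD` registry value; the function name is hypothetical.

```powershell
# Added example: local spot-check of the two settings changed in the custom baseline.
# Assumptions (not from the original post): service name 'Spooler' and registry value
# 'DisableCAD' under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
function Test-CustomBaselineSetting {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $results = @()

    # Setting 1: Print Spooler set to "Disabled" (severity "Important" in the baseline).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                           -ErrorAction SilentlyContinue
    $actual = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
    $results += [pscustomobject]@{
        Setting   = 'Print Spooler start mode'
        Severity  = 'Important'
        Expected  = 'Disabled'
        Actual    = $actual
        Compliant = ($actual -eq 'Disabled')
    }

    # Setting 2: "Do not require Ctrl-Alt-Del" set to Enabled (severity "Optional").
    # Enabled is stored as DisableCAD = 1; a missing value means "not configured".
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name 'DisableCAD' -ErrorAction SilentlyContinue
    $actual = if ($prop) { [string]$prop.DisableCAD } else { 'NotConfigured' }
    $results += [pscustomobject]@{
        Setting   = 'Interactive logon: do not require Ctrl-Alt-Del'
        Severity  = 'Optional'
        Expected  = '1'
        Actual    = $actual
        Compliant = ($actual -eq '1')
    }

    return $results
}

# Show one row per setting; any row with Compliant = False is what the
# deployed baseline would be expected to report for this host.
Test-CustomBaselineSetting | Format-Table -AutoSize
```

Run it in an elevated PowerShell 3.0 or later session on the host itself; it only reads state and changes nothing.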
