Using SCCM DCM Feature to monitor GPO application in the environment

The Issue

A common issue that keeps coming up across customer sites is the application of Group Policies on machines.

By default, when a GPO is created and linked, it should apply to all the machines it was linked to, and in most cases this works well. However, how do you know when this is not happening?

There may be multiple reasons why GPOs are not applying, whether it be a corrupt policy cache or a timeout when downloading the policy over slower links, for instance. In most larger environments you do not have an easy way to check the application of policies across your entire estate, and manually going to machines and running GPResult /h is not feasible.

This is where we can start using the DCM feature of SCCM to help you.

Desired Configuration Management (DCM) in SCCM is a mechanism where we deploy Configuration Baselines that are made up of Configuration Items (CIs).

You can read more about the topic here

Configuration items define a discrete unit of configuration to assess for compliance. They can contain one or more elements and their validation criteria, and they typically define a unit of configuration that you want to monitor at the level of independent change.

Configuration baselines contain one or more configuration items with associated rules, and they are assigned to computers through collections, together with a compliance evaluation schedule.

Now how does this apply to our topic above? Well, that is essentially what a GPO is as well: a list of defined settings that are bundled together and deployed to be enforced on machines.

So let us start putting all of this together below:

We need a combination of 3 different tools here.

  1. System Center Configuration Manager
  2. Backup of your GPO that you want to measure\remediate against
  3. Microsoft Security Compliance Manager (For converting GPO backups\baselines to files) can be downloaded from here

Process flow will be as follows:

  1. Either import a GPO backup or use a Security Baseline in Security Compliance Manager
  2. Modify the baseline to include the settings you want; otherwise export the GPO\baseline as is to SCCM DCM 2007 format
  3. Import the CAB file into SCCM
  4. Deploy the Baseline (with or without remediation settings as per below)

Pre-export step of modified Baseline\GPO

The baseline has now been exported; select the name and location, then select Save

Open SCCM – Navigate to Assets and Compliance – Compliance Settings and start the importation steps

Select the Import Configuration Data
Select the Baseline, select Open
Select to Accept the baseline that is being Imported
Review the CI’s being created as part of Baseline

The Baseline is now successfully imported, and I can proceed to review the individual CIs.

I can choose to simply deploy the Baseline (as per below)

Deploying without remediating (for simply seeing which machines are NOT compliant, and reporting on what the non-compliant issues are)

We are not remediating at this point, but do want an alert if compliance falls below 90% successful, and want the evaluation to run every 1 hour

The Baseline has run and reported a failure. The report below has been filtered to show one setting in particular for ease of demo

This is as far as the default DCM functionality goes: it reports on the non-compliance for you.

You can either use this to see where you have configuration drift in your organization and target the machines for manual intervention or, if you are feeling up to it, you can edit the individual CIs and add a remediation script for each setting (PowerShell, VBScript etc.)

Just a note though: DCM can remediate registry entries for you automatically, so if you have a CI that is calling for a specific setting, “RDP is enabled = 0” for instance, you will see the option on the CI to “Remediate non-compliant rules when supported”

I would highly recommend that this is set up and used for your critical GPOs (Members of Local Admin Groups, or your different security policies), to make sure that you are getting the coverage of the GPOs that you want.
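
Local Administrators membership is not a single registry value, so a CI that covers it needs a script-based setting like the ones mentioned above. The PowerShell discovery script below is an added example, not taken from the original post or from an exported baseline; the names in $AllowedNames are constructed placeholders, and it assumes the CI's compliance rule is "value equals Compliant" with no remediation script attached.

```powershell
# Discovery script for a script-based CI setting (added example, report-only).
# Assumption: the GPO under test restricts the local Administrators group.
# The names in $AllowedNames are constructed placeholders; replace them with
# the principals your GPO actually defines.
$AllowedNames = @(
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Workstation-Admins'
)

function Test-AdminGroupMembership {
    param(
        [string[]]$Allowed,
        [object[]]$Members      # objects exposing .Name, .SID, .PrincipalSource
    )
    $unexpected = @(foreach ($m in $Members) {
        # Assumption: the machine's own built-in Administrator (local account,
        # RID 500) is expected, so it is not reported as drift.
        $isBuiltinAdmin = ("$($m.PrincipalSource)" -eq 'Local') -and
                          ("$($m.SID)" -match '^S-1-5-21-[\d-]+-500$')
        if (-not $isBuiltinAdmin -and $Allowed -notcontains $m.Name) { $m.Name }
    })
    # An allowed principal that is absent suggests the GPO did not apply.
    $missing = @($Allowed | Where-Object { $Members.Name -notcontains $_ })

    if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) { return 'Compliant' }
    return 'NonCompliant; unexpected=[{0}]; missing=[{1}]' -f ($unexpected -join ', '),
        ($missing -join ', ')
}

try {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, which
    # avoids depending on the localised group name.
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
    # The string written to the output stream is the value DCM evaluates.
    Test-AdminGroupMembership -Allowed $AllowedNames -Members $members
}
catch {
    # Enumeration failures (for example orphaned SIDs left in the group) are
    # returned as a non-compliant value instead of silently passing.
    "Error: $($_.Exception.Message)"
}
```

Because the returned string names the unexpected and missing principals, the compliance report shows what drifted on each machine without a visit to run GPResult /h.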