Authoring a DCM Configuration Item to Identify and Fix Non-compliant Systems

Sometimes administrators need to find systems that have an undesirable file and delete it.  A system with this file is not considered compliant with the organization’s policies.  One way to tackle this problem is to use Desired Configuration Management (DCM) in System Center Configuration Manager (SCCM) 2007.  This article explains how to author a DCM Configuration Item (CI) and Configuration Baseline to identify systems with the file, and how to use SCCM software distribution to delete the file automatically.

Creating a Configuration Item

In this example the undesirable file is redFlag.txt in the root of drive c:.  The first step is to create a DCM configuration item to detect the file.  Right-click on Configuration Items, select New and click on General Configuration Item.

In the Identification page of the wizard, provide a descriptive name and click on Next.

In the Objects page of the wizard, click on New and then click on File or Folder as illustrated below.

The New File or Folder Properties will open.  Enter the information for the file in the General tab as illustrated below.

Click on the Validation tab and configure it with the following settings.  The rule reports non-compliance when the check “instance count is less than 1” fails (meaning there’s one or more of this file).

Click on OK to close the New File or Folder Properties window and then click on Next to continue with the Configuration Item wizard.

Click on Next on the Settings page.   Then, click on Next to accept the default settings in the Applicability page.  Click on Next and Close twice to finish the wizard.  Now our Configuration Item has been created.

Adding Configuration Item to a Baseline

To add our Configuration Item to a new Baseline, right-click on Configuration Baselines and select New Configuration Baseline.

Give a name to the baseline and click on Next.

In the Set Configuration Baseline Rules page, select “These applications and general configuration items are required and must be properly configured:” as illustrated below.

Select our Configuration Item and click on OK.

Click on Next twice to finish the New Configuration Baseline wizard.

Assigning the Baseline to a Collection

Now we need to assign our new baseline to a collection whose systems will evaluate it and report compliance.  Right-click on the baseline and select Assign to a Collection, then choose the baseline you want to assign and the target collection.

Systems in the collection will retrieve the baseline assignment and evaluate it the next time they pull policies from SCCM (every 60 minutes by default).  The client in this example evaluated the baseline when it retrieved the policy.  The Configurations tab of the Configuration Manager applet in Control Panel provides information about our baseline.  This client has the redFlag.txt file in the root of drive C: so it isn’t compliant.

Run a report to obtain compliance information

You can run the “Summary compliance by configuration baseline” report to find compliance information on all the systems in the targeted collection.  Select the Configuration Baseline Name that you want to get information on.

And then click on Display.

Fixing non-compliant systems

To fix the non-compliant systems (the ones that have the c:\redFlag.txt file), we’ll put together a simple batch file and deliver it to the non-compliant systems using SCCM software distribution.  Our batch file contains just one line:

del c:\redFlag.txt
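
The one-line `del` leaves read-only or hidden files in place and does not reliably set ERRORLEVEL, so the program can finish with exit code 0 while the file is still there. The batch file below is an added example, not part of the original article: it forces the delete, verifies the result, and returns a non-zero exit code on failure; the log path and the specific exit codes are assumptions chosen for illustration.

```batch
@echo off
rem Added example (not from the original article): hardened form of the
rem one-line batch file. TARGET matches the article; LOG is an assumed path.
setlocal
set "TARGET=C:\redFlag.txt"
set "LOG=%SystemRoot%\Temp\redFlag-remediation.log"

rem Nothing to do: exit 0 so an already-clean system is not reported as failed.
if not exist "%TARGET%" (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% not present: %TARGET%
    exit /b 0
)

rem A folder with this name is not what the configuration item describes; leave it.
if exist "%TARGET%\" (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% is a folder, skipped: %TARGET%
    exit /b 2
)

rem /f removes read-only files, /a matches hidden and system files, /q suppresses prompts.
del /f /q /a "%TARGET%" >>"%LOG%" 2>&1

rem del does not reliably set ERRORLEVEL, so check the outcome directly.
if exist "%TARGET%" (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% FAILED to delete: %TARGET%
    exit /b 1
)

>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% deleted: %TARGET%
exit /b 0
```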

You can now create an SCCM program and package containing the batch file.  You’ll advertise this program to non-compliant systems.

Now we need to create a collection with non-compliant systems.  You can use the WQL query language to create a dynamic collection that will be composed of only non-compliant systems every time it evaluates (you indicate how frequently the collection should be evaluated).  If you have R3 for SCCM 2007 installed, you can create the collection automatically by right-clicking on the baseline, selecting “Create New Collection” and clicking on “Non-Compliant Systems”.

In the New Collection wizard, give the collection a name and indicate how often it should be evaluated (the default is every 1 day).

The collection was created with the following WQL statement, which is what you would have to create if R3 wasn’t installed on your SCCM 2007 site server.

Click Next and Finish to create the collection.  In this example, it got populated with the non-compliant system.

You can now advertise the SCCM program to fix the non-compliant systems (by deleting the c:\redFlag.txt file) to this collection.

In our example, after the non-compliant system ran the advertised SCCM program and then evaluated the baselines on the next scheduled evaluation, our baseline was reported as “Compliant” in the Configurations tab of the Configuration Manager applet in Control Panel.

Then the next time our collection evaluated, it no longer had our system in it.

The DCM report now shows 1 compliant system instead of 1 non-compliant.


