Customizing configuration baselines and items may be a
full-time task, depending on the role set for DCM in an organization.
The toolset included with ConfigMgr 2007 provides a rich environment for
authoring these objects, although it is not the only way to author
them. The following sections discuss how to go about authoring baselines
and configuration items using the console as well as a few alternative
methods.
1. Console Authoring
The main purpose of the ConfigMgr console in DCM
is to organize, assign, create, and edit configuration baselines and
configuration items. The built-in toolset for these last two
activities—creating and editing—is fairly complete; it allows you to
define a wide range of evaluation criteria covering most of the
scenarios needed.
To create a new configuration item, navigate to
Site Database -> Computer Management -> Desired Configuration
Management -> Configuration Baselines in the ConfigMgr console
navigation tree and then select New. This opens a flyout menu from which
you can create one of the three creatable types of
configuration items. The resulting Configuration Item Creation Wizards
for all these types are similar to each other; each has the pages listed
in Table 1.
Table 1. Configuration Item Configurable Properties
| Configuration Item Type | Configurable Property Types |
|---|---|
| Application | Identification, Detection Method, Objects, Settings, Applicability |
| General | Identification, Objects, Settings, Applicability |
| Operating System | Identification, Objects, Settings, Microsoft Windows Version |
Here are descriptions of the wizard pages:
Identification— On this page, you set the name of the configuration item and assign any desired categories.
Detection Method— This page, specific to only application configuration items and shown in Figure 16.7, allows you to configure how the installation of an application is detected. There are three methods:
Assumption— When this method is selected, DCM simply assumes that the application is installed without a check. Choosing this option is essentially the equivalent of creating a general configuration item.
Windows Installer (MSI) Detection— This method uses the list of products installed by Windows Installer to determine if an application is installed. If an application was not installed using an MSI, this method is not applicable.
Expected data for this method includes the Globally Unique Identifier (GUID) and the version number for the application. The easiest way to get this information is to click the Open button and select the MSI originally used to install the application. This automatically populates the fields. You can also tell DCM that the application was installed “per user” by checking the corresponding box shown in Figure 1. This check box is grayed out until you select Use Windows Installer (MSI) detection.
Note: Manually Determining a Product’s GUID
Although not always apparent, most software applications today are installed using an MSI. The MSIs are typically hidden inside of executables and are not directly accessible. During installation, the MSI is extracted from the executable to a temporary folder and then installed from that folder. The easiest way to determine the application’s GUID and version if the MSI is hidden in this way—or not readily available for any reason—is to use WMI, and the easiest way to query WMI is the WMI console (WMIC).
WMIC is part of every Windows installation and is invoked from the command line.
Here’s an example of a WMIC command to query for the GUID and version of all Microsoft Live products:
wmic product where "caption like '%Live%'" get name, IdentifyingNumber, version
This command outputs the product name, GUID, and version for every product that has Live in its name.
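The same lookup from the registry, as an added example that is not part of the original text: `wmic product` enumerates the Win32_Product class, which makes Windows Installer validate every installed package as a side effect, while reading the Uninstall keys is read-only. The sketch covers per-machine installations only and reuses the `Live` name filter from the command above.

```powershell
# Added example: list MSI-installed products from the per-machine Uninstall keys.
$namePattern = '*Live*'    # same filter as the WMIC example above

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit applications on 64-bit Windows register here instead.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$uninstallKeys |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ } |
    ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        # WindowsInstaller = 1 marks an entry registered by an MSI; for those
        # entries the subkey name is the product GUID that DCM expects.
        if ($props.WindowsInstaller -eq 1 -and $props.DisplayName -like $namePattern) {
            New-Object PSObject -Property @{
                Name              = $props.DisplayName
                IdentifyingNumber = $_.PSChildName
                Version           = $props.DisplayVersion
            }
        }
    } |
    Sort-Object Name |
    Format-Table Name, IdentifyingNumber, Version -AutoSize
```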
Script— This method uses a custom script—VBScript, JScript, or PowerShell based—to detect the installation of an application. The script should return some text to indicate the successful detection of an installed application and no text to indicate failure. A simple example VBScript to detect the installation of the Internet Explorer Administration Kit 7 follows:
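' Detection script: write to StdOut only when the IEAK 7 folder exists.
folderPath = "C:\Program Files\Microsoft IEAK 7"
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FolderExists(folderPath) Then
    ' Any output marks the application as detected; no output means not detected.
    WScript.Echo "IEAK 7 Found"
End If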
Note: Script Success
Scripts used in DCM are considered to be successful if they output anything to the standard output—often referred to as StdOut. The exact contents of the output are not evaluated; all that matters is that something is output. Conversely, if nothing is output, the script is considered unsuccessful.
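A PowerShell version of the IEAK 7 detection script, added here as an example that is not part of the original text, showing how the StdOut rule interacts with PowerShell's implicit output. The non-empty-folder check is an assumption of the example, not a DCM requirement.

```powershell
# Added example (not from the original text). Requires PowerShell 2.0 or later (try/catch).
$folderPath = 'C:\Program Files\Microsoft IEAK 7'   # path from the VBScript above

# Pitfall: a bare `Test-Path $folderPath` writes True or False to the output
# stream. Either value is text on StdOut, so DCM would treat the application
# as detected even when the folder is missing. Capture every result instead.
$detected = $false
try {
    if (Test-Path -LiteralPath $folderPath -PathType Container) {
        # A folder left behind empty by an uninstall should not count as installed
        # (this extra check is an assumption of the example).
        $files = @(Get-ChildItem -LiteralPath $folderPath -ErrorAction Stop |
                   Where-Object { -not $_.PSIsContainer })
        $detected = ($files.Count -gt 0)
    }
}
catch {
    # On any error stay silent: no output is reported as "not detected".
    $detected = $false
}

# The only statement allowed to write to StdOut.
if ($detected) {
    Write-Output 'IEAK 7 Found'
}
```

When reviewing a detection script, look for any statement whose value is not assigned or discarded, since each one is a potential false "detected" result.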
Objects— On this page, displayed in Figure 2, you choose which objects to evaluate for compliance on a system. To add a check for an object, click New at the bottom of the page (circled in the figure) and choose the type you would like to check for from the pop-up menu.
Settings— On this page, shown in Figure 3, you choose which settings to evaluate for compliance on a system. To add a check for a setting, click New at the bottom of the page and choose which type you would like to check for from the pop-up menu. The “Settings” section discusses possible settings.
Applicability— Only available on general and application configuration items, this page (displayed in Figure 4) sets the Windows platforms for which the configuration item is applicable. If the Windows version does not match, the configuration item is not evaluated. The list of Windows platforms includes all ConfigMgr-supported platforms and is broken down by version, service pack, and hardware platform. You can specify All Windows platforms, or use the list to select one or multiple platforms, making the configuration item applicable to specific Windows platforms.
Microsoft Windows Version— Shown in Figure 5, this page is only available to operating system configuration items, but is very similar in function to the Applicability page described in the previous bullet. The primary difference is that you can only specify a single Windows version. You can choose a Windows version from the drop-down at the top of the page or explicitly define the Windows version using the text boxes. If you choose a version from the list box at the top, the text boxes for the version are automatically populated.
The primary evaluation criteria used in configuration items are defined
using the Objects and Settings tabs. These are described in detail next.