Compliance Settings in ConfigMgr 2012 is a great feature that can be used for a variety of things. It validates the compliance of certain settings on devices against rules that return a compliant or non-compliant state. One thing you could use Compliance Settings for is to check the compliance state of the Windows Firewall, that is, whether it is enabled or disabled. Even better, you can check whether the firewall is enabled or disabled for the profile that is currently connected.
In this blog post I'll demonstrate how to use Compliance Settings to report a compliant state when the connected profile of Windows Firewall is enabled. If it's disabled, we'll treat the device as non-compliant.
- Create a Configuration Item
- Create a Configuration Baseline
- Deploy the Configuration Baseline
- Verify that a device has evaluated the Configuration Baseline
Create a Configuration Item
A Configuration Item is used to define a configuration and the associated validation criteria to be assessed for compliance on devices. We'll create a single Configuration Item for this scenario and later associate it with a Configuration Baseline. Before we begin, we need the main component of the Configuration Item: the script below. It is taken from MSDN and modified slightly to work in this scenario. It writes a single value, True or False, to standard output, and that output is what the compliance rule created in the steps below is compared against.
Option Explicit
Dim CurrentProfiles
Dim strWFStatus
' Profile bit values used by INetFwPolicy2.CurrentProfileTypes
Const NET_FW_PROFILE2_DOMAIN = 1
Const NET_FW_PROFILE2_PRIVATE = 2
Const NET_FW_PROFILE2_PUBLIC = 4
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
' Bitmask of the profiles that are currently connected
CurrentProfiles = fwPolicy2.CurrentProfileTypes
strWFStatus = "False"
' Report True when the firewall is enabled on a connected profile
If ( CurrentProfiles AND NET_FW_PROFILE2_DOMAIN ) Then
    If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_DOMAIN) = TRUE Then
        strWFStatus = "True"
    End If
End If
If ( CurrentProfiles AND NET_FW_PROFILE2_PRIVATE ) Then
    If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_PRIVATE) = TRUE Then
        strWFStatus = "True"
    End If
End If
If ( CurrentProfiles AND NET_FW_PROFILE2_PUBLIC ) Then
    If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_PUBLIC) = TRUE Then
        strWFStatus = "True"
    End If
End If
' The only line of output is the value the compliance rule evaluates
WScript.Echo(strWFStatus)
1. Open the ConfigMgr console and go to Assets and Compliance.
2. Expand Compliance Settings, right-click on Configuration Items and click Create Configuration Item.
3. In the Name field, enter a name that suits the purpose of the Configuration Item and click Next.
4. On the Supported Platforms page, select the operating system platforms that this Configuration Item will be assessed for compliance on and click Next.
5. Click the New button on the Settings page.
6. In the Create Setting window that appears, make the following selections:
- Name: Windows Firewall Setting
- Setting type: Script
- Data type: String
7. Click on Add Script in the Discovery script section.
8. In the Edit Discovery Script window, select VBScript as the Script language. In the Script field, paste the script from above and click OK.
9. Back in the Create Setting window, go to the Compliance Rules tab and click on New.
10. In the Create Rule window, make the following changes:
- Name: Windows Firewall Rule
- Rule type: Value
- The following values: True
- Noncompliance severity for reports: Warning
Click on OK.
11. Back in the Create Setting window, click OK.
12. On the Settings page, click Next.
13. On the Compliance Rules page, click Next (we've already created a rule for this Configuration Item).
14. Click Next on the Summary page.
15. And finally on the Completion page, click Close.
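ConfigMgr also accepts PowerShell as the Script language in step 8. The block below is an added example, not code from the original post or from the MSDN sample: it reads the same HNetCfg.FwPolicy2 COM object as the VBScript, emits the same single True/False value for the Value rule, and adds a RequireAll option (an assumption of this example, not part of the original script) that is stricter than the VBScript because every connected profile must have the firewall on, which matters on hosts with several adapters on different profiles.

```powershell
# Added example, not from the original post: PowerShell discovery script for the
# same Script setting (Data type: String), using the HNetCfg.FwPolicy2 COM object.

# Profile bit values of INetFwPolicy2.CurrentProfileTypes
$ProfileBits = @(
    @{ Name = 'Domain';  Bit = 1 },
    @{ Name = 'Private'; Bit = 2 },
    @{ Name = 'Public';  Bit = 4 }
)

function Get-ConnectedFirewallProfileState {
    # Emits one object per currently connected profile with its firewall state
    $fwPolicy2 = New-Object -ComObject HNetCfg.FwPolicy2
    $current   = [int]$fwPolicy2.CurrentProfileTypes   # bitmask of connected profiles
    foreach ($p in $ProfileBits) {
        if (($current -band $p.Bit) -ne 0) {
            New-Object PSObject -Property @{
                Profile = $p.Name
                Enabled = [bool]$fwPolicy2.FirewallEnabled($p.Bit)
            }
        }
    }
}

function Get-FirewallComplianceValue {
    # RequireAll is an assumed parameter of this example, not part of the original script
    param([bool]$RequireAll = $true)
    $states = @(Get-ConnectedFirewallProfileState)
    if ($states.Count -eq 0) {
        # No profile is connected; the VBScript also reports False in this case
        return 'False'
    }
    $disabled = @($states | Where-Object { -not $_.Enabled }).Count
    $enabled  = $states.Count - $disabled
    if ($RequireAll) {
        # Stricter than the VBScript: every connected profile must have the firewall on
        if ($disabled -eq 0) { 'True' } else { 'False' }
    } else {
        # Same rule as the VBScript: one connected profile with the firewall on is enough
        if ($enabled -gt 0) { 'True' } else { 'False' }
    }
}

# The Value rule compares this single output line against "True"
Get-FirewallComplianceValue -RequireAll $true
```

If you use this variant, select PowerShell as the Script language in step 8, and make sure the PowerShell execution policy under Computer Agent in Client Settings allows the script to run (or sign it), otherwise the client will not produce a value to evaluate.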
Create a Configuration Baseline
The Configuration Baseline can be described as a container for one or more Configuration Data items (Configuration Items, Configuration Baselines and Software Updates). All of the Configuration Data items in the baseline need to be compliant for the Configuration Baseline to be assessed as compliant. For our scenario of assessing the compliance of the Windows Firewall, we'll add our newly created Configuration Item called Check compliance state of Windows Firewall to a new Configuration Baseline.
1. In the Assets and Compliance node, expand Compliance Settings, right-click on Configuration Baseline and click Create Configuration Baseline.
2. In the Create Configuration Baseline window, make the following changes:
- Name: Windows Firewall Compliance Check
- Description: If the connected profile of Windows Firewall is enabled, it’s considered compliant
Click on Add and select Configuration Items.
3. In the Add Configuration Items window, select the Check compliance state of Windows Firewall and click Add.
4. Click on OK.
5. Back in the Create Configuration Baseline window, click OK.
Deploy the Configuration Baseline
In order for devices to evaluate the compliance state of a Configuration Baseline, the Configuration Baseline needs to be deployed to a collection. During the next Machine Policy Refresh Cycle, the members of that collection retrieve the policy containing the information about this Configuration Baseline. Depending on Client Settings, the Configuration Baseline is then evaluated on the device according to the specified schedule. The default schedule is every 7 days. You also have the option to specify a schedule for each Configuration Baseline when you deploy it; the default value matches the value specified in the Client Settings.
1. In the Assets and Compliance node, expand Compliance Settings and select Configuration Baselines.
2. Select the Windows Firewall Compliance Check, right-click and click Deploy.
3. In the Deploy Configuration Baselines window, click on Browse and select the collection whose members should evaluate the compliance state. Click on OK.
Verify that a device has evaluated the Configuration Baseline
On a device, go to Control Panel, System and Security and open the Configuration Manager applet. In the Configurations tab you'll see which Configuration Baselines the client will evaluate on its specific schedule. As shown in the picture below, our Configuration Baseline was evaluated as Compliant.
Working perfectly for W10 too!
This does not work on Windows 10, FW disabled on all profiles, yet the script returns True.
Great work!!! Can you also point to the table where this information is stored in the CM DB, or any other way to pull out the report?
Thanks for this – really very useful. A couple of things – once completed – can this list be converted into a report/query and how easy is it to then remediate all the failed ones to true?