It’s only been 2 weeks since I released the last update of this MP (version 220.127.116.11). Soon after the release, Mr. David Allen, a fellow System Center CDM MVP contacted me, asked me to test his SCCM Compliance MP, and possibly combine it with my ConfigMgr 2012 Client MP.
In the ConfigMgr 2012 Client MP, the OVERALL DCM baselines compliance status are monitored by the DCM Agent class, whereas in David’s SCCM Compliance MP, each DCM Baseline is discovered as a separate entity and monitored separately. Because of the utilisation of Cook Down feature, comparing with the approach in the ConfigMgr 2012 Client MP, this approach adds no additional overhead to the OpsMgr agents.
David’s MP also included a RunAs profile to allow users to configure monitoring for OpsMgr agents using a Low-Privileged default action account.
I think both of the features are pretty cool, so I have taken David’s MP, re-modelled the health classes relationships, re-written the scripts from PowerShell to VBScripts, and combined what David has done to the ConfigMgr 2012 Client MP.
If you (the OpsMgr administrators) are concerned about number of additional objects that are going to be discovered by this release (every DCM baseline on every ConfigMgr 2012 Client monitored by OpsMgr), the DCM Baselines discovery is disabled by default, I have taken an similar approach as configuring Business Critical Desktop monitoring, there is an additional unsealed MP in this release to allow you to cherry pick which endpoints to monitor in this regards.
What’s New in Version 18.104.22.168
Other than combining David’s SCCM Compliance MP, there are also few other updates included in this release. Here’s the full “What’s New” list:
Bug Fix: ConfigMgr 2012 Client Missing Client Health Evaluation (CCMEval) Execution Cycles Monitor alert parameter incorrect
Added a privileged RunAs Profile for all applicable workflows
Additional rule: ConfigMgr 2012 Client Missing Cache Content Removal Rule
Enhanced Compliance Monitoring
- Additional class: DCM Baseline (hosted by DCM agent)
- Additional Unit monitor: ConfigMgr 2012 Client DCM Baseline Last Compliance Status Monitor
- Additional aggregate and dependency monitors to rollup DCM Baseline health to DCM Agent
- Additional State View for DCM Baseline
- Additional instance groups:
- All DCM agents
- All DCM agents on server computers
- All DCM agents on client computers
- All Business Critical ConfigMgr 2012 Client DCM Agents
- Additional unsealed MP: ConfigMgr 2012 Client Enhanced Compliance Monitoring
- Override to enabled DCM baseline discovery for All DCM agents on server computers group
- Override to disable old DCM baseline monitor for All DCM agents on server computers group
- Discovery for All Business Critical ConfigMgr 2012 Client DCM Agents (users will have to populate this group, same way as configuring business critical desktop monitoring)
- Override to enabled DCM baseline discovery for All Business Critical ConfigMgr 2012 Client DCM Agents group
- Override to disable old DCM baseline monitor for All Business Critical ConfigMgr 2012 Client DCM Agents group
- Additional Agent Task: Evaluate DCM Baseline (targeting the DCM Baseline class)
- Software Distribution Agent
- Software Update Agent
- Software Inventory Agent
- Hardware Inventory Agent
- DCM Agent
- DCM Baseline
Enhanced Compliance Monitoring
Version 22.214.171.124 has introduced a new feature that can monitor assigned DCM Compliance Baselines on a more granular level. Prior to this release, there is a unit monitor targeting the DCM agent class and monitor the overall baselines compliance status as a whole. Since version 126.96.36.199, each individual DCM baseline can be discovered and monitored separately.
By default, the discovery for DCM Baselines is disabled. It needs to be enabled on manually via overrides before DCM baselines can be monitored individually.
There are several groups can be used for overriding the DCM Baseline discovery:
|Enable For All DCM Agents||Class: ConfigMgr 2012 Client Desired Configuration Management Agent|
|Enable For Server Computers Only||Group: All ConfigMgr 2012 Client DCM Agents on Server OS|
|Enable For Client Computers Only||Group: All ConfigMgr 2012 Client DCM Agents on Client OS|
|Enable for a subset of group of computers||Manually create an instance group and populate the membership based on the “ConfigMgr 2012 Client Desired Configuration Management Agent” class|
Note: Once the DCM Baseline discovery is enabled, please also disable the “ConfigMgr 2012 Client DCM Baselines Compliance Monitor” for the same targets as it has become redundant.
Once the DCM baselines are discovered, their compliance status is monitored individually:
Additionally, the DCM Baselines have an agent task called “Evaluate DCM Baseline”, which can be used to manually evaluate the baseline. This agent task performs the same action as the “Evaluate” button in the ConfigMgr 2012 client:
An additional unsealed management pack named “ConfigMgr 2012 Client Enhanced Compliance Monitoring” is also introduced. This management pack includes the following:
- An override to enable DCM baseline discovery for “All ConfigMgr 2012 Client DCM Agents on Server OS” group.
- An override to disable the legacy ConfigMgr 2012 Client DCM Baselines Compliance Monitor for “All ConfigMgr 2012 Client DCM Agents on Server OS” group.
- A blank group discovery for the “All Business Critical ConfigMgr 2012 Client DCM Agents” group
- An override to enable DCM baseline discovery for “All Business Critical ConfigMgr 2012 Client DCM Agents” group.
- An override to disable the legacy ConfigMgr 2012 Client DCM Baselines Compliance Monitor for “All Business Critical ConfigMgr 2012 Client DCM Agents” group.
In summary, this management pack enables DCM baseline discovery for all ConfigMgr 2012 client on server computers and switch from existing “overall” compliance baselines status monitor to the new more granular compliance baseline status monitor which targets individual baselines. This management pack also enables users to manually populate the new “All Business Critical ConfigMgr 2012 Client DCM Agents” group. Members in this group will also be monitored the same way as the server computers as previously mentioned.
Note: Please only use this management pack when you prefer to enable enhanced compliance monitoring on all server computers, otherwise, please manually configure the groups and overrides as previously stated.
New RunAs Profile for Low-Privilege Environments
Since almost all of the workflows in the ConfigMgr 2012 Client management packs require local administrative access to access various WMI namespaces and registry, it will not work when the OpsMgr agent RunAs account does not have local administrator privilege.
Separate RunAs accounts can be created and assigned to the “ConfigMgr 2012 Client Local Administrator RunAs Account” profile.
RunAs Account Example:
For More information about OpsMgr RunAs account and profile, please refer to: http://technet.microsoft.com/en-us/library/hh212714.aspx
Note: When assigning a RunAs Account to the “ConfigMgr 2012 Client Local Administrator RunAs Account” profile, you will receive an error as below:
Please refer to the MP documentation section “14.3 Error Received when Adding RunAs Account to the RunAs Profile” for instruction on fixing this error.
New Rule: Missing Cache Content Removal Rule
This rule runs every 4 hours by default and checks if any registered ConfigMgr 2012 Client cache content has been deleted from the file system. When obsolete cache content is detected, this rule will remove the cache content entry from ConfigMgr 2012 client via WMI and generates an informational alert with the details of the missing cache content:
Prior to this release, only the top level class ConfigMgr 2012 Client has its dedicated icons. I have spent a lot of time looking for icons for all other classes, I managed to produce icons for each monitoring classes in this release:
Note: I only managed to find high res icons for the Software Distribution Agent and the Software Update Agent (extracted from various DLLs and EXEs). I couldn’t find a way to extract icons from AdminUI.UIResources.DLL – where all the icons used by SCCM are stored. So for other icons, I had to use SnagIt to take screenshots of these icons. You may notice the quality is not that great, but after few days effort trying to find these icons, this is the best I can do. If you have a copy of these icons (res higher than 80×80), or know a way to extract these icons from AdminUI.UIResources.dll, please contact me and I’ll update them in the next release.
BIG thank you to David Allen for his work on the SCCM Compliance MP, and also helping me test this release!
You can download the ConfigMgr 2012 Client MP Version 188.8.131.52 HERE.
Until next time, happy SCOMMING!