CONFIGMGR CONFIGURATION
ITEMS DISSECTED
Tom Degreef
Nash Pherson
Steve Jesok
@TomDegreef
@KidMystic
@SteveJesok
Senior Consultant, OSCC
MNSCUG
MNSCUG
www.oscc.be
nowmicro.com/rct
mnscug.org
CONFIGURATION ITEMS (CI’S)
AGENDA
What are CI's? (the what and why)
A Very Brief History (SCCM 2007 until current branch)
Useful CI’s in your own environment
Creation & Evaluation flow
Logs
Server Side
Client Side
WMI
SQL
WHAT AND WHY FOR CI’S
THE COMPLIANCE MODEL
EVERYBODY goes in 1 and ONLY 1 bucket.
The only way to get in the Compliant bucket is for us to positively know you are Compliant
Compliant
Not Required
Not Compliant
Error
Unknown
WHAT TYPE OF CI’S EXIST
CIType_ID   TypeName
1           Software Updates
2           Baseline
3           OS
4           General
5           Application
6           Driver
7           Uninterpreted
8           Software Updates Bundle
9           Update List
10          Application Model
11          Global Settings
13          Global Expression
14          Supported Platform
21          Deployment Type
24          Intend Install Policy
60          Virtual Environment
WHAT IS A CONFIGURATION ITEM
A configuration item can be thought of as a container that stores the following information (the
information you configure will depend on the configuration item type):
Detection method information (for Windows configuration items that contain application
settings only) - Lets you detect whether an application is installed by detecting the Windows
installer file for the application, or by using a custom script.
Settings - Settings represent the business or technical conditions that are used to assess
compliance on client devices. You can configure a new setting or browse to an existing setting on
a reference computer.
Compliance rules - Compliance rules specify the conditions that define the compliance of a
configuration item setting. Before a setting can be evaluated for compliance, it must have at least
one compliance rule. Some settings let you remediate values that are found to be noncompliant.
You can create new rules or browse to an existing setting in any configuration item to select rules
in it.
Supported platforms - These are the device platforms you define on which the configuration
item will be evaluated for compliance. If you deploy a configuration item to a device that is not in
the supported platforms list, it will not be evaluated for compliance.
CI HISTORY
CI HISTORY (A TRIP DOWN MEMORY LANE)
Configuration Manager 2007
Desired Configuration Management Monitoring
Operating System Configuration Item
Application Configuration Item
General Configuration Item
Software Update Configuration Item
CI HISTORY (A TRIP DOWN MEMORY LANE)
Configuration Manager 2012
Compliance Settings
Remediation for selected CI’s
Registry
Scripts
WMI
Deployments to non-compliant Collections
Mobile Devices (hybrid)
User Data & Profiles
CI HISTORY (A TRIP DOWN MEMORY LANE)
Configuration Manager Current Branch
Remote connection profiles
Conditional Access
Company Resource Access
Windows Hello for Business
Windows edition upgrade
USEFUL CI’S
SECURITY COMPLIANCE MANAGER
https://blogs.technet.microsoft.com/secguide/2016/07/28/security-compliance-manager-4-0-now-available-for-download/
REG2CI
Roger Zander:
https://github.com/rzander/Reg2CI
DISABLE SMB V1
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://alexpooleyblog.wordpress.com/2017/03/09/disabling-smb1-via-configmgr-desired-state-configuration-dsc/
SUPPORT INFO IN ABOUT SCREEN
(code shown on the slide)
WSUS CONFIG
WsusPool queue length: 2000
WsusPool private memory limit: 4 times the default value
WsusPool fixed restart schedule
Based on: https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/recommended-hardware
Because:
http://blog.coretech.dk/kea/house-of-cards-the-configmgr-software-update-point-and-wsus/
https://www.mnscug.org/blogs/brian-mason/361-how-to-melt-a-sup
So:
https://www.mnscug.org/blogs/sherry-kissinger/360-wsus-sup-servers-in-configmgr-2012-custom-configuration-settings
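The three WsusPool settings above, as discovery and remediation functions for one CI. This is an added example, not code from the deck or from the linked posts; it uses the IIS provider (WebAdministration module, run elevated on the SUP). 1843200 KB is the private memory limit WSUS sets at install, so "4 times the default" is 7372800 KB; the 03:00 restart time is a placeholder you would set to your own maintenance window.

```powershell
# Added example (not the deck's code): WsusPool queue length, private memory limit and fixed restart schedule
Import-Module WebAdministration
$Pool = 'IIS:\AppPools\WsusPool'
$Expected = @{ QueueLength = 2000; PrivateMemoryKB = 4 * 1843200; RestartTime = [TimeSpan]'03:00:00' }

function Test-WsusPoolConfig {
    $pool = Get-Item $Pool
    $problems = @()
    if ([int]$pool.queueLength -lt $Expected.QueueLength) { $problems += "queueLength=$($pool.queueLength)" }
    $memKB = [int64]$pool.recycling.periodicRestart.privateMemory
    # 0 means "no limit", which also avoids the mid-scan recycle the posts above describe
    if ($memKB -ne 0 -and $memKB -lt $Expected.PrivateMemoryKB) { $problems += "privateMemory=$memKB" }
    $times = @($pool.recycling.periodicRestart.schedule.Collection | ForEach-Object { [TimeSpan]$_.value })
    if ($times -notcontains $Expected.RestartTime) { $problems += "schedule=$($times -join ',')" }
    if ($problems.Count -eq 0) { return 'COMPLIANT' }
    return "NOTCOMPLIANT: $($problems -join '; ')"
}

function Set-WsusPoolConfig {
    Set-ItemProperty $Pool -Name queueLength -Value $Expected.QueueLength
    Set-ItemProperty $Pool -Name recycling.periodicRestart.privateMemory -Value $Expected.PrivateMemoryKB
    # A fixed daily restart replaces the default 1740-minute rolling recycle
    Set-ItemProperty $Pool -Name recycling.periodicRestart.time -Value '00:00:00'
    Clear-ItemProperty $Pool -Name recycling.periodicRestart.schedule
    New-ItemProperty $Pool -Name recycling.periodicRestart.schedule -Value @{ value = $Expected.RestartTime.ToString() }
}

# Discovery script body; the remediation script calls Set-WsusPoolConfig instead
Test-WsusPoolConfig
```

The discovery string starts with COMPLIANT only when all three settings match, so the CI rule can be "value equals COMPLIANT"; the rest of the string ends up in the DCM reports and tells you which setting drifted.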
CONFIGMGR REMOTE COMPLIANCE
https://gallery.technet.microsoft.com/ConfigMgr-Remote-Compliance-2a9e55f3
EVENT LOG EXAMPLE (CORRUPT GROUP POLICY)
http://setspn.blogspot.com/2015/05/corrupt-local-gpo-files.html
https://technet.microsoft.com/en-us/library/cc978247.aspx
http://itcalls.blogspot.be/2014/09/event-1096-processing-of-group-policy.html
https://blogs.technet.microsoft.com/jlosey/2013/01/08/the-cobblers-children-have-now-shoes/
EventID 1096
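A CI built on that event, as an added example (not code from the deck or the linked posts). Discovery flags a client whose System log holds Event 1096 from the Group Policy provider within the last day; remediation moves the corrupt Machine Registry.pol aside and refreshes policy, which is the fix the posts above describe. The 24-hour window and the .bak suffix are choices made here.

```powershell
# Added example (not the deck's code): Event 1096 = "processing of Group Policy failed", registry.pol corrupt
function Test-GroupPolicyHealthy {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1096
                 StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent raises "No events were found" when there are none; that is the compliant case
    $hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    return ($hits.Count -eq 0)
}

function Repair-LocalRegistryPol {
    # Run with the 64-bit scripting host option ticked: under WOW64 System32 would be redirected
    $pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'
    if (Test-Path $pol) {
        Move-Item -Path $pol -Destination "$pol.$(Get-Date -Format yyyyMMddHHmmss).bak" -Force
    }
    gpupdate.exe /target:computer /force | Out-Null
}

# Discovery script body: the CI rule expects the string "COMPLIANT"
if (Test-GroupPolicyHealthy) { 'COMPLIANT' } else { 'NOTCOMPLIANT' }
```

Keep the remediation on the Machine side only; the User\Registry.pol is rebuilt by the user's own policy refresh and removing it from SYSTEM context hides a different problem.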
COLLECT LOCAL ADMINS (ON NON DC’S)
1) Create a custom WMI class
2) Enumerate groups where LocalAccount = true
3) Enumerate members of those groups
4) Write back to the custom WMI class
5) Collect using hardware inventory
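Steps 1 to 4 as one CI discovery script, added here as an example; it is not the deck's own code. The class name Custom_LocalGroupMembers is invented for the example. Run it as SYSTEM from a CI with the 64-bit scripting host option ticked, on workstations and member servers: on a DC every group is a domain group, so the LocalAccount filter in step 2 returns nothing useful.

```powershell
# Added example (not the deck's code): collect local group membership into a custom WMI class
$Namespace = 'root\cimv2'
$ClassName = 'Custom_LocalGroupMembers'   # invented name
$OnlyAdministrators = $true               # $false collects every local group

# 1) Create the custom WMI class once. Hardware inventory needs a Key property to tell rows apart.
if (-not (Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue)) {
    $class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
    $class['__CLASS'] = $ClassName
    $class.Qualifiers.Add('Static', $true)
    $class.Properties.Add('Key', [System.Management.CimType]::String, $false)
    $class.Properties['Key'].Qualifiers.Add('Key', $true)
    foreach ($p in 'GroupName', 'GroupSID', 'MemberName', 'MemberType', 'Collected') {
        $class.Properties.Add($p, [System.Management.CimType]::String, $false)
    }
    [void]$class.Put()
}

# Start from a clean slate so members removed since the last run do not linger in inventory
Get-CimInstance -Namespace $Namespace -ClassName $ClassName | Remove-CimInstance

# 2) Local groups only; the built-in Administrators group is S-1-5-32-544 whatever it is called
$groups = Get-WmiObject -Class Win32_Group -Filter "LocalAccount = TRUE"
if ($OnlyAdministrators) { $groups = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } }

$stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
$rows = 0
foreach ($g in $groups) {
    # 3) Win32_GroupUser lists direct members as object paths, e.g.
    #    \\HOST\root\cimv2:Win32_UserAccount.Domain="CONTOSO",Name="svc-backup"
    $filter = "GroupComponent=""Win32_Group.Domain='$($g.Domain)',Name='$($g.Name)'"""
    foreach ($link in (Get-WmiObject -Class Win32_GroupUser -Filter $filter)) {
        if ($link.PartComponent -notmatch '(?<type>Win32_\w+)\.Domain="(?<domain>[^"]+)",Name="(?<name>[^"]+)"') { continue }
        # 4) One instance per (group, member). Nested domain groups show up as Win32_Group members and are
        #    not expanded: expanding them needs AD access, which a SYSTEM-context CI may not have.
        $null = Set-WmiInstance -Namespace $Namespace -Class $ClassName -Arguments @{
            Key        = "$($g.Name)|$($Matches.domain)\$($Matches.name)"
            GroupName  = $g.Name
            GroupSID   = $g.SID
            MemberName = "$($Matches.domain)\$($Matches.name)"
            MemberType = $Matches.type
            Collected  = $stamp
        }
        $rows++
    }
}
# Discovery output for the CI rule; 5) is then done by hardware inventory, not by the script
if ($rows -gt 0) { 'Collected' } else { 'Empty' }
```

For step 5, add the class to Hardware Inventory in the client settings (Set Classes, Add, Connect to a machine that has already run the script once); after the next inventory cycle the rows appear in the v_GS_ view named after the class.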
WINRM CONFIG
Detect :
$returnvalue = "NOTCOMPLIANT"
# Get-PSSessionConfiguration throws when WinRM has never been configured; treat that as non-compliant
$Sessions = Get-PSSessionConfiguration -ErrorAction SilentlyContinue
foreach ($Session in $Sessions) {
    if ($Session.Name -eq 'Microsoft.PowerShell') {
        $returnvalue = "COMPLIANT"
    }
}
Write-Host $returnvalue
Remediate :
# Re-registers the default endpoint; -Force suppresses the prompt and restarts the WinRM service
Register-PSSessionConfiguration -Name Microsoft.PowerShell -Force
WINDOWS FIREWALL STATE
Binary “OR” of:
#1   service not running
#2   service configuration incorrect
#4   FW Domain Profile not enabled
#8   FW Domain Profile inbound is not blocked
#16  FW Private Profile not enabled
#32  FW Private Profile inbound is not blocked
#64  FW Public Profile not enabled
#128 FW Public Profile inbound is not blocked
Returns the bitflag value with the current config before remediation kicks in (0 = fully compliant).
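The bitflag above computed in code, as an added example (not the deck's script): discovery returns the OR of the eight bits, remediation repairs all of them. It uses the NetSecurity cmdlets (Windows 8 / 2012 and later) and reads the service through Win32_Service, so "service configuration incorrect" is taken to mean a start mode other than Automatic.

```powershell
# Added example (not the deck's code): Windows Firewall state as the bitflag described above
function Get-FirewallStateFlags {
    $flags = 0
    # #1 / #2: the firewall service (MpsSvc) must be running and start automatically
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'MpsSvc'"
    if (-not $svc -or $svc.State -ne 'Running') { $flags = $flags -bor 1 }
    if (-not $svc -or $svc.StartMode -ne 'Auto') { $flags = $flags -bor 2 }
    # #4..#128: per profile, enabled and default inbound action = Block (Domain 4/8, Private 16/32, Public 64/128)
    $bit = 4
    foreach ($name in 'Domain', 'Private', 'Public') {
        $fwProfile = Get-NetFirewallProfile -Name $name -ErrorAction SilentlyContinue
        if (-not $fwProfile -or "$($fwProfile.Enabled)" -ne 'True') { $flags = $flags -bor $bit }
        if (-not $fwProfile -or "$($fwProfile.DefaultInboundAction)" -ne 'Block') { $flags = $flags -bor ($bit * 2) }
        $bit = $bit * 4
    }
    return $flags
}

function Repair-FirewallState {
    Set-Service -Name MpsSvc -StartupType Automatic
    Start-Service -Name MpsSvc -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
}

# Discovery script body: the CI rule is "value equals 0"; the remediation script calls Repair-FirewallState
Get-FirewallStateFlags
```

Because the discovery value is reported before remediation runs, the DCM report keeps the pre-fix bitflag, which is what makes the number useful: a fleet full of 8s and 32s tells a different story than a fleet full of 1s.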
DISABLE ADMINISTRATOR
Returns the status of the Local Administrator Account
0 = OK; 1 = Enabled; 2 = Renamed; 3 = Enabled + Renamed
Detect :
$Status = 0
# 1: enabled
# 2: renamed
$DefaultName = "Administrator"
# Find the built-in administrator by its well-known RID (500) so the check still works once it has been renamed
$BuildInAdmin = Get-WmiObject -Query "Select * From Win32_UserAccount Where LocalAccount = TRUE AND SID LIKE 'S-1-5%-500'"
if ($BuildInAdmin.Disabled -eq $False) {
    $Status = $Status -bor 1
}
$CurrentName = $BuildInAdmin.Name
$CurrentNameOK = [string]::Compare($CurrentName, $DefaultName, $True)
if ($CurrentNameOK -ne 0) {
    $Status = $Status -bor 2
}
Return $Status
Remediate :
# Disable the built-in Administrator (RID 500) and Guest (RID 501) accounts. Bind by the current name:
# WinNT://./Administrator fails as soon as the account has been renamed, which status 2 says it may be.
foreach ($rid in 500, 501) {
    $account = Get-WmiObject -Query "Select * From Win32_UserAccount Where LocalAccount = TRUE AND SID LIKE 'S-1-5%-$rid'"
    $user = [ADSI]"WinNT://./$($account.Name)"
    $user.psbase.invokeset("AccountDisabled", $True)
    $user.setinfo()
}
NTLM SECURITY SETTINGS
Do not store LM Hash values
Set LM Compatibility level to 5 (if possible)
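The SMB1 and NTLM slides combined into one CI, as an added example (not code from the deck or the linked posts). Missing registry values are treated as the OS default (NoLMHash on, LmCompatibilityLevel 3 on Vista / 2008 and later). Level 5 refuses LM and NTLMv1 responses, which is the "if possible" on the slide, so the remediation only raises it when told to.

```powershell
# Added example (not the deck's code): discovery bitflag and remediation for SMB1, NoLMHash and LmCompatibilityLevel
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaHardeningFlags {
    # 0 = compliant; 1 = SMB1 server enabled; 2 = LM hashes stored; 4 = LmCompatibilityLevel below 5
    $flags = 0
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue   # Windows 8 / 2012 and later
    if ($smb -and $smb.EnableSMB1Protocol) { $flags = $flags -bor 1 }
    $lsa = Get-ItemProperty -Path $Lsa
    $noLmHash = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { 1 }
    $level    = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }
    if ($noLmHash -ne 1) { $flags = $flags -bor 2 }
    if ($level -lt 5)    { $flags = $flags -bor 4 }
    return $flags
}

function Repair-LsaHardening {
    param([switch]$SetLevel5)   # only raise the level once NTLMv1 clients are gone (audit first)
    Set-ItemProperty -Path $Lsa -Name NoLMHash -Value 1 -Type DWord
    if ($SetLevel5) { Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 5 -Type DWord }
    # On Windows 7 / 2008 R2 the cmdlet does not exist: use the SMB1 value under
    # HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters as in the filecab post above
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# Discovery script body: the CI rule is "value equals 0"
Get-LsaHardeningFlags
```

NoLMHash only stops new LM hashes from being written; existing ones stay in the SAM until the password is next changed, so a password rotation (for example through LAPS) belongs next to this CI.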
CREDENTIAL GUARD
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI. Both arrays must
# contain 1: "configured" alone is satisfied by the registry keys before a reboot has actually started it.
return (($DevGuard.SecurityServicesConfigured -contains 1) -and ($DevGuard.SecurityServicesRunning -contains 1))
http://ccmexec.com/2017/04/configmgr-ci-to-check-that-credential-guard-is-running/
PROTECTING THE NAA
Import the “Dummy CAB”
Extract the NAA’s from the environment
Replace the Dummy NAA’s with the extracted ones
Replace the XML’s in the imported CI’s
CI’s involved
Deny Logon through Remote Desktop Service
Deny Logon Locally
Deny Logon as a service
Deny Logon as a batch job
Deny Access this computer from the network **
** remove this if you use Peer-Cache
PROTECT THE NAA
# Import the CI's with the placeholder account, then rewrite each CI's digest so the deny-logon rules
# name the real Network Access Accounts
Import-CMConfigurationItem -FileName "$psscriptroot\Dummy - Limit Network access account on non-site systems.cab"
# Every account flagged for software distribution is a NAA
$NAANames = (Get-CMAccount | ? {$_.accountusage -eq "Software Distribution"}).Username
# Build the body of a PowerShell array literal: 'dom\naa1','dom\naa2'. One quoted element per account;
# joining the names inside a single pair of quotes would collapse several NAA's into one 'a,b' string.
$newvalue = ($NAANames | % { "'$_'" }) -join ','
$arrCI = (Get-CMConfigurationItem | ? {$_.localizeddisplayname -like "Protect Network Access Account - *"} | select localizeddisplayname)
foreach ($item in $arrci)
{
    # SDMPackageXML is the whole CI document; only its DesiredConfigurationDigest element is written back
    $ciXML = [XML](Get-CMConfigurationItem | ? {$_.localizeddisplayname -eq $item.localizeddisplayname}).SDMPackageXML
    $ciCD = [System.Xml.XmlElement]($ciXML.DesiredConfigurationDigest)
    $writer = New-Object XML.XmlTextWriter "$env:temp\cidigest.xml", ([Text.Encoding]::Unicode)
    $cicd.WriteTo($writer)
    $writer.Flush()
    $writer.Close()
    # Replace the placeholder line shipped in the dummy CAB; the @( ... ) wrapper stays intact
    (Get-Content $env:temp\CIDigest.xml).Replace("`$NAAAccount = @('dummy\dummy01')","`$NAAAccount = @($newvalue)") | Set-Content $env:temp\CIDigest.xml -Encoding Unicode
    Set-CMConfigurationItem -DesiredConfigurationDigestPath $env:temp\CIDigest.xml -Name $item.localizeddisplayname
    remove-item $env:temp\CIDigest.xml -Force
}
GET THEM FROM …
https://github.com/npherson/StealTheseCIs/
CI-FLOWS
CI-FLOW (SERVER SIDE)
CI gets created
Inserts into CI_Models (contains ModelId (not the same as CI_ID) and ModelName (= CI_UniqueID))
Inserts into CI_ConfigurationItems (CI_ID, ModelId, CI_UniqueID, SDMPackageDigest (!)) (**Trigger)
Inserts into CI_DocumentStore (hash of the SDM package)
Inserts into CI_ConfigurationItemRelations (links to various other CI's: applicable OS's, …) (**Trigger)
The triggers fire and insert into TableChangeNotifications
SMSDBMON polls TableChangeNotifications and drops <CI_ID>.CIN into the Object Replication Manager inbox
ObjReplMgr checks its inbox
Acts on the files
Creates policy
SDM PACKAGE DIGEST
WHAT LOGS ARE INVOLVED
Server-Side
SMSDBMON
ObjReplMgr
CI-RELATIONS EXAMPLE (MSI APPLICATION)
Each deployment type has a “template” CI in the database
The “Application” CI_ID links to each deployment type (relationship type 9, AppToDTReference)
Each DT CI_ID links to its respective “template” (relationship type 16, ApplicationType)
Each DT can also link to, e.g., a global condition (relationship type 13, GlobalConditionReference)
The main application CI also links to an intention (Required/Available) (type 11, Intention)
CI-RELATIONS
RelationType  IsRecursive  Description
1             1            Bundled
2             0            Required
3             0            Prohibited
4             0            Optional
5             1            Derived
6             1            Superseded
7             0            Self
8             0            Reference
9             0            AppToDTReference
10            1            AppDependence
11            0            Intention
12            0            Platform
13            0            GlobalConditionReference
15            1            ApplicationSuperSeded
16            0            ApplicationType
17            0            ApplicationHost
18            0            ApplicationInstaller
19            1            SupersedOrDependent
20            0            VirtualEnvironmentReference
21            0            AppDCMReference
22            0            DeploymentTypeToPolicyTemplateReference
23            0            CIInheritanceRelation
24            0            AppConfigTemplateReference
USEFUL WMI CLASSES (SERVER SIDE)
Root\SMS\Site_<Sitecode> (the provider classes carry the SMS_ prefix, e.g. SMS_CIRelation)
CI_ComplianceSummary
CI_CurrentComplianceStatus
CIAssignmentBaseClass
CIRelation
ConfigurationItem
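The MSI application example and the relation table above, walked live through the SMS provider classes just listed. This is an added example, not the deck's code: the site server name, site code and application name are placeholders, and it relies on SMS_CIRelation (FromCIID, ToCIID, RelationType), SMS_ConfigurationItemBaseClass (CI_ID, CIType_ID, LocalizedDisplayName) and SMS_Application (CI_ID, IsLatest) being queryable as named here. Relation and CI type names come from the two tables on this deck.

```powershell
# Added example (not the deck's code): print the relation tree under one application CI
param(
    [string]$SiteServer = 'CM01',       # placeholder
    [string]$SiteCode   = 'PS1',        # placeholder
    [string]$AppName    = 'Notepad++'   # placeholder
)
$ns = "root\SMS\site_$SiteCode"
$RelationName = @{
    1 = 'Bundled'; 2 = 'Required'; 3 = 'Prohibited'; 4 = 'Optional'; 5 = 'Derived'; 6 = 'Superseded'; 7 = 'Self'
    8 = 'Reference'; 9 = 'AppToDTReference'; 10 = 'AppDependence'; 11 = 'Intention'; 12 = 'Platform'
    13 = 'GlobalConditionReference'; 15 = 'ApplicationSuperSeded'; 16 = 'ApplicationType'; 17 = 'ApplicationHost'
    18 = 'ApplicationInstaller'; 19 = 'SupersedOrDependent'; 20 = 'VirtualEnvironmentReference'
    21 = 'AppDCMReference'; 22 = 'DeploymentTypeToPolicyTemplateReference'; 23 = 'CIInheritanceRelation'
    24 = 'AppConfigTemplateReference'
}
$CITypeName = @{
    1 = 'Software Updates'; 2 = 'Baseline'; 3 = 'OS'; 4 = 'General'; 5 = 'Application'; 6 = 'Driver'
    7 = 'Uninterpreted'; 8 = 'Software Updates Bundle'; 9 = 'Update List'; 10 = 'Application Model'
    11 = 'Global Settings'; 13 = 'Global Expression'; 14 = 'Supported Platform'; 21 = 'Deployment Type'
    24 = 'Intend Install Policy'; 60 = 'Virtual Environment'
}

function Get-CIRelationTree {
    param([int]$CIID, [int]$Depth = 0, [int]$MaxDepth = 3, [hashtable]$Seen = @{})
    # Bundled/Derived/Superseded links are recursive (IsRecursive = 1), so guard against cycles
    if ($Seen.ContainsKey($CIID) -or $Depth -gt $MaxDepth) { return }
    $Seen[$CIID] = $true
    $rels = Get-CimInstance -ComputerName $SiteServer -Namespace $ns -ClassName SMS_CIRelation -Filter "FromCIID = $CIID"
    foreach ($r in $rels) {
        if ($r.RelationType -eq 7) { continue }   # Self only points back at the same CI
        $to = Get-CimInstance -ComputerName $SiteServer -Namespace $ns -ClassName SMS_ConfigurationItemBaseClass -Filter "CI_ID = $($r.ToCIID)"
        [pscustomobject]@{
            Depth    = $Depth
            FromCIID = $CIID
            ToCIID   = $r.ToCIID
            Relation = "$($r.RelationType) $($RelationName[[int]$r.RelationType])"
            CIType   = "$($to.CIType_ID) $($CITypeName[[int]$to.CIType_ID])"
            Name     = $to.LocalizedDisplayName
        }
        Get-CIRelationTree -CIID ([int]$r.ToCIID) -Depth ($Depth + 1) -MaxDepth $MaxDepth -Seen $Seen
    }
}

$app = @(Get-CimInstance -ComputerName $SiteServer -Namespace $ns -ClassName SMS_Application -Filter "LocalizedDisplayName = '$AppName' AND IsLatest = 1")[0]
Get-CIRelationTree -CIID ([int]$app.CI_ID) | Format-Table -AutoSize
```

For an MSI application the first level shows the type 9 and type 11 links from the slide, and the second level (from each deployment type) the type 16 template and any type 13 global conditions.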
CI STATES
(current)State -> result of the evaluation (NonCompliant, Compliant, NotInstalled, Installed)
ResolvedState -> desired outcome
Applicability -> is the CI applicable on this platform (based on the rules being set)
ConfigureState -> Configured, NotConfigured, and NotNeeded (used internally by the client
in app re-eval)
Found in
AppIntentEval.log (for Application CI’s)
DCMReports (For DCM CI’s)
CI-FLOW (CLIENT SIDE) - DOWNLOAD
Policy is downloaded/evaluated
CIAgent (coordinator) creates a job and stores it in WMI (Root\CCM\ClientSDK\CCM_CIEvaluationJob)
CIDownloader job is created
CIStateStore (CcmStore.sdf) is queried for previous results (if any)
CIDownloader downloads the payload (main baseline/CI + related CI's if needed)
Zlib compressed
Decompressed to C:\Windows\CCM\CIDownloader\Staging\<GUID>
Hash verified (the hash is stored in SQL: CI_DocumentStore)
Results stored in CIStateStore
CIDownloader compiles into WMI (e.g. root\ccm\cimodels\ccm_script_setting_synclet)
CIDownloader extracts the SDM package to C:\Windows\CCM\CIDownloader\DigestStore\<HASH>.xml
CIAgent: job complete
CI-FLOW (CLIENT SIDE) - EVALUATION
CI-Execution is triggered (manual/schedule)
CIAgent (coordinator) creates job and stores in WMI (Root\CCM\ClientSDK\CCM_CiEvaluationJob)
DCMAgent creates list of Baselines to evaluate
CIStatestore (ccmstore.SDF) is being queried for previous results (if exists)
CIDownloader is called to verify that we have the latest version (if not, download it !)
CIAgent takes over again
Starts Enactment
Calls Provider/Handler
Extracts script from WMI and saves temporary to c:\windows\ccm\systemtemp\<guid>
Executes and returns result
Enactment successful
Returns State
Stores results in CCMStore
Reports back
CLIENT SIDE
What are “handlers” ?
CCM_AppHandlers
“C++” code to take action on a specific CI type
Eg, WUA Handler, Application types (Appv, MSI,…)
What are WMI Providers
__Win32Provider Class
DCM Assembly provider
DCM IIS Metabase provider
DCM SQL Query provider
DCM SUM Provider
DCM WQL Query provider
DCM Xpath query provider
Script provider
Registry Provider
WHAT LOGS ARE INVOLVED
Client-Side
CiAgent
CiDownloader
CiStateStore
CiStore
CiTaskMgr
AppIntentEval
DCMAgent
DCMReporting
DCMReports
DCMWMIProvider
WMI
The M stands for Magic
WMI (CLIENT)
Root\CCM\CIModels
Root\CCM\DCM
Root\Microsoft\Policyplatform\Documents\Local
Extract scripts from WMI (testing purposes)
CCM_Scripts_Settings_Synclet
Discovery script (scriptbody)
Remediation script (scriptbody)
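The extraction step as a script, added here as an example (not the deck's code). It dumps every discovery and remediation script body the client has compiled into Root\CCM\CIModels so they can be run by hand. Only the namespace and the "*Synclet" class naming from the slides are relied on; the class is found with a wildcard and the body properties by the "ScriptBody" suffix, because the exact names vary and are not given on the page.

```powershell
# Added example (not the deck's code): pull CI scripts out of WMI for testing
$Namespace = 'root\ccm\CIModels'
$OutDir = Join-Path $env:TEMP 'ci-scripts'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$count = 0
foreach ($class in (Get-CimClass -Namespace $Namespace -ClassName '*Script*Synclet*')) {
    foreach ($inst in (Get-CimInstance -Namespace $Namespace -ClassName $class.CimClassName -ErrorAction SilentlyContinue)) {
        # Key properties identify the CI/setting the synclet belongs to; use them as the file name
        $keys = @($inst.CimInstanceProperties |
            Where-Object { $_.Flags.HasFlag([Microsoft.Management.Infrastructure.CimFlags]::Key) } |
            ForEach-Object { $_.Value }) -join '_'
        if (-not $keys) { $keys = "instance$count" }
        $safe = $keys -replace '[^\w\.\-]', '_'
        foreach ($p in $inst.CimInstanceProperties) {
            if ($p.Name -notlike '*ScriptBody*' -or -not $p.Value) { continue }
            $count++
            $file = Join-Path $OutDir "$safe.$($p.Name).txt"
            Set-Content -Path $file -Value $p.Value -Encoding UTF8
            # The client runs these as SYSTEM and any local admin can read them here: flag likely secrets
            if ($p.Value -match '(?i)password|pwd\s*=|secret|ConvertTo-SecureString') {
                Write-Warning "$file looks like it embeds a credential"
            }
        }
    }
}
"$count script bodies written to $OutDir"
```

Check the companion properties of the same instance for the script language before running a body by hand, and treat the warning as a finding: a password in a CI script is readable on every client the baseline is deployed to, which is the same exposure the NAA slides are about.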