CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts tagged Configuration Item

I posted a Configuration Manager Configuration Item and Baseline a while back that checks to see if Applocker is configured and running. Another important thing to check on Windows 10 is that Credential Guard is configured and running. Credential Guard is an extremely important security feature in Windows 10 and should be used and of course we need to make sure that is active and running.

Here is a Configuration Item and Baseline that will do those checks. We use a Powershell script to check that Credential Guard is configured and running.

$DevGuard = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard

return $DevGuard.SecurityServicesConfigured -contains 1 -and $DevGuard.SecurityServicesRunning -contains 1

Same as the Applocker post I wrote we need to configure the Powershell policy in Client settings or sign the script.

Powershell Client agent setting

If we compare it to the Applocker CI we created credential Guard doesn’t exist on Operating Systems earlier than Windows 10 so we need to configure that as well, otherwise the steps are the same. Here they are:

We create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Credential Guard 1

Select the supported platforms:

Credential Guard 2

Select New in the Settings step

Credential Guard 3

Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean

And then click “Add script”

Credential Guard 4

Then we edit the discovery script and paste the script as shown below.

Credential Guard 5

Then we create a compliance rule.

Credential Guard 6

Then we create a compliance rule with the following settings.

Credential Guard 7

Then we can add it to a baseline and deploy it to our clients. And again for all of you that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the baseline used from here:Credential Guard status

Applocker is used more and more so I wrote this little Powershell script that can be run as a Configuration Item which checks that the Application Identity service is running and an Applocker policy is applied. We could also do a remediation script to start the AppIDSvc again if stopped but I normally use a Group Policy to set the service to start Automatically so if it isn’t started something else is wrong, GPO not being applied or something.
The discovery script(Note it requires WMF 4 or later):

$Applocker = Get-AppLockerPolicy -Effective |Where-Object {$_.rulecollections -ne $Null}

$AppIDSvc = Get-Service |Where-Object {$_.Name -eq "AppIDSvc" -and $_.Status -eq "Running"}

Return $Applocker -and $AppIDSvc

Using Configuration Manager CI’s and Baselines to configure your clients is an extremely powerful tool, GPO is basically fire and forget here vi get status back. It can also be used in many scenarios that Group Policy cannot, like when managing clients on the internet using the Cloud Management Gateway.

We need to start with checking the client agent settings so that it allows Powershell scripts that are not signed to be run by the SCCM client, or sign the script.

Powershell Client agent setting

Then we create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Applocker CI 1

Select the supported platforms:

Applocker CI 2

Select New in the Settings step

Applocker CI 3

Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean

Applocker configured and running CI

Then we edit the discovery script and paste the script as shown below.

Applocker CI Script

Then we create a compliance rule with the following settings.

Applocker CI Compliance

Then we can add it to a baseline and deploy it to our clients. For you all that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the Baseline used from here: Applocker status